SHA256: e6ee1c7fdec1a48d850ec281636288f059865cc8dfbe2a83b6437ff6206c4d7d
File name: biosagentplus_40.exe
Detection ratio: 1 / 58
Analysis date: 2016-03-27 06:34:03 UTC ( 2 years, 7 months ago )
Antivirus Result Update
DrWeb Program.Unwanted.657 20160327
Ad-Aware 20160326
AegisLab 20160327
Yandex 20160316
AhnLab-V3 20160326
Alibaba 20160323
ALYac 20160327
Antiy-AVL 20160327
Arcabit 20160326
Avast 20160327
AVG 20160327
Avira (no cloud) 20160326
AVware 20160327
Baidu 20160325
Baidu-International 20160326
BitDefender 20160327
Bkav 20160327
ByteHero 20160327
CAT-QuickHeal 20160326
ClamAV 20160326
CMC 20160322
Comodo 20160327
Cyren 20160327
Emsisoft 20160327
ESET-NOD32 20160327
F-Prot 20160327
F-Secure 20160327
Fortinet 20160327
GData 20160327
Ikarus 20160326
Jiangmin 20160327
K7AntiVirus 20160327
K7GW 20160323
Kaspersky 20160327
Kingsoft 20160327
Malwarebytes 20160327
McAfee 20160327
McAfee-GW-Edition 20160327
Microsoft 20160327
eScan 20160327
NANO-Antivirus 20160327
nProtect 20160325
Panda 20160326
Qihoo-360 20160327
Rising 20160327
Sophos AV 20160327
SUPERAntiSpyware 20160327
Symantec 20160327
Tencent 20160327
TheHacker 20160325
TotalDefense 20160327
TrendMicro 20160327
TrendMicro-HouseCall 20160327
VBA32 20160326
VIPRE 20160326
ViRobot 20160327
Zillya 20160326
Zoner 20160327
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Product DriverAgent Application
Original name DriverAgent
File version 2.2015.7.14
Signature verification Signed file, verified signature
Signing date 8:06 AM 7/14/2015
Signers
[+] eSupport.com, Inc.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign CodeSigning CA - SHA256 - G2
Valid from 9:36 PM 9/24/2014
Valid to 9:36 PM 9/25/2015
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint FB985BC0EE6A065FDE893CD552EAFA86E409AF84
Serial number 11 21 6E 05 4F AD 93 0D 88 CA BC 07 8E B0 D3 BC C8 AC
[+] GlobalSign CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 8/2/2011
Valid to 11:00 AM 8/2/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Serial number 04 00 00 00 00 01 31 89 C6 37 E8
[+] GlobalSign
Status Valid
Issuer GlobalSign Root CA
Valid from 11:00 AM 11/18/2009
Valid to 11:00 AM 3/18/2019
Valid usage All
Algorithm sha256RSA
Thumbprint 4765557AF418C68A641199146A7E556AA8242996
Serial number 04 00 00 00 00 01 25 07 1D F9 AF
[+] GlobalSign Root CA - R1
Status Valid
Issuer GlobalSign Root CA
Valid from 1:00 PM 9/1/1998
Valid to 1:00 PM 1/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-07-14 05:19:50
Entry Point 0x0015E7C0
Number of sections 3
PE sections
Overlays
MD5 f6d6e4b491223efa9cb5236d25ec59d3
File type data
Offset 656896
Size 6872
Entropy 7.40
PE imports
Ord(24)
Ord(37)
Ord(36)
VirtualFree
Ord(31)
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
Ord(35)
CM_Get_DevNode_Status
ImageList_Add
GetSaveFileNameA
SaveDC
CoInitialize
VariantCopy
SetupDiGetClassDevsA
SHGetMalloc
VerQueryValueA
getprotobyname
Number of PE resources by type
RT_RCDATA 33
RT_STRING 17
RT_BITMAP 11
RT_GROUP_CURSOR 7
RT_CURSOR 7
RT_ICON 4
RT_DIALOG 2
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
RUSSIAN 34
ENGLISH US 26
NEUTRAL 24
PE resources
ExifTool file metadata
UninitializedDataSize 827392
LinkerVersion 2.25
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.2015.7.14
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
CharacterSet Windows, Latin1
InitializedDataSize 53248
EntryPoint 0x15e7c0
OriginalFileName DriverAgent
MIMEType application/octet-stream
FileVersion 2.2015.7.14
TimeStamp 2015:07:14 06:19:50+01:00
FileType Win32 EXE
PEType PE32
ProductVersion 1.0.0.0
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Copyright 2010 eSupport.com. All Rights Reserved.
CodeSize 606208
ProductName DriverAgent Application
ProductVersionNumber 2.2015.7.14
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack
While monitoring an end-user machine in the wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 60dc1b29934803c06e79b4097ea55eeb
SHA1 6a0585371e6c75094d80d5c0ad17597579686343
SHA256 e6ee1c7fdec1a48d850ec281636288f059865cc8dfbe2a83b6437ff6206c4d7d
ssdeep 12288:hzc3ztP/92xmsQxaKmn3Bj5e/AbKKJA2ta0/+NhAow6D9Xyw:6jtPMxmhxaL3BjgAbKKGz0/+VbDz
authentihash 7e0182444a1e137dbab2d4f8b92b1b0bf2df1055d8feb4a0063f663a56a7e3e6
imphash 20ea82b385478321fdd5a3c755756a79
File size 648.2 KB ( 663768 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (37.1%)
Win32 EXE Yoda's Crypter (36.4%)
Win32 Dynamic Link Library (generic) (9.0%)
Win32 Executable (generic) (6.1%)
Win16/32 Executable Delphi generic (2.8%)
Tags
peexe overlay signed upx via-tor

VirusTotal metadata
First submission 2015-07-14 18:04:24 UTC ( 3 years, 4 months ago )
Last submission 2018-10-23 10:38:02 UTC ( 4 weeks ago )
File names output.13655334.txt
biosagentplus_875.exe
biosagentplus_1218.exe
biosagentplus_875.exe
output.13663562.txt
output.110809747.txt
biosagentplus_1218.exe
biosagentplus_1218.exe
BIOSAgentPlus_6_17.exe
output.14582393.txt
biosagentplus_872.exe
biosagentplus_1218.exe
biosagentplus_796.exe
biosagentplus_1218.exe
output.14518344.txt
biosagentplus_796(1).exe
biosagentplus_36 (1).exe
biosagentplus_849.exe
output.10068116.txt
output.13663267.txt
biosagentplus_875.exe
output.14574620.txt
output.10135084.txt
biosagentplus_604.exe
output.13693795.txt
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Created processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.