SHA256: e95eca399dfe95500c4de569efc4cc77b75e2b66a864d467df37733ec06a0ff2
File name: TrueCrypt Setup 7.1a.exe
Detection ratio: 0 / 57
Analysis date: 2015-05-12 09:13:19 UTC ( 1 year, 11 months ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus Result Update
Ad-Aware 20150512
AegisLab 20150512
Yandex 20150511
AhnLab-V3 20150512
Alibaba 20150512
ALYac 20150512
Antiy-AVL 20150512
Avast 20150512
AVG 20150512
Avira (no cloud) 20150512
AVware 20150512
Baidu-International 20150511
BitDefender 20150512
Bkav 20150511
ByteHero 20150512
CAT-QuickHeal 20150512
ClamAV 20150512
CMC 20150508
Comodo 20150512
Cyren 20150512
DrWeb 20150512
Emsisoft 20150512
ESET-NOD32 20150512
F-Prot 20150512
F-Secure 20150512
Fortinet 20150512
GData 20150512
Ikarus 20150512
Jiangmin 20150511
K7AntiVirus 20150512
K7GW 20150512
Kaspersky 20150512
Kingsoft 20150512
Malwarebytes 20150512
McAfee 20150512
McAfee-GW-Edition 20150511
Microsoft 20150512
eScan 20150512
NANO-Antivirus 20150512
Norman 20150512
nProtect 20150512
Panda 20150511
Qihoo-360 20150512
Rising 20150511
Sophos 20150512
SUPERAntiSpyware 20150512
Symantec 20150512
Tencent 20150512
TheHacker 20150511
TotalDefense 20150511
TrendMicro 20150512
TrendMicro-HouseCall 20150512
VBA32 20150511
VIPRE 20150512
ViRobot 20150512
Zillya 20150510
Zoner 20150511
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Product TrueCrypt
Original name TrueCrypt Setup.exe
File version 7.1a
Description TrueCrypt Setup
Signature verification Signed file, verified signature
Signing date 9:56 PM 2/7/2012
Signers
[+] TrueCrypt Foundation
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown., Error 65536 (0x10000), The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer GlobalSign ObjectSign CA
Valid from 7:54 PM 11/9/2009
Valid to 7:54 PM 11/9/2012
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 5820FDCE18FB9580E1A59D2B58FC2BDA3D6D08F6
Serial number 01 00 00 00 00 01 24 DA 79 A3 F3
[+] GlobalSign ObjectSign CA
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown., Error 65536 (0x10000), The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer GlobalSign Primary Object Publishing CA
Valid from 10:00 AM 1/22/2004
Valid to 11:00 AM 1/27/2014
Valid usage All
Algorithm sha1RSA
Thumbprint 4A19146D67BD20843A3A0713587557BF519213CC
Serial number 04 00 00 00 00 01 08 D9 61 24 48
[+] GlobalSign Primary Object Publishing CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign Root CA
Valid from 1:00 PM 1/28/1999
Valid to 12:00 PM 1/27/2014
Valid usage All
Algorithm sha1RSA
Thumbprint 987FD000DCB121517D72453EE5176EB92B1363B9
Serial number 04 00 00 00 00 01 08 D9 61 1C D6
[+] GlobalSign
Status Valid
Issuer GlobalSign Root CA
Valid from 1:00 PM 9/1/1998
Valid to 1:00 PM 1/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown., Error 65536 (0x10000), The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 1:00 AM 6/15/2007
Valid to 12:59 AM 6/15/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-02-07 09:09:48
Entry Point 0x00028653
Number of sections 4
PE sections
Overlays
MD5 42ed08c7492c700a0f15615c88019ae7
File type data
Offset 1058816
Size 2407432
Entropy 8.00
PE imports
RegDeleteKeyA
LookupPrivilegeValueA
RegCloseKey
OpenServiceA
RegQueryValueExA
AdjustTokenPrivileges
ControlService
RegCreateKeyExA
DeleteService
CloseServiceHandle
OpenProcessToken
CreateServiceA
QueryServiceStatus
RegOpenKeyExA
CryptReleaseContext
CryptAcquireContextA
CryptGenRandom
RegEnumKeyExA
RegQueryInfoKeyA
ChangeServiceConfigA
RegSetValueExA
StartServiceA
RegDeleteValueA
OpenSCManagerA
SetMapMode
TextOutW
CreateFontIndirectW
GetTextMetricsA
SetStretchBltMode
GetObjectA
DeleteDC
SetBkMode
BitBlt
SetTextColor
GetDeviceCaps
GetCurrentObject
GetTextExtentPoint32W
GetStockObject
SetTextAlign
CreateCompatibleDC
StretchBlt
SelectObject
CreateSolidBrush
SetBkColor
DeleteObject
CreateCompatibleBitmap
GetStdHandle
GetConsoleOutputCP
ReleaseMutex
FileTimeToSystemTime
GetFileAttributesA
WaitForSingleObject
GetDriveTypeA
GetVolumePathNameA
GetFileAttributesW
FreeEnvironmentStringsA
CreatePipe
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
LocalAlloc
SetErrorMode
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
GetFileTime
GetTempPathA
GetCPInfo
GetStringTypeA
InterlockedExchange
WriteFile
MoveFileA
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetFullPathNameA
FreeLibrary
LocalFree
FormatMessageW
ResumeThread
InitializeCriticalSection
LoadResource
FindClose
TlsGetValue
QueryDosDeviceW
FormatMessageA
SetLastError
PeekNamedPipe
DeviceIoControl
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
GetVersionExA
RemoveDirectoryA
FindNextVolumeW
EnumSystemLocalesA
LoadLibraryExA
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
SetFilePointerEx
CreateMutexA
GetModuleHandleA
CreateThread
DeleteCriticalSection
SetUnhandledExceptionFilter
ExitThread
SetHandleInformation
SetEnvironmentVariableA
TerminateProcess
WriteConsoleA
VirtualQuery
SetEndOfFile
GetCurrentThreadId
LeaveCriticalSection
SetCurrentDirectoryA
WriteConsoleW
CloseHandle
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
lstrcmpiA
FindVolumeClose
GetOEMCP
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetSystemDirectoryA
GetStartupInfoA
GetFileSize
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetUserDefaultLCID
GetProcessHeap
CompareStringW
GetFileSizeEx
GetFileInformationByHandle
FindNextFileW
CompareStringA
FindFirstFileW
IsValidLocale
GetProcAddress
GetTimeZoneInformation
CreateFileW
CopyFileA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
FindFirstVolumeW
InterlockedIncrement
GetLastError
LCMapStringW
GetSystemInfo
lstrlenA
GetConsoleCP
LCMapStringA
GetEnvironmentStringsW
IsDBCSLeadByte
GetModuleFileNameA
GetShortPathNameA
FileTimeToLocalFileTime
SizeofResource
GetCurrentProcessId
LockResource
SetFileTime
lstrlenW
GetCurrentDirectoryA
HeapSize
GetCommandLineA
InterlockedCompareExchange
GetCurrentThread
RaiseException
TlsFree
SetFilePointer
ReadFile
FindFirstFileA
GetVolumeInformationA
GetACP
GetModuleHandleW
GetEnvironmentStrings
CreateProcessA
WideCharToMultiByte
IsValidCodePage
HeapCreate
VirtualFree
Sleep
FindResourceA
VirtualAlloc
VarUI4FromStr
LoadTypeLib
UnRegisterTypeLib
RegisterTypeLib
SetupOpenInfFileA
SetupInstallFromInfSectionA
SetupCloseInfFile
SetupDiOpenClassRegKey
SHBrowseForFolderW
SHChangeNotify
SHGetMalloc
SHGetSpecialFolderPathA
SHGetSpecialFolderLocation
SHGetFolderPathA
SHGetPathFromIDListA
Ord(680)
ShellExecuteA
SHStrDupW
SetFocus
AppendMenuW
GetParent
EnableWindow
ReleaseDC
EndDialog
BeginPaint
SetWindowTextW
EnumWindows
TrackMouseEvent
ShowWindow
SetWindowTextA
MessageBeep
LoadBitmapA
SetWindowPos
SendDlgItemMessageA
GetSystemMetrics
MessageBoxW
AppendMenuA
GetWindowRect
EndPaint
SetDlgItemTextA
PostMessageA
MoveWindow
EnumChildWindows
MessageBoxA
GetSystemMenu
SetWindowLongA
SendDlgItemMessageW
GetDC
GetKeyState
CreateDialogParamW
MapDialogRect
GetDlgCtrlID
GetClassInfoA
SendMessageW
UnregisterClassA
SendMessageA
GetClientRect
GetDlgItem
SystemParametersInfoW
RegisterClassA
InvalidateRect
GetWindowLongA
GetWindowTextLengthA
LoadCursorA
LoadIconA
FillRect
DefDlgProcA
DialogBoxParamW
CharNextA
GetWindowTextW
CallWindowProcA
GetClassNameA
wsprintfW
GetWindowTextA
GetWindowInfo
DestroyWindow
ExitWindowsEx
SetCursor
OleUninitialize
CoUninitialize
CoInitialize
OleInitialize
CoTaskMemRealloc
CoCreateInstance
PropVariantClear
CoTaskMemFree
CoTaskMemAlloc
Number of PE resources by type
RT_DIALOG 26
BIN 17
RT_ICON 17
RT_BITMAP 5
RT_GROUP_ICON 4
HEADER 2
XML 1
RT_MANIFEST 1
TEXT 1
REGISTRY 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 76
PE resources
ExifTool file metadata
LegalTrademarks
TrueCrypt

UninitializedDataSize
0

LinkerVersion
9.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
7.1.1.0

LanguageCode
English (U.S.)

FileFlagsMask
0x0017

CharacterSet
Unicode

InitializedDataSize
792576

EntryPoint
0x28653

OriginalFileName
TrueCrypt Setup.exe

MIMEType
application/octet-stream

FileVersion
7.1a

TimeStamp
2012:02:07 10:09:48+01:00

FileType
Win32 EXE

PEType
PE32

SubsystemVersion
5.0

ProductVersion
7.1a

FileDescription
TrueCrypt Setup

OSVersion
5.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
TrueCrypt Foundation

CodeSize
265216

ProductName
TrueCrypt

ProductVersionNumber
7.1.1.0

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 7a23ac83a0856c352025a6f7c9cc1526
SHA1 7689d038c76bd1df695d295c026961e50e4a62ea
SHA256 e95eca399dfe95500c4de569efc4cc77b75e2b66a864d467df37733ec06a0ff2
ssdeep
98304:cYoVF1jLBam4KBcDxJhL2+fZAwwjaJ2mLsn:IRLIgwxzLRfOoJ2mQ

authentihash 6b186563b0af15c00483da511c8763fdcc527c402bc2842cccbc844967e49fd2
imphash 0c7af55c765056ec39300936876bf6b9
File size 3.3 MB ( 3466248 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags
peexe overlay revoked-cert signed via-tor software-collection

VirusTotal metadata
First submission 2012-02-07 23:23:36 UTC ( 5 years, 2 months ago )
Last submission 2017-04-22 20:13:37 UTC ( 19 hours, 39 minutes ago )
File names o2e5aoghnpi562k5ffoae2lb4uheuyxk.exe
TrueCrypt Setup7.1a.exe
2d7341.tmpscan
TrueCrypt Setup 7.1a .exe
TrueCrypt_Setup_7.1a.exe
TrueCrypt7.1a_www.INSTALKI.pl.exe
TrueCrypt_Setup_7.1a (von chip.de).exe
TrueCrypt Setup 7.1a.exe.xxx
TrueCrypt Setup 7.1a_ver.exe
truecrypt setup 7.1a.exe
Tr1ueCrypt Setup 7.1a.exe
TrueCrypt20Setup207,1a.exe
7.1a_TrueCryptSetup7.1a.exe
tc7.1a.exe
truecrypt_setup_7.1a.exe
true.exe
TrCrypt.exe
TrueCryptSetup7.1a.exe
TrueCrypt Setup.exe
truecrypt_setup_7.1a (von heise.de).exe
truecrypt setup 7.1a.exe.xv951ch.partial
TrueCrypt_Setup%207.1a(dobreprogramy.pl).exe
TrueCrypt_Rus_Setup.exe
TrueCrypt_Setup7.1a--from cdrinfo.exe
TrueCrypt Setup 7.1a_RECHECK.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.