SHA256: e9be12095a395553e673397f1505a707d1fd36975e4d1f9482056543ebf08f3b
File name: 7zS.sfx
Detection ratio: 1 / 68
Analysis date: 2019-02-11 07:52:57 UTC ( 1 week ago )
Antivirus Result Update
Yandex Trojan.Agent!H592XWb6S9o 20190210
Acronis 20190208
Ad-Aware 20190211
AegisLab 20190211
AhnLab-V3 20190211
Alibaba 20180921
ALYac 20190211
Antiy-AVL 20190211
Arcabit 20190210
Avast 20190211
Avast-Mobile 20190210
AVG 20190211
Avira (no cloud) 20190211
Babable 20180918
Baidu 20190202
BitDefender 20190211
Bkav 20190201
CAT-QuickHeal 20190210
ClamAV 20190210
CMC 20190210
Comodo 20190211
CrowdStrike Falcon (ML) 20181023
Cybereason 20190109
Cylance 20190211
Cyren 20190211
DrWeb 20190211
eGambit 20190211
Emsisoft 20190211
Endgame 20181108
ESET-NOD32 20190211
F-Prot 20190211
F-Secure 20190211
Fortinet 20190211
GData 20190211
Ikarus 20190210
Sophos ML 20181128
Jiangmin 20190211
K7AntiVirus 20190211
K7GW 20190211
Kaspersky 20190211
Kingsoft 20190211
Malwarebytes 20190211
MAX 20190211
McAfee 20190211
McAfee-GW-Edition 20190211
Microsoft 20190211
eScan 20190211
NANO-Antivirus 20190211
Palo Alto Networks (Known Signatures) 20190211
Panda 20190210
Qihoo-360 20190211
Rising 20190211
SentinelOne (Static ML) 20190203
Sophos AV 20190211
SUPERAntiSpyware 20190206
Symantec 20190210
Symantec Mobile Insight 20190207
TACHYON 20190211
Tencent 20190211
TheHacker 20190203
Trapmine 20190123
Trustlook 20190211
VBA32 20190208
VIPRE 20190210
ViRobot 20190211
Webroot 20190211
Zillya 20190208
ZoneAlarm by Check Point 20190211
Zoner 20190211
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (c) 1999-2007 Igor Pavlov

Product 7-Zip
Original name 7zS.sfx.exe
Internal name 7zS.sfx
File version 4.57
Description 7z Setup SFX
Signature verification Signed file, verified signature
Signing date 5:40 PM 8/26/2016
Signers
[+] Lagerkvist Teknisk Rådgivning i Borås HB
Status This certificate or one of the certificates in the certificate chain is not time valid. (The leaf certificate's window closed on 02/10/2019, the day before this analysis; the file's signature still verifies because it carries a time-stamp countersignature from the 2016 signing date, see Counter signers below.)
Issuer GlobalSign Extended Validation CodeSigning CA - SHA256 - G2
Valid from 04:22 PM 02/23/2016
Valid to 03:13 PM 02/10/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 6638FD50FC07D157DE2914BE13AC6DEED0742F0D
Serial number 11 21 01 0F F2 71 77 94 5C 4E 36 C5 FC 7A 4C 98 78 8A
[+] GlobalSign Extended Validation CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 10:00 AM 08/02/2011
Valid to 10:00 AM 08/02/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4F5EA6A9E4BA30A4575DEAD4E4E9D3B2DA66EA7B
Serial number 04 00 00 00 00 01 31 89 C6 4D E1
[+] GlobalSign
Status Valid
Issuer GlobalSign Root CA
Valid from 10:00 AM 11/18/2009
Valid to 10:00 AM 03/18/2019
Valid usage All
Algorithm sha256RSA
Thumbprint 4765557AF418C68A641199146A7E556AA8242996
Serial number 04 00 00 00 00 01 25 07 1D F9 AF
[+] GlobalSign Root CA - R1
Status Valid
Issuer GlobalSign Root CA
Valid from 12:00 PM 09/01/1998
Valid to 12:00 PM 01/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
Counter signers
[+] COMODO SHA-1 Time Stamping Signer
Status Valid
Issuer UTN-USERFirst-Object
Valid from 12:00 AM 12/31/2015
Valid to 06:40 PM 07/09/2019
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 03A5B14663EB12023091B84A6D6A68BC871DE66B
Serial number 16 88 F0 39 25 5E 63 8E 69 14 39 07 E6 33 0B
[+] USERTrust (Code Signing)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 06:31 PM 07/09/1999
Valid to 06:40 PM 07/09/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
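The status line on the signer says the certificate is no longer time valid, yet "Signature verification" reports a verified signature. The reason is the countersignature: Authenticode judges the signing chain at the trusted timestamp's time rather than at verification time, so a timestamped signature outlives the signing certificate. The Python below is an added example (not VirusTotal's, 7-Zip's or ImDisk's code) that replays that rule over the validity windows printed in this report. It assumes the report's "Signing date" is the time asserted by the countersignature, parses the report's own "HH:MM AM/PM MM/DD/YYYY" format as printed (no time-zone handling), and ignores revocation, trust-store policy and the lifetime-signing EKU.

```python
from datetime import datetime

# Validity windows copied from the report's Authenticode block (as printed, no time zones).
SIGNING_CHAIN = {
    "Lagerkvist Teknisk Rådgivning i Borås HB": ("04:22 PM 02/23/2016", "03:13 PM 02/10/2019"),
    "GlobalSign Extended Validation CodeSigning CA - SHA256 - G2": ("10:00 AM 08/02/2011", "10:00 AM 08/02/2019"),
    "GlobalSign": ("10:00 AM 11/18/2009", "10:00 AM 03/18/2019"),
    "GlobalSign Root CA - R1": ("12:00 PM 09/01/1998", "12:00 PM 01/28/2028"),
}
TIMESTAMP_CHAIN = {
    "COMODO SHA-1 Time Stamping Signer": ("12:00 AM 12/31/2015", "06:40 PM 07/09/2019"),
    "USERTrust (Code Signing)": ("06:31 PM 07/09/1999", "06:40 PM 07/09/2019"),
}
SIGNING_TIME = "05:40 PM 08/26/2016"   # report's "Signing date"; assumed to be the timestamp's time
ANALYSIS_TIME = "07:52 AM 02/11/2019"  # report's "Analysis date"


def _t(s: str) -> datetime:
    """Parse the report's date format, e.g. '04:22 PM 02/23/2016'."""
    return datetime.strptime(s, "%I:%M %p %m/%d/%Y")


def expired_at(chain: dict, when: str) -> list:
    """Names of certificates in `chain` whose validity window does not cover `when`."""
    t = _t(when)
    return [name for name, (nb, na) in chain.items() if not (_t(nb) <= t <= _t(na))]


def authenticode_status(signing_chain, timestamp_chain, signing_time, now, has_timestamp=True):
    """Simplified model of Authenticode's lifetime rule (assumption: revocation,
    lifetime-signing EKU and trust-store policy are ignored).

    With a countersignature, both chains are judged at the timestamp's asserted
    time, so later expiry of the signing certificate does not break the
    signature. Without one, the signing chain must be valid at `now`.
    Returns (status, certificates outside their window at the decisive time)."""
    expired_now = expired_at(signing_chain, now)
    if not has_timestamp:
        return ("expired" if expired_now else "valid", expired_now)
    bad_at_signing = expired_at(signing_chain, signing_time)
    if bad_at_signing:
        return ("invalid_at_signing_time", bad_at_signing)
    bad_tsa = expired_at(timestamp_chain, signing_time)
    if bad_tsa:
        return ("timestamp_untrusted", bad_tsa)
    # Valid; the second element lists certificates that have expired since signing.
    return ("valid_via_timestamp", expired_now)


if __name__ == "__main__":
    print(authenticode_status(SIGNING_CHAIN, TIMESTAMP_CHAIN, SIGNING_TIME, ANALYSIS_TIME))
    print(authenticode_status(SIGNING_CHAIN, TIMESTAMP_CHAIN, SIGNING_TIME, ANALYSIS_TIME,
                              has_timestamp=False))
```

Run against the report's dates, the first call returns `valid_via_timestamp` with only the Lagerkvist leaf listed as expired, which is exactly the combination the report shows (a "not time valid" leaf next to a verified signature); the second call shows what the same file would look like had it been signed without a timestamp.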
Packers identified
F-PROT 7Z
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-12-06 08:39:15
Entry Point 0x00010FC6
Number of sections 4
PE sections
Overlays
MD5 042b2431ab08616cd41a5f13c12d9975
File type data
Offset 93184
Size 283872
Entropy 8.00
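Offset 93184 plus size 283872 equals the 377056-byte file size given under File identification, so the overlay runs from the end of the SFX stub's last section to the end of the file, and its 8.00 entropy together with the F-PROT "7Z" packer match is what a 7z archive appended to a stub looks like. The Python below is an added example (not the page's, 7-Zip's or ImDisk's code) that locates an overlay by walking the PE section table, measures its entropy and checks for the 7z signature header, the same three facts the report prints. The PE image it runs on is a minimal constructed stand-in built inside the script, not the ImDisk installer; `carve_overlay` works unchanged on a real file read with `open(path, "rb").read()`.

```python
import math
import random
import struct

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 6-byte 7z signature header magic


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means all byte values are equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def overlay_offset(pe: bytes) -> int:
    """File offset where the overlay starts: the byte after the last section's raw
    data (or after the section table, whichever is larger), capped at file size."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections, TimeDateStamp, PtrSymTab, NumSymbols, SizeOfOptionalHeader
    num_sections, _ts, _, _, size_opt = struct.unpack_from("<HIIIH", pe, coff + 2)
    section_table = coff + 20 + size_opt
    end = section_table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", pe, section_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def carve_overlay(pe: bytes) -> dict:
    """Return offset, size, entropy and 7z check for the overlay, plus the bytes themselves."""
    off = overlay_offset(pe)
    overlay = pe[off:]
    return {
        "offset": off,
        "size": len(overlay),
        "entropy": round(shannon_entropy(overlay), 2),
        "is_7z": overlay.startswith(SEVENZIP_MAGIC),
        "payload": overlay,   # write this to a .7z file and list it with 7z to see the contents
    }


def build_sample_sfx(payload: bytes) -> bytes:
    """Constructed sample (not the report's file): minimal PE32 with one 0x200-byte
    section at file offset 0x200, followed by `payload` as the overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew -> 0x40
    size_opt = 224                                                       # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x010F)  # i386, one section
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)              # PE32 magic, rest zero
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200 + payload                           # ret-filled code, overlay


def sample_7z_payload(n: int = 8192) -> bytes:
    """Constructed stand-in for an archive: real 7z magic, version 0.4, then pseudo-random bytes."""
    rng = random.Random(20190211)
    body = bytes(rng.getrandbits(8) for _ in range(n))
    return SEVENZIP_MAGIC + bytes([0, 4]) + body


if __name__ == "__main__":
    result = carve_overlay(build_sample_sfx(sample_7z_payload()))
    print({k: v for k, v in result.items() if k != "payload"})
```

On the constructed image the overlay is found at 0x400 with entropy close to 8.0 and the 7z magic present; a stub with a plain-text overlay (for instance a run of the same byte) reports entropy 0.0 and no magic, which is the quick way to tell an appended archive from appended configuration or padding.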
PE imports
AreFileApisANSI
GetLastError
EnterCriticalSection
lstrlenA
RemoveDirectoryW
WaitForSingleObject
SetEvent
FindFirstFileW
SetFileTime
GetVersionExA
RemoveDirectoryA
GetCommandLineW
GetModuleFileNameA
DeleteCriticalSection
GetStartupInfoA
GetWindowsDirectoryA
GetFileSize
CreateDirectoryA
DeleteFileA
GetCurrentDirectoryA
MultiByteToWideChar
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
SetFileAttributesA
SetFilePointer
GetTempPathA
GetFullPathNameW
CloseHandle
WideCharToMultiByte
GetModuleFileNameW
GetModuleHandleA
ReadFile
WriteFile
FindFirstFileA
GetTempFileNameA
FindNextFileA
SetFileAttributesW
GetFullPathNameA
LocalFree
FormatMessageW
CreateProcessA
InitializeCriticalSection
CreateFileW
VirtualFree
CreateEventA
FindClose
Sleep
FormatMessageA
SetEndOfFile
CreateFileA
LeaveCriticalSection
VirtualAlloc
SetCurrentDirectoryA
ResetEvent
_purecall
__p__fmode
malloc
__CxxFrameHandler
??1type_info@@UAE@XZ
__dllonexit
_controlfp
_except_handler3
_onexit
exit
_XcptFilter
memcmp
__setusermatherr
__p__commode
_acmdln
_CxxThrowException
_adjust_fdiv
free
__getmainargs
memcpy
memmove
_beginthreadex
_initterm
_exit
__set_app_type
VariantClear
SysAllocString
ShellExecuteExA
GetWindowLongA
SetTimer
SetWindowTextA
LoadStringA
EndDialog
PostMessageA
SetWindowTextW
DialogBoxParamW
CharUpperW
SendMessageA
LoadStringW
KillTimer
MessageBoxW
GetDlgItem
SetWindowLongA
DialogBoxParamA
ShowWindow
CharUpperA
DestroyWindow
Number of PE resources by type
RT_ICON 2
RT_STRING 2
RT_DIALOG 1
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 8
PE resources
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 4.57.0.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription 7z Setup SFX
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 19968
EntryPoint 0x10fc6
OriginalFileName 7zS.sfx.exe
MIMEType application/octet-stream
LegalCopyright Copyright (c) 1999-2007 Igor Pavlov
FileVersion 4.57
TimeStamp 2007:12:06 09:39:15+01:00
FileType Win32 EXE
PEType PE32
InternalName 7zS.sfx
ProductVersion 4.57
SubsystemVersion 4.0
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Igor Pavlov
CodeSize 72192
ProductName 7-Zip
ProductVersionNumber 4.57.0.0
FileTypeExtension exe
ObjectFileType Executable application
Execution parents
Compressed bundles
File identification
MD5 86f30c47b28e990f0878274ed1e62109
SHA1 9038567029683998e40874680e08de3f5324f7b6
SHA256 e9be12095a395553e673397f1505a707d1fd36975e4d1f9482056543ebf08f3b
ssdeep 6144:7RGl1g99jCQmPbIOhlur0K5loA0Cpky3pp4uSz1YkGL52D79yly:7RQsjCL8glbK5GA0NyZp4uay1s79yk
authentihash 5a3c48349a85e14deaacab60331df4b450722083210250216067668e4b2d41ed
imphash 43d031fee4fabbf224448cfe01b59e8a
File size 368.2 KB ( 377056 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (33.7%)
Win64 Executable (generic) (29.8%)
Microsoft Visual C++ compiled executable (generic) (17.8%)
Win32 Dynamic Link Library (generic) (7.1%)
Win32 Executable (generic) (4.8%)
Tags peexe via-tor signed overlay
VirusTotal metadata
First submission 2016-08-26 18:36:53 UTC ( 2 years, 5 months ago )
Last submission 2019-02-07 16:27:43 UTC ( 1 week, 3 days ago )
File names imdisk-virtual-disk-driver-8047-jetelecharge.exe
_files_imdisk_imdiskinst.exe
ImDiskVirtualDiskDriver.exe
7zS.sfx.exe
rsload.net.imdiskinst.exe
ImDisk_2.0.9_Win2k-10(32-64).exe
imdiskinst 2.0.9.exe
imdiskinst.exe
imdiskinst .exe
imdiskinst_2.0.9.exe
imdiskinst.exe
imdiskinst.exe
ImDiskInst_Setup_v2.0.9.exe
ImDisk install package stable version 2.0.9 built 26 August 2016 - imdiskinst.exe
ImDisk Virtual Disk Driver 2.0.9.24 = Virtual disk driver.exe
ImDisk-2.0.9-2016-08-26-imdiskinst.exe
imdiskinst.exe
imdiskinst.exe
imdiskinst (1).exe
ImDisk Virtual Disk Driver_2.0.9 (RAM disk).exe
imdiskinst(1).exe
211629bfr99r3999gf9fs9.attach
imdiskinst (version 2.0.9 built 26 August 2016).exe
apk.tw_imdiskinst.exe
imdiskinst.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Deleted files
UDP communications