SHA256: f499aee5c60e167d486ab5393efbed1020fed5c81e80ee581be68150582fb9c9
File name: reg_server
Detection ratio: 53 / 64
Analysis date: 2017-07-14 04:40:07 UTC ( 1 week, 4 days ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Strictor.6853 20170714
AhnLab-V3 Trojan/Win32.Dapato.R133671 20170714
ALYac Gen:Variant.Strictor.6853 20170714
Antiy-AVL Trojan[Dropper]/Win32.Dapato 20170714
Arcabit Trojan.Strictor.D1AC5 20170714
Avast Win32:Trojan-gen 20170714
AVG Win32:Trojan-gen 20170714
Avira (no cloud) TR/Strictor.6853.5 20170713
AVware Trojan.Win32.Generic!BT 20170714
BitDefender Gen:Variant.Strictor.6853 20170714
CAT-QuickHeal TrojanDownloaderAPT.Dapato.J4 20170713
ClamAV Win.Trojan.Hydraq-208 20170714
CMC Trojan-Dropper.Win32.Dapato!O 20170713
Comodo UnclassifiedMalware 20170714
CrowdStrike Falcon (ML) malicious_confidence_60% (D) 20170710
Cylance Unsafe 20170714
Cyren W32/Trojan.VCDM-0250 20170714
DrWeb Trojan.DownLoader6.61987 20170714
Emsisoft Gen:Variant.Strictor.6853 (B) 20170714
Endgame malicious (high confidence) 20170713
ESET-NOD32 Win32/Agent.UFI 20170714
F-Secure Gen:Variant.Strictor.6853 20170714
Fortinet W32/Dapato.CCHD!tr 20170629
GData Gen:Variant.Strictor.6853 20170714
Ikarus Trojan-Dropper.Win32.Dapato 20170713
Sophos ML heuristic 20170607
Kaspersky Trojan-Dropper.Win32.Dapato.bscc 20170714
Kingsoft Win32.Troj.Dapato.b.(kcloud) 20170714
MAX malware (ai score=80) 20170714
McAfee Downloader-FRE!6B4AA596E5A4 20170714
McAfee-GW-Edition Downloader-FRE!6B4AA596E5A4 20170714
Microsoft TrojanDownloader:Win32/Dapato.J 20170714
eScan Gen:Variant.Strictor.6853 20170714
NANO-Antivirus Trojan.Win32.Dapato.cqkgug 20170714
nProtect Trojan-Dropper/W32.Dapato.126728 20170714
Palo Alto Networks (Known Signatures) generic.ml 20170714
Panda Generic Malware 20170713
Qihoo-360 Win32/Trojan.Dropper.fda 20170714
Rising Trojan.Generic (cloud:EwKxhRfzz2B) 20170714
Sophos AV Mal/Generic-S 20170714
Symantec Trojan.Gen 20170714
Tencent Win32.Trojan-dropper.Dapato.Wpju 20170714
TheHacker Trojan/Dropper.Dapato.bscc 20170712
TrendMicro TROJ_GEN.R047C0DG617 20170714
TrendMicro-HouseCall TROJ_GEN.R047C0DG617 20170714
VBA32 TrojanDropper.Dapato 20170713
VIPRE Trojan.Win32.Generic!BT 20170714
ViRobot Trojan.Win32.Z.Dapato.126728.A 20170714
Webroot W32.Malware.Gen 20170714
Yandex Trojan.Agent!5ggLQ0K1UtE 20170713
Zillya Trojan.AgentCRTD.Win32.7787 20170713
ZoneAlarm by Check Point Trojan-Dropper.Win32.Dapato.bscc 20170714
Zoner Trojan.Small.PMA 20170714
Engines reporting no detection (empty Result column):
AegisLab 20170714
Alibaba 20170714
Baidu 20170713
Bkav 20170713
F-Prot 20170714
Jiangmin 20170714
K7AntiVirus 20170714
K7GW 20170714
Malwarebytes 20170714
SentinelOne (Static ML) 20170516
SUPERAntiSpyware 20170714
Symantec Mobile Insight 20170713
TotalDefense 20170713
Trustlook 20170714
WhiteArmor 20170713
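The 53 labels above disagree on type (Dropper, Downloader, Agent) and on naming scheme, but several vendors converge on one family token. The following is an added example, not part of the VirusTotal report, that derives that consensus from a constructed subset of the table: each label is tokenised, generic type/platform tokens and variant identifiers are discarded, and the family token used by the most engines wins. The stop-list and the length heuristic are the example's own assumptions, not any vendor's rules.

```python
"""Derive a consensus family name from per-vendor AV labels (added example)."""
import re
from collections import Counter

# Constructed subset of the detection table above, as (engine, label).
DETECTIONS = [
    ("Ad-Aware", "Gen:Variant.Strictor.6853"),
    ("AhnLab-V3", "Trojan/Win32.Dapato.R133671"),
    ("Antiy-AVL", "Trojan[Dropper]/Win32.Dapato"),
    ("Avast", "Win32:Trojan-gen"),
    ("ClamAV", "Win.Trojan.Hydraq-208"),
    ("DrWeb", "Trojan.DownLoader6.61987"),
    ("ESET-NOD32", "Win32/Agent.UFI"),
    ("Fortinet", "W32/Dapato.CCHD!tr"),
    ("Kaspersky", "Trojan-Dropper.Win32.Dapato.bscc"),
    ("McAfee", "Downloader-FRE!6B4AA596E5A4"),
    ("Microsoft", "TrojanDownloader:Win32/Dapato.J"),
    ("Symantec", "Trojan.Gen"),
    ("TrendMicro", "TROJ_GEN.R047C0DG617"),
    ("ZoneAlarm by Check Point", "Trojan-Dropper.Win32.Dapato.bscc"),
]

# Assumed stop-list: tokens that describe type, platform or heuristics,
# not a family. Extend it for your own vendor mix.
GENERIC = {
    "trojan", "win32", "win", "w32", "gen", "generic", "variant", "dropper",
    "downloader", "trojandownloader", "troj", "agent", "malware", "ml",
    "heuristic", "unsafe", "malicious", "cloud", "kcloud", "tr", "bt", "b", "s",
}

def tokens(label):
    """Lowercase alphabetic tokens of a label that could name a family.
    Drops stop-list words, anything containing a digit (variant ids such as
    6853 or R133671) and short suffixes (UFI, bscc, CCHD, FRE)."""
    out = []
    for part in re.split(r"[^A-Za-z0-9]+", label):
        tok = part.lower()
        if not tok or tok in GENERIC:
            continue
        if any(ch.isdigit() for ch in tok):
            continue
        if len(tok) <= 4:
            continue
        out.append(tok)
    return out

def family_votes(detections):
    """Number of distinct engines using each family token (one vote per engine)."""
    votes = Counter()
    for _engine, label in detections:
        for tok in set(tokens(label)):
            votes[tok] += 1
    return votes

def consensus_family(detections, min_votes=2):
    """Family token most engines agree on, or None when nothing reaches
    min_votes (i.e. only generic detections)."""
    votes = family_votes(detections)
    if not votes:
        return None
    family, count = votes.most_common(1)[0]
    return family if count >= min_votes else None

if __name__ == "__main__":
    print(family_votes(DETECTIONS).most_common())
    print("consensus:", consensus_family(DETECTIONS))
```

On this subset the result is "dapato" with six engine votes; "strictor" and "hydraq" get one each, and the purely generic labels contribute nothing, which is the expected behaviour for a sample where the Bitdefender-engine family (Strictor) and the Kaspersky/Microsoft family (Dapato) name the same thing.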
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyrigte (C) 2012 (sic: the misspelling is in the file's own version resource; the same string appears as LegalCopyright in the ExifTool metadata below)
Product FlashUpdate
Original name FlashUpdate.EXE
Internal name reg_server
File version 11, 6, 2, 1
Description FlashUpdate
Comments Adobe? Flash?
Signature verification A certificate was explicitly revoked by its issuer. Note also that the version resource names Adobe Systems Incorporated as CompanyName (see the ExifTool metadata below) while the signer is MGAME Corp., and that the PE compilation timestamp (2012-09-19) falls after the signer certificate's end of validity (2011-06-20).
Signers
[+] MGAME Corp.
Status
This certificate or one of the certificates in the certificate chain is not time valid.
The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
Error 65536 (0x10000)
The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer Thawte Code Signing CA
Valid from 1:00 AM 6/19/2009
Valid to 12:59 AM 6/20/2011
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm sha1RSA
Thumbprint 529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56
Serial number 4E EB 08 05 55 F1 AB F7 09 BB A9 CA E3 2F 13 CD
[+] Thawte Code Signing CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Premium Server CA
Valid from 1:00 AM 8/6/2003
Valid to 12:59 AM 8/6/2013
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint A706BA1ECAB6A2AB18699FC0D7DD8C7DE36F290F
Serial number 0A
[+] thawte
Status Valid
Issuer Thawte Premium Server CA
Valid from 1:00 AM 8/1/1996
Valid to 12:59 AM 1/1/2021
Valid usage Server Auth, Code Signing
Algorithm md5RSA
Thumbprint 627F8D7827656399D27D7F9044C9FEB3F33EFA9A
Serial number 01
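The three status lines above are the product of checking each certificate's validity window and revocation flag at verification time. The following is an added example (not the report's or VirusTotal's code) that transcribes the chain as constructed records and evaluates it at two instants: the PE compilation timestamp from the header section below and the report's analysis date. It assumes the listed validity dates are UTC day boundaries. It shows that the leaf certificate had already expired before the claimed compile time, so the signature could only ever have verified with a trusted countersignature timestamp, and that revocation is reported independently of the time check. Real Authenticode verification also honours the countersignature time and the revocation date, neither of which the report shows, so treat this as a first-pass plausibility check.

```python
"""Evaluate an Authenticode signer chain at a given instant (added example)."""
from datetime import datetime

# The signer chain as listed in the report (dates only; assumed UTC).
CHAIN = [
    {"subject": "MGAME Corp.", "not_before": datetime(2009, 6, 19),
     "not_after": datetime(2011, 6, 20), "revoked": True},
    {"subject": "Thawte Code Signing CA", "not_before": datetime(2003, 8, 6),
     "not_after": datetime(2013, 8, 6), "revoked": False},
    {"subject": "thawte", "not_before": datetime(1996, 8, 1),
     "not_after": datetime(2021, 1, 1), "revoked": False},
]

COMPILE_TIME = datetime(2012, 9, 19, 22, 7, 41)   # PE header timestamp, UTC
ANALYSIS_TIME = datetime(2017, 7, 14, 4, 40, 7)   # VirusTotal analysis date, UTC

def cert_status(cert, when):
    """Problems with one certificate at `when`, revocation first, then the
    validity window (not_before inclusive, not_after exclusive)."""
    problems = []
    if cert["revoked"]:
        problems.append("revoked")
    if not (cert["not_before"] <= when < cert["not_after"]):
        problems.append("not time valid")
    return problems

def chain_problems(chain, when):
    """Subjects that have problems at `when`; an empty dict means a clean chain."""
    out = {}
    for cert in chain:
        problems = cert_status(cert, when)
        if problems:
            out[cert["subject"]] = problems
    return out

def time_valid_at(chain, when):
    """Whether every validity window covers `when`, ignoring revocation.
    This is the question a trusted countersignature timestamp settles: an
    expired certificate still verifies if the chain was time valid at the
    moment of signing."""
    return all(c["not_before"] <= when < c["not_after"] for c in chain)

if __name__ == "__main__":
    for label, when in (("compile time", COMPILE_TIME), ("analysis time", ANALYSIS_TIME)):
        print(label, chain_problems(CHAIN, when), "time valid:", time_valid_at(CHAIN, when))
```

At the analysis date the output reproduces the report: the leaf is revoked and expired, the intermediate CA is expired, and the thawte root (valid to 2021) is clean. At the compile time only the leaf fails the time check, which is exactly why the header timestamp and the certificate window are worth comparing before trusting any "signed" label.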
Packers identified
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-09-19 22:07:41
Entry Point 0x00001CD0
Number of sections 4
PE sections
Overlays
MD5 b5d0f2ee0ec940bedcfb53715b7be365
File type data
Offset 122880
Size 3848
Entropy 7.06
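An overlay is whatever sits in the file past the end of the last section's raw data; the report's offset, size, MD5 and entropy come from exactly that slice. The following is an added example (not the report's or any tool's code): a stdlib-only parser that walks the section table, takes the highest end-of-raw-data as the overlay offset, and reports the same three fields. The PE it runs on is constructed in memory (headers, two filler sections, appended bytes) and is not the analysed file.

```python
"""Locate and characterise a PE overlay (added example)."""
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input,
    8.0 for a uniform byte distribution, which packed or encrypted data approaches."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def overlay_offset(pe):
    """File offset at which appended data begins: the highest end of any
    section's raw data (or the end of the headers if no section has raw data),
    capped at the file length so a truncated file reports no overlay."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header at e_lfanew+4: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    sect_table = e_lfanew + 24 + size_opt
    end = sect_table + 40 * num_sections
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER (40 bytes): Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ...
        size_raw, ptr_raw = struct.unpack_from("<II", pe, sect_table + 40 * i + 16)
        if size_raw and ptr_raw:
            end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))

def describe_overlay(pe):
    """The fields the report's Overlays block shows, plus the offset."""
    off = overlay_offset(pe)
    data = pe[off:]
    return {"offset": off, "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 2)}

def build_sample_pe(overlay):
    """Constructed minimal PE32 (i386, two sections of NOP filler) with
    `overlay` appended after the last section. Test fixture only."""
    e_lfanew, size_opt, num_sections, align = 0x80, 224, 2, 0x200
    sect_table = e_lfanew + 24 + size_opt
    first_raw = (sect_table + 40 * num_sections + align - 1) // align * align
    sections = [(b".text", 0x400, first_raw), (b".data", 0x200, first_raw + 0x400)]
    pe = bytearray(first_raw)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", pe, e_lfanew + 4, 0x14C, num_sections)  # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", pe, e_lfanew + 20, size_opt)
    struct.pack_into("<H", pe, e_lfanew + 24, 0x10B)                # PE32 magic
    for i, (name, size_raw, ptr_raw) in enumerate(sections):
        hdr = sect_table + 40 * i
        pe[hdr:hdr + 8] = name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", pe, hdr + 8, size_raw, 0x1000 * (i + 1), size_raw, ptr_raw)
    for _name, size_raw, _ptr in sections:
        pe += b"\x90" * size_raw
    return bytes(pe) + overlay

# Constructed 1024-byte overlay with a uniform byte distribution (entropy 8.0).
OVERLAY = bytes(range(256)) * 4
SAMPLE = build_sample_pe(OVERLAY)

if __name__ == "__main__":
    print(describe_overlay(SAMPLE))
```

Applied to the report's own numbers: 122880 + 3848 = 126728, the stated file size, so the overlay runs to end of file. An entropy of 7.06 is consistent with compressed or encrypted content rather than plain text or structured data, though it is short of the 8.0 that uniformly random bytes give.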
PE imports
ADVAPI32.dll
RegOpenKeyA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
RegOpenKeyExA
KERNEL32.dll
GetStartupInfoA
CreateThread
GetEnvironmentVariableA
lstrcatA
DeleteFileA
Sleep
CloseHandle
CreateFileA
GetModuleFileNameA
VirtualAlloc
GetModuleHandleA
Ordinal-only imports (the exporting DLL is not named in this listing)
Ord(2379)
Ord(1775)
Ord(3147)
Ord(4080)
Ord(2124)
Ord(1146)
Ord(3830)
Ord(470)
Ord(4627)
Ord(3597)
Ord(2725)
Ord(4673)
Ord(3738)
Ord(755)
Ord(6375)
Ord(6376)
Ord(3136)
Ord(2982)
Ord(5199)
Ord(3079)
Ord(2512)
Ord(3262)
Ord(2055)
Ord(4234)
Ord(1576)
Ord(825)
Ord(3081)
Ord(4837)
Ord(5307)
Ord(5241)
Ord(3798)
Ord(6052)
Ord(3259)
Ord(4424)
Ord(2648)
Ord(5714)
Ord(5289)
Ord(4710)
Ord(4407)
Ord(4078)
Ord(2985)
Ord(5065)
Ord(2446)
Ord(3346)
Ord(4622)
Ord(561)
Ord(3831)
Ord(6374)
Ord(5280)
Ord(5302)
Ord(324)
Ord(1727)
Ord(3825)
Ord(4425)
Ord(2976)
Ord(2396)
Ord(2554)
Ord(2385)
Ord(815)
Ord(1089)
Ord(4486)
Ord(1168)
Ord(5277)
Ord(641)
Ord(5731)
Ord(4698)
Ord(4998)
Ord(3922)
Ord(823)
Ord(5163)
Ord(2514)
Ord(6199)
Ord(5265)
Ord(3749)
Ord(4299)
Ord(5300)
Ord(4853)
Ord(4353)
Ord(4441)
Ord(4274)
Ord(4376)
Ord(5261)
Ord(4465)
Ord(4079)
MSVCRT.dll
_except_handler3
__p__fmode
_acmdln
__CxxFrameHandler
_setmbcp
_exit
__p__commode
_strcmpi
__dllonexit
_onexit
_controlfp
exit
_XcptFilter
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__set_app_type
USER32.dll
GetSystemMetrics
LoadIconA
EnableWindow
DrawIcon
SendMessageA
GetClientRect
SetWindowLongA
FindWindowA
IsIconic
Number of PE resources by type
RT_ICON 3
RT_MANIFEST 1
RT_DIALOG 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
CHINESE SIMPLIFIED 7
PE resources
ExifTool file metadata
SubsystemVersion 4.0
Comments Adobe? Flash?
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 11.6.2.1
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription FlashUpdate
CharacterSet Unicode
InitializedDataSize 114688
EntryPoint 0x1cd0
OriginalFileName FlashUpdate.EXE
MIMEType application/octet-stream
LegalCopyright Copyrigte (C) 2012
FileVersion 11, 6, 2, 1
TimeStamp 2012:09:19 23:07:41+01:00
FileType Win32 EXE
PEType PE32
InternalName reg_server
ProductVersion 11, 6, 2, 1
UninitializedDataSize 0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Adobe Systems Incorporated
CodeSize 4096
ProductName FlashUpdate
ProductVersionNumber 11.6.2.1
FileTypeExtension exe
ObjectFileType Executable application

Compressed bundles
File identification
MD5 6b4aa596e5a4208371942cdb0e04dfd9
SHA1 b3876e630a2fa4ba136089ba3ab145ba7feb8f57
SHA256 f499aee5c60e167d486ab5393efbed1020fed5c81e80ee581be68150582fb9c9
ssdeep 3072:QnUrbTmYzFkO0A0RHlb3zdHwQhG5XrWG1RWEXnxnD:QUr50tjjzddsq4RWu
authentihash 576ffd72c79cca54daa5c56c2744c81fe1b1a640318ba1ef1f824d1dbaaf0c65
imphash d355d697b8857e8dc43ea0f90401aa11
File size 123.8 KB ( 126728 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
revoked-cert peexe armadillo signed overlay

VirusTotal metadata
First submission 2012-09-21 04:35:18 UTC ( 4 years, 10 months ago )
Last submission 2017-07-11 11:55:55 UTC ( 2 weeks ago )
File names test4295846396105.bin
test91515043992621.bin
test56981852609764.bin
test91996685341175.bin
test31992224817584.bin
test6175705025500.bin
6b4aa596e5a4208371942cdb0e04dfd9.b3876e630a2fa4ba136089ba3ab145ba7feb8f57
test75277133263904.bin
test67857756695243.bin
test84762793346667.bin
test54029550181553.bin
test40955797194646.bin
test19215694395303.bin
test9757237294739.bin
test68075600538301.bin
test78344342624403.bin
test86411696161344.bin
test57061799662652.bin
test40837385252815.bin
test48725507201570.bin
test27630268227321.bin
test65659913648950.bin
output.9845466.txt
VirusShare_6b4aa596e5a4208371942cdb0e04dfd9
test49465163848331.bin
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.