SHA256: f499aee5c60e167d486ab5393efbed1020fed5c81e80ee581be68150582fb9c9
File name: reg_server
Detection ratio: 45 / 57
Analysis date: 2016-08-30 12:56:22 UTC ( 8 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Strictor.6853 20160830
AegisLab Troj.Dropper.W32.Dapato.bscc!c 20160830
AhnLab-V3 Trojan/Win32.Dapato.N664686571 20160830
ALYac Gen:Variant.Strictor.6853 20160830
Antiy-AVL Trojan[Dropper]/Win32.Dapato 20160830
Arcabit Trojan.Strictor.D1AC5 20160830
Avast Win32:Trojan-gen 20160830
AVG Dropper.Generic6.CBIE 20160830
Avira (no cloud) TR/Strictor.6853.5 20160830
AVware Trojan.Win32.Generic!BT 20160830
BitDefender Gen:Variant.Strictor.6853 20160830
Bkav HW32.Packed.C0F1 20160830
CAT-QuickHeal TrojanDownloaderAPT.Dapato.J4 20160830
ClamAV Win.Trojan.Hydraq-208 20160830
CMC Trojan-Dropper.Win32.Dapato!O 20160830
Comodo UnclassifiedMalware 20160830
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20160725
Cyren W32/Trojan.VCDM-0250 20160830
DrWeb Trojan.DownLoader6.61987 20160830
Emsisoft Gen:Variant.Strictor.6853 (B) 20160830
ESET-NOD32 Win32/Agent.UFI 20160830
F-Secure Gen:Variant.Strictor.6853 20160830
Fortinet W32/Dapato.CCHD!tr 20160830
GData Gen:Variant.Strictor.6853 20160830
Ikarus Trojan-Dropper.Win32.Dapato 20160830
Kaspersky Trojan-Dropper.Win32.Dapato.bscc 20160830
McAfee Downloader-FRE!6B4AA596E5A4 20160830
McAfee-GW-Edition Downloader-FRE!6B4AA596E5A4 20160830
Microsoft TrojanDownloader:Win32/Dapato.J 20160830
eScan Gen:Variant.Strictor.6853 20160830
NANO-Antivirus Trojan.Win32.Dapato.cqkgug 20160830
Panda Generic Malware 20160830
Qihoo-360 Win32/Trojan.Dropper.fda 20160830
Rising Trojan.Generic-EwKxhRfzz2B (cloud) 20160830
Sophos Mal/Generic-S 20160830
Symantec Heur.AdvML.C 20160830
Tencent Win32.Trojan-dropper.Dapato.Wpju 20160830
TheHacker Trojan/Dropper.Dapato.bscc 20160829
TrendMicro TROJ_GEN.R00JC0CDA16 20160830
TrendMicro-HouseCall TROJ_GEN.R00JC0CDA16 20160830
VBA32 TrojanDropper.Dapato 20160830
VIPRE Trojan.Win32.Generic!BT 20160830
Yandex Trojan.Agent!5ggLQ0K1UtE 20160830
Zillya Dropper.Dapato.Win32.14266 20160830
Zoner Trojan.Small.PMA 20160830
Alibaba 20160830
Baidu 20160830
F-Prot 20160830
Invincea 20160830
Jiangmin 20160830
K7AntiVirus 20160830
K7GW 20160830
Kingsoft 20160830
Malwarebytes 20160830
nProtect 20160830
SUPERAntiSpyware 20160830
TotalDefense 20160830
ViRobot 20160830
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyrigte (C) 2012

Product FlashUpdate
Original name FlashUpdate.EXE
Internal name reg_server
File version 11, 6, 2, 1
Description FlashUpdate
Comments Adobe? Flash?
Signature verification A certificate was explicitly revoked by its issuer.
Signers
[+] MGAME Corp.
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown., Error 65536 (0x10000), The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer Thawte Code Signing CA
Valid from 1:00 AM 6/19/2009
Valid to 12:59 AM 6/20/2011
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm sha1RSA
Thumbprint 529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56
Serial number 4E EB 08 05 55 F1 AB F7 09 BB A9 CA E3 2F 13 CD
[+] Thawte Code Signing CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Premium Server CA
Valid from 1:00 AM 8/6/2003
Valid to 12:59 AM 8/6/2013
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint A706BA1ECAB6A2AB18699FC0D7DD8C7DE36F290F
Serial number 0A
[+] thawte
Status Valid
Issuer Thawte Premium Server CA
Valid from 1:00 AM 8/1/1996
Valid to 12:59 AM 1/1/2021
Valid usage Server Auth, Code Signing
Algorithm md5RSA
Thumbprint 627F8D7827656399D27D7F9044C9FEB3F33EFA9A
Serial number 01
Packers identified
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-09-19 22:07:41
Entry Point 0x00001CD0
Number of sections 4
PE sections
Overlays
MD5 b5d0f2ee0ec940bedcfb53715b7be365
File type data
Offset 122880
Size 3848
Entropy 7.06
PE imports
RegOpenKeyA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
RegOpenKeyExA
GetStartupInfoA
CreateThread
GetEnvironmentVariableA
lstrcatA
DeleteFileA
Sleep
CloseHandle
CreateFileA
GetModuleFileNameA
VirtualAlloc
GetModuleHandleA
Ord(2379)
Ord(1775)
Ord(3147)
Ord(4080)
Ord(2124)
Ord(1146)
Ord(3830)
Ord(470)
Ord(4627)
Ord(3597)
Ord(2725)
Ord(4673)
Ord(3738)
Ord(755)
Ord(6375)
Ord(6376)
Ord(3136)
Ord(2982)
Ord(5199)
Ord(3079)
Ord(2512)
Ord(3262)
Ord(2055)
Ord(4234)
Ord(1576)
Ord(825)
Ord(3081)
Ord(4837)
Ord(5307)
Ord(5241)
Ord(3798)
Ord(6052)
Ord(3259)
Ord(4424)
Ord(2648)
Ord(5714)
Ord(5289)
Ord(4710)
Ord(4407)
Ord(4078)
Ord(2985)
Ord(5065)
Ord(2446)
Ord(3346)
Ord(4622)
Ord(561)
Ord(3831)
Ord(6374)
Ord(5280)
Ord(5302)
Ord(324)
Ord(1727)
Ord(3825)
Ord(4425)
Ord(2976)
Ord(2396)
Ord(2554)
Ord(2385)
Ord(815)
Ord(1089)
Ord(4486)
Ord(1168)
Ord(5277)
Ord(641)
Ord(5731)
Ord(4698)
Ord(4998)
Ord(3922)
Ord(823)
Ord(5163)
Ord(2514)
Ord(6199)
Ord(5265)
Ord(3749)
Ord(4299)
Ord(5300)
Ord(4853)
Ord(4353)
Ord(4441)
Ord(4274)
Ord(4376)
Ord(5261)
Ord(4465)
Ord(4079)
_except_handler3
__p__fmode
_acmdln
__CxxFrameHandler
_setmbcp
_exit
__p__commode
_strcmpi
__dllonexit
_onexit
_controlfp
exit
_XcptFilter
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__set_app_type
GetSystemMetrics
LoadIconA
EnableWindow
DrawIcon
SendMessageA
GetClientRect
SetWindowLongA
FindWindowA
IsIconic
Number of PE resources by type
RT_ICON 3
RT_MANIFEST 1
RT_DIALOG 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
CHINESE SIMPLIFIED 7
PE resources
ExifTool file metadata
SubsystemVersion
4.0

Comments
Adobe? Flash?

LinkerVersion
6.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
11.6.2.1

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
FlashUpdate

CharacterSet
Unicode

InitializedDataSize
114688

EntryPoint
0x1cd0

OriginalFileName
FlashUpdate.EXE

MIMEType
application/octet-stream

LegalCopyright
Copyrigte (C) 2012

FileVersion
11, 6, 2, 1

TimeStamp
2012:09:19 23:07:41+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
reg_server

ProductVersion
11, 6, 2, 1

UninitializedDataSize
0

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Adobe Systems Incorporated

CodeSize
4096

ProductName
FlashUpdate

ProductVersionNumber
11.6.2.1

FileTypeExtension
exe

ObjectFileType
Executable application

Compressed bundles
File identification
MD5 6b4aa596e5a4208371942cdb0e04dfd9
SHA1 b3876e630a2fa4ba136089ba3ab145ba7feb8f57
SHA256 f499aee5c60e167d486ab5393efbed1020fed5c81e80ee581be68150582fb9c9
ssdeep
3072:QnUrbTmYzFkO0A0RHlb3zdHwQhG5XrWG1RWEXnxnD:QUr50tjjzddsq4RWu

authentihash 576ffd72c79cca54daa5c56c2744c81fe1b1a640318ba1ef1f824d1dbaaf0c65
imphash d355d697b8857e8dc43ea0f90401aa11
File size 123.8 KB ( 126728 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags
revoked-cert peexe armadillo signed overlay

VirusTotal metadata
First submission 2012-09-21 04:35:18 UTC ( 4 years, 7 months ago )
Last submission 2014-01-01 19:59:02 UTC ( 3 years, 3 months ago )
File names test4295846396105.bin
test91515043992621.bin
test56981852609764.bin
test91996685341175.bin
test31992224817584.bin
test6175705025500.bin
6b4aa596e5a4208371942cdb0e04dfd9.b3876e630a2fa4ba136089ba3ab145ba7feb8f57
test75277133263904.bin
test67857756695243.bin
test84762793346667.bin
test54029550181553.bin
test40955797194646.bin
test19215694395303.bin
test9757237294739.bin
test68075600538301.bin
test78344342624403.bin
test86411696161344.bin
test57061799662652.bin
test40837385252815.bin
test48725507201570.bin
test27630268227321.bin
test65659913648950.bin
output.9845466.txt
VirusShare_6b4aa596e5a4208371942cdb0e04dfd9
test49465163848331.bin
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.