SHA256: f4f27fa49dccdf120d14f6cd2f11835846858008cfe2c041bd54a92e74c5ff53
File name: HI1.DLL
Detection ratio: 21 / 42
Analysis date: 2012-06-08 13:34:11 UTC ( 6 years, 6 months ago )
Antivirus Result Update
AhnLab-V3 Backdoor/Win32.Svchost 20120608
AntiVir BDS/Zegost.Q.292 20120608
AVG BackDoor.Generic_r.AIE 20120608
BitDefender Gen:Variant.Graftor.984 20120608
ClamAV PUA.Win32.Packer.Armadillo-93 20120608
Comodo TrojWare.Win32.MMM.~CKA 20120608
DrWeb Trojan.KeyLogger.13581 20120608
F-Secure Gen:Variant.Graftor.984 20120608
GData Gen:Variant.Graftor.984 20120608
Ikarus Backdoor.Win32.Inject 20120608
McAfee Artemis!55C020F39AE0 20120608
McAfee-GW-Edition Artemis!55C020F39AE0 20120608
Microsoft Backdoor:Win32/Zegost.Q 20120607
NOD32 a variant of Win32/Farfli.LS 20120608
Norman W32/Farfli.IEO 20120607
Panda Suspicious file 20120608
PCTools Trojan.ADH 20120608
Sophos AV Mal/Behav-170 20120608
Symantec Trojan.ADH.2 20120608
VIPRE Trojan.Win32.Redosdru.C (v) 20120608
ViRobot Trojan.Win32.S.RT-Agent.115800 20120608
Antiy-AVL 20120608
Avast 20120608
ByteHero 20120606
CAT-QuickHeal 20120608
Commtouch 20120608
Emsisoft 20120608
eSafe 20120607
F-Prot 20120607
Fortinet 20120608
Jiangmin 20120608
K7AntiVirus 20120607
Kaspersky 20120608
nProtect 20120608
Rising 20120608
SUPERAntiSpyware 20120608
TheHacker 20120607
TotalDefense 20120608
TrendMicro 20120608
TrendMicro-HouseCall 20120607
VBA32 20120607
VirusBuster 20120608
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Signature verification Signed file, verified signature
Signing date 1:59 PM 6/3/2012
Signers
[+] Fuzhou Dingxin Trade Co.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Code Signing CA - G2
Valid from 1:00 AM 5/11/2012
Valid to 12:59 AM 5/12/2013
Valid usage Code Signing, 1.3.6.1.4.1.311.2.1.22
Algorithm sha1RSA
Thumbprint 9B67CD3D0674E08C7073B8E859E077E12362D3FC
Serial number 2A 5B 09 46 7A 7D 7D 7B 7D 7A 5F 0B A8 FB AE D8
[+] Thawte Code Signing CA - G2
Status Valid
Issuer thawte Primary Root CA
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Serial number 47 97 4D 78 73 A5 BC AB 0D 2F B3 70 19 2F CE 5E
[+] thawte
Status Valid
Issuer thawte Primary Root CA
Valid from 1:00 AM 11/17/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 91C6D6EE3E8AC86384E548C299295C756C817B81
Serial number 34 4E D5 57 20 D5 ED EC 49 F4 2F CE 37 DB 2B 6D
Counter signers
[+] Symantec Time Stamping Services Signer - G3
Status This certificate or one of the certificates in the certificate chain is not time valid; the revocation status of the certificate or one of the certificates in the certificate chain is unknown; Error 65536 (0x10000); the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 1:00 AM 5/1/2012
Valid to 12:59 AM 1/1/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 8FD99D63FB3AFBD534A4F6E31DACD27F59504021
Serial number 79 A2 A5 85 F9 D1 15 42 13 D9 B8 3E F6 B6 8D ED
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
PEiD Armadillo v1.xx - v2.xx
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-06-03 12:58:34
Entry Point 0x00010939
Number of sections 5
PE sections
Overlays
MD5 ef6da28307397715bab13b99f4dd891c
File type data
Offset 108544
Size 7256
Entropy 7.37
PE imports
CreateToolhelp32Snapshot
PeekNamedPipe
GetLastError
DisconnectNamedPipe
HeapFree
EnterCriticalSection
ReleaseMutex
TerminateThread
lstrlenA
lstrcmpiA
DeviceIoControl
WaitForSingleObject
SetEvent
CopyFileA
GetTickCount
GetVersionExA
LoadLibraryA
WinExec
DeleteCriticalSection
GetStartupInfoA
GetPrivateProfileStringA
GetCurrentProcessId
lstrcatA
GetPrivateProfileIntA
DeleteFileA
Process32Next
SetErrorMode
MultiByteToWideChar
GetLocalTime
GetProcAddress
GetSystemInfo
CancelIo
GetProcessHeap
CreateMutexA
RaiseException
CreateThread
CreatePipe
ReadFile
InterlockedExchange
SetUnhandledExceptionFilter
WriteFile
FindFirstFileA
CloseHandle
FreeConsole
GlobalMemoryStatus
GetSystemDirectoryA
WaitForMultipleObjects
FreeLibrary
LocalFree
OpenEventA
TerminateProcess
CreateProcessA
InitializeCriticalSection
lstrcpyA
VirtualFree
CreateEventA
FindClose
Sleep
CreateFileA
HeapAlloc
GetCurrentThreadId
LeaveCriticalSection
VirtualAlloc
LocalAlloc
SetLastError
ResetEvent
rand
malloc
_ftol
srand
strncat
printf
strncpy
strchr
clock
??2@YAPAXI@Z
sprintf
??1type_info@@UAE@XZ
strrchr
__CxxFrameHandler
_CxxThrowException
strcspn
_adjust_fdiv
??3@YAXPAX@Z
_strcmpi
free
ceil
atoi
_except_handler3
calloc
strstr
memmove
wcstombs
_beginthreadex
_strnicmp
_initterm
PE exports
Number of PE resources by type
RT_VERSION 1
Number of PE resources by language
CHINESE SIMPLIFIED 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
FileFlagsMask 0x003f
MachineType Intel 386 or later, and compatibles
TimeStamp 2012:06:03 13:58:34+01:00
FileType Win32 DLL
PEType PE32
CodeSize 65536
LinkerVersion 6.0
FileSubtype 0
ProductVersionNumber 1.0.0.1
UninitializedDataSize 0
FileTypeExtension dll
InitializedDataSize 47104
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
FileVersionNumber 1.0.0.1
EntryPoint 0x10939
FileOS Windows NT 32-bit
ObjectFileType Executable application
PE resource-wise parents
File identification
MD5 55c020f39ae0bd64dbd431cbd0e84433
SHA1 3cf90ac7dcdef750796fc972930b9edbb28bc9fb
SHA256 f4f27fa49dccdf120d14f6cd2f11835846858008cfe2c041bd54a92e74c5ff53
ssdeep
3072:SgPYKva5Or+jZ8VVvep5U14ZQwmhNmL4ecKsjKGnbJ1:SgPY4a5XWV9+U1gQwmhNvjrT

authentihash 3fef715411e2b7b79b8dc777cc157b7d9078935cc5ab80d7038e74eb024ba1a6
imphash 6b69d86e5b4a8a05c928c0d7f667e1f7
File size 113.1 KB ( 115800 bytes )
File type Win32 DLL
Magic literal
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags
armadillo pedll signed overlay

VirusTotal metadata
First submission 2012-06-05 16:03:41 UTC ( 6 years, 6 months ago )
Last submission 2014-02-02 19:43:42 UTC ( 4 years, 10 months ago )
File names HI1.DLL
f11fc734b060d97716d9dc6c5b867cbd60d289a8e6bf6fdc90f8add7e244413a646649bdca13d727156e37cd1e45ebc5b74918595edc32a2a7529aecc91f91de
HI1.dl
3cf90ac7dcdef750796fc972930b9edbb28bc9fb_HI1.dl
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .
