SHA256: bdc26f7a2313ab637fdbeefca705c5df5c6f73f28f4bbb4c5ff2bb6b3f551ce6
File name: Pokemon GO Mods.exe
Detection ratio: 0 / 57
Analysis date: 2017-02-12 17:30:01 UTC ( 1 year, 4 months ago )
Antivirus Result Update
Ad-Aware 20170212
AegisLab 20170212
AhnLab-V3 20170212
Alibaba 20170122
ALYac 20170212
Antiy-AVL 20170212
Arcabit 20170212
Avast 20170212
AVG 20170212
Avira (no cloud) 20170212
AVware 20170212
Baidu 20170210
BitDefender 20170212
Bkav 20170211
CAT-QuickHeal 20170211
ClamAV 20170212
CMC 20170212
Comodo 20170212
CrowdStrike Falcon (ML) 20170130
Cyren 20170212
DrWeb 20170212
Emsisoft 20170212
Endgame 20170208
ESET-NOD32 20170212
F-Prot 20170212
F-Secure 20170212
Fortinet 20170212
GData 20170212
Ikarus 20170212
Sophos ML 20170203
Jiangmin 20170212
K7AntiVirus 20170210
K7GW 20170212
Kaspersky 20170212
Kingsoft 20170212
Malwarebytes 20170212
McAfee 20170212
McAfee-GW-Edition 20170212
Microsoft 20170212
eScan 20170212
NANO-Antivirus 20170212
nProtect 20170212
Panda 20170212
Qihoo-360 20170212
Rising 20170212
Sophos AV 20170212
SUPERAntiSpyware 20170212
Symantec 20170212
Tencent 20170212
TheHacker 20170211
TrendMicro 20170212
TrendMicro-HouseCall 20170212
Trustlook 20170212
VBA32 20170210
VIPRE 20170212
ViRobot 20170212
WhiteArmor 20170202
Yandex 20170212
Zillya 20170210
Zoner 20170212
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2010 Valve Corporation

Product Steam Client Bootstrapper
Original name steam.exe
Internal name steamcmd (buildbot_steam-relclient-win32-builder_steam_rel_client_win32@steam-relclient-win32-builder)
File version 03.78.49.52
Description Steam Client Bootstrapper
Signature verification Signed file, verified signature
Signing date 1:24 AM 1/19/2017
Signers
[+] Valve
Status Valid
Issuer DigiCert SHA2 Assured ID Code Signing CA
Valid from 12:00 AM 9/25/2015
Valid to 12:00 PM 10/3/2018
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint FA71189A8BD9FDF62DE757A3FC2978B24A0275DD
Serial number 08 4C AF 4D F4 99 14 1D 40 4B 71 99 AA 2C 21 31
[+] DigiCert SHA2 Assured ID Code Signing CA
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 12:00 PM 10/22/2013
Valid to 12:00 PM 10/22/2028
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6
Serial number 04 09 18 1B 5F D5 BB 66 75 53 43 B5 6F 95 50 08
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 12:00 AM 11/10/2006
Valid to 12:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 12:00 AM 10/18/2012
Valid to 11:59 PM 12/29/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/21/2012
Valid to 11:59 PM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 1/1/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-01-19 01:23:54
Entry Point 0x000C9CBB
Number of sections 5
PE sections
Overlays
MD5 f71dc505b88461dd215dbd954efaac1f
File type data
Offset 2874880
Size 6944
Entropy 7.40
PE imports
RegOpenKeyA
RegCloseKey
DeregisterEventSource
RegQueryValueExA
RegSetValueExA
RegisterEventSourceA
RegOpenKeyExA
ReportEventA
RegQueryValueExW
InitCommonControlsEx
SwapBuffers
CreateICA
DeleteDC
TextOutW
SetBkMode
CreateFontA
GetStockObject
AddFontMemResourceEx
SelectObject
DeleteObject
RemoveFontMemResourceEx
SetPixelFormat
SetBkColor
CreateDIBSection
CreateCompatibleDC
GetTextExtentPoint32W
SetTextColor
ChoosePixelFormat
GetStdHandle
GetDriveTypeW
FileTimeToSystemTime
SetEvent
SetEndOfFile
DebugBreak
GetFileAttributesW
GetProcessHeaps
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
GetCurrentDirectoryA
GetConsoleMode
SetErrorMode
FreeEnvironmentStringsW
HeapWalk
SetStdHandle
GetFileTime
WideCharToMultiByte
InterlockedExchange
WriteFile
WaitForSingleObject
GetSystemTimeAsFileTime
GetCommandLineA
GlobalMemoryStatusEx
HeapReAlloc
GetStringTypeW
GetThreadPriority
GetFullPathNameA
FreeLibrary
LocalFree
HeapLock
ResumeThread
GetExitCodeProcess
InitializeCriticalSection
OutputDebugStringW
FindClose
InterlockedDecrement
GetFullPathNameW
OutputDebugStringA
SetLastError
PeekNamedPipe
DeviceIoControl
ReadConsoleInputA
CopyFileW
RemoveDirectoryW
TryEnterCriticalSection
IsDebuggerPresent
ExitProcess
FlushFileBuffers
GetModuleFileNameA
VerSetConditionMask
HeapSetInformation
LoadLibraryExA
SetConsoleCtrlHandler
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
VerifyVersionInfoW
SetFilePointerEx
SetProcessAffinityMask
SetFilePointer
SetFileAttributesW
InterlockedExchangeAdd
CreateThread
SetEnvironmentVariableW
MoveFileExW
GetExitCodeThread
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
SetEnvironmentVariableA
GlobalMemoryStatus
GetModuleHandleExW
SetCurrentDirectoryW
GlobalAlloc
GetDiskFreeSpaceExW
ReadConsoleW
GetCurrentThreadId
LeaveCriticalSection
SleepEx
WriteConsoleW
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
TerminateThread
LoadLibraryW
OpenThread
GetOEMCP
QueryPerformanceCounter
GetTickCount
TlsAlloc
GetVersionExA
LoadLibraryA
RtlUnwind
GetDateFormatA
GetFileSize
OpenProcess
GetDateFormatW
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GlobalLock
GetProcessHeap
CompareStringW
GetFileSizeEx
GetModuleFileNameW
GetFileInformationByHandle
FindNextFileW
GetDiskFreeSpaceA
HeapValidate
GetTimeFormatA
FindFirstFileW
TerminateProcess
FindFirstFileExW
GetProcAddress
GetProcessAffinityMask
GetTimeZoneInformation
CreateFileW
CreateEventA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
InterlockedIncrement
GetLastError
LoadLibraryExW
FlushConsoleInputBuffer
LCMapStringW
GetSystemInfo
GlobalFree
GetConsoleCP
GetTimeFormatW
GetEnvironmentStringsW
GlobalUnlock
QueryPerformanceFrequency
VirtualQuery
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
CreateIoCompletionPort
SetFileTime
GetCommandLineW
HeapQueryInformation
GetCPInfo
HeapSize
SetThreadAffinityMask
InterlockedCompareExchange
GetCurrentThread
SuspendThread
RaiseException
TlsFree
GetModuleHandleA
HeapUnlock
ReadFile
CloseHandle
GetACP
GetModuleHandleW
SwitchToThread
GetFileAttributesExW
IsValidCodePage
SetConsoleMode
PostQueuedCompletionStatus
CreateProcessW
Sleep
SetThreadPriority
SystemTimeToTzSpecificLocalTime
OpenEventA
VirtualAlloc
VariantClear
GetProcessMemoryInfo
Ord(680)
CommandLineToArgvW
SHGetFileInfoW
EmptyClipboard
GetUserObjectInformationW
GetMessageA
EndDialog
BeginPaint
EnumWindows
KillTimer
GetMonitorInfoA
DefWindowProcA
ShowWindow
SetClassLongA
SetWindowPos
GetWindowThreadProcessId
SetDlgItemInt
MessageBoxW
GetWindowRect
DispatchMessageA
EndPaint
SetDlgItemTextA
PostMessageA
MoveWindow
MessageBoxA
PeekMessageA
SetWindowLongA
TranslateMessage
DialogBoxParamA
GetProcessWindowStation
GetDlgItemInt
GetDC
RegisterClassExA
ReleaseDC
GetWindowLongA
SetClipboardData
IsWindowVisible
SendMessageA
SetWindowTextW
SetTimer
GetDlgItem
MonitorFromWindow
UpdateWindow
wsprintfA
GetWindowTextLengthA
CreateWindowExA
LoadCursorA
LoadIconA
GetDesktopWindow
RedrawWindow
MsgWaitForMultipleObjects
CloseClipboard
DestroyWindow
OpenClipboard
WSASocketA
htonl
getsockname
WSARecvFrom
accept
ioctlsocket
WSAStartup
connect
shutdown
htons
select
closesocket
ntohl
send
ntohs
WSAGetLastError
__WSAFDIsSet
WSACleanup
gethostbyname
WSASetLastError
recv
WSAIoctl
setsockopt
bind
WSASendTo
PE exports
Number of PE resources by type
RT_ICON 9
RT_VERSION 2
RT_GROUP_ICON 1
SCID 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 12
NEUTRAL 2
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 0
InitializedDataSize 1054208
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 3.78.49.52
LanguageCode English (U.S.)
FileFlagsMask 0x0017
LinkerVersion 12.0
FileDescription Steam Client Bootstrapper
CharacterSet Unicode
SourceControlID 3784952
EntryPoint 0xc9cbb
OriginalFileName steam.exe
MIMEType application/octet-stream
LegalCopyright Copyright (C) 2010 Valve Corporation
FileVersion 03.78.49.52
TimeStamp 2017:01:19 01:23:54+00:00
FileType Win32 EXE
PEType PE32
InternalName steamcmd (buildbot_steam-relclient-win32-builder_steam_rel_client_win32@steam-relclient-win32-builder)
ProductVersion 01.00.00.01
SubsystemVersion 5.1
OSVersion 5.1
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Valve Corporation
CodeSize 1819648
ProductName Steam Client Bootstrapper
ProductVersionNumber 1.0.0.1
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack (acts as a surveillance camera for computers)
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 5710e80eab62305c4fd4d968567448d2
SHA1 58710691e57ac46a85a6dae58335e1d9d8ee73e7
SHA256 bdc26f7a2313ab637fdbeefca705c5df5c6f73f28f4bbb4c5ff2bb6b3f551ce6
ssdeep 49152:rqdJs1rO7Pb4vMEjIBQ7usTolwa6LSeUn3YUdMd6CwbG4gGmyKIpOPBo/mmqmqtE:rBxW8v/jsFZ6LSn3YeMdN4gFyhKmp
authentihash c312e6cfcea7e55fc0efd4984b5045ebf4e938fc851192e3e5a2f088c9467ff5
imphash 857ee627fbf4db386caa954b06cafcc9
File size 2.7 MB ( 2881824 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID OS/2 Executable (generic) (33.6%)
Generic Win/DOS Executable (33.1%)
DOS Executable Generic (33.1%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2017-01-19 03:38:28 UTC ( 1 year, 5 months ago )
Last submission 2018-05-28 17:16:31 UTC ( 3 weeks, 1 day ago )
File names steam.exe_
Steam.exe
steamcmd (buildbot_steam-relclient-win32-builder_steam_rel_client_win32@steam-relclient-win32-builder)
steam.exe
Pokemon GO Mods.exe
Hearthstone hack tool.exe
steam.exe
steam.exe
Steam.exe
Steam.exe
SteamRoof.exe
1o7cjsoavd0w6xu1xf1l8qpw9cttf91t
Steam.exe
Steam.exe
Steam.exe
Steam.exe
Steam(1).exe
steam.exe
Steam.exe
bdc26f7a2313ab637fdbeefca705c5df5c6f73f28f4bbb4c5ff2bb6b3f551ce6.bin
Steam.exe
Steam.exe
steam.exe
Steam.exe
Behaviour characterization
Zemana
screen-capture

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
UDP communications