SHA256: 738740db028b9a9838466714914a844af72a669bae1243123780f2c2fcd132cc
File name: Infrastructure.dll
Detection ratio: 0 / 65
Analysis date: 2017-09-08 08:01:20 UTC ( 1 month, 1 week ago )
Antivirus Result Update
Ad-Aware 20170908
AegisLab 20170908
AhnLab-V3 20170907
Alibaba 20170908
ALYac 20170908
Antiy-AVL 20170908
Arcabit 20170908
Avast 20170908
AVG 20170908
Avira (no cloud) 20170908
AVware 20170906
Baidu 20170908
BitDefender 20170908
Bkav 20170907
CAT-QuickHeal 20170908
ClamAV 20170908
CMC 20170902
Comodo 20170908
CrowdStrike Falcon (ML) 20170804
Cylance 20170908
Cyren 20170908
DrWeb 20170908
Emsisoft 20170908
Endgame 20170821
ESET-NOD32 20170908
F-Prot 20170908
F-Secure 20170908
Fortinet 20170908
GData 20170908
Ikarus 20170907
Sophos ML 20170822
Jiangmin 20170908
K7AntiVirus 20170908
K7GW 20170908
Kaspersky 20170908
Kingsoft 20170908
Malwarebytes 20170908
MAX 20170908
McAfee 20170908
McAfee-GW-Edition 20170908
Microsoft 20170908
eScan 20170908
NANO-Antivirus 20170908
nProtect 20170908
Palo Alto Networks (Known Signatures) 20170908
Panda 20170906
Qihoo-360 20170908
Rising 20170908
SentinelOne (Static ML) 20170806
Sophos AV 20170907
SUPERAntiSpyware 20170908
Symantec 20170908
Symantec Mobile Insight 20170908
Tencent 20170908
TheHacker 20170907
TotalDefense 20170908
TrendMicro 20170908
TrendMicro-HouseCall 20170908
Trustlook 20170908
VBA32 20170907
VIPRE 20170908
ViRobot 20170908
Webroot 20170908
WhiteArmor 20170829
Yandex 20170907
Zillya 20170907
ZoneAlarm by Check Point 20170908
Zoner 20170908
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © 1989-2014 Sophos Limited, www.sophos.com
Product Sophos Anti-Virus
Original name Infrastructure.dll
Internal name Infrastructure.dll
File version 10.3.11.86
Description Performs virus scanning and disinfection functions
Signature verification Signed file, verified signature
Signing date 4:27 PM 7/29/2014
Signers
[+] Sophos Limited
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid from 1:00 AM 10/24/2013
Valid to 12:59 AM 12/23/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint EC510F6AEFCC5EC44CFD4C7D4A1079BA71CC45E4
Serial number 2B C0 BB 54 AB 4C 36 B2 17 95 3F D3 03 25 22 A8
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 1:00 AM 11/8/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-07-29 15:11:49
Entry Point 0x000199B4
Number of sections 5
PE sections
Overlays
MD5 d838de9b0bb02e657b451adb5ffadd3b
File type data
Offset 201728
Size 6440
Entropy 7.32
PE imports
RegCreateKeyExW
SetSecurityDescriptorOwner
GetSidLengthRequired
RegCloseKey
CopySid
GetSecurityDescriptorControl
GetAce
OpenServiceW
ControlService
InitializeAcl
DeleteService
GetSecurityInfo
InitializeSecurityDescriptor
RegQueryValueExW
GetSecurityDescriptorLength
SetSecurityDescriptorDacl
CloseServiceHandle
GetAclInformation
RegisterEventSourceW
OpenProcessToken
GetSecurityDescriptorGroup
MakeAbsoluteSD
RegOpenKeyExW
GetSecurityDescriptorOwner
CreateServiceW
GetTokenInformation
SetServiceStatus
IsValidSid
GetSecurityDescriptorDacl
RegEnumKeyExW
GetSecurityDescriptorSacl
GetSidSubAuthority
GetLengthSid
InitializeSid
SetSecurityInfo
RegDeleteValueW
RegSetValueExW
MakeSelfRelativeSD
OpenSCManagerW
ReportEventW
CheckTokenMembership
RegisterServiceCtrlHandlerExW
DeregisterEventSource
StartServiceCtrlDispatcherW
AddAce
Ord(12)
Ord(68)
Ord(25)
Ord(49)
Ord(23)
Ord(58)
Ord(61)
Ord(20)
Ord(67)
Ord(56)
Ord(31)
Ord(30)
Ord(64)
Ord(17)
Ord(32)
Ord(14)
Ord(13)
GetLastError
HeapFree
LoadLibraryExW
EnterCriticalSection
lstrlenA
LoadLibraryW
GlobalFree
WaitForSingleObject
FindResourceW
FreeLibrary
QueryPerformanceCounter
HeapDestroy
GetTickCount
SetProcessShutdownParameters
GetProcessHeap
lstrlenW
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
GetStartupInfoW
SizeofResource
SetConsoleCtrlHandler
LocalAlloc
LockResource
GetCommandLineW
UnhandledExceptionFilter
SetErrorMode
MultiByteToWideChar
HeapSize
IsDebuggerPresent
GetProcAddress
InterlockedCompareExchange
GetCurrentThread
LeaveCriticalSection
GetModuleFileNameW
RaiseException
CreateThread
SetEnvironmentVariableW
InterlockedExchange
SetUnhandledExceptionFilter
GetTempPathW
ResetEvent
GetSystemTimeAsFileTime
HeapReAlloc
GetModuleHandleW
SetEvent
LocalFree
FormatMessageW
TerminateProcess
GetThreadPriority
CreateEventW
InitializeCriticalSection
LoadResource
FindResourceExW
InterlockedDecrement
Sleep
SetThreadPriority
HeapAlloc
GetCurrentThreadId
InterlockedIncrement
GetCurrentProcessId
SetLastError
CloseHandle
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
_purecall
__p__fmode
malloc
?what@exception@std@@UBEPBDXZ
__wgetmainargs
srand
fclose
_time64
__dllonexit
_controlfp_s
swprintf_s
memset
wcscpy_s
_invoke_watson
??_V@YAXPAX@Z
_amsg_exit
?terminate@@YAXXZ
_ultow
?_type_info_dtor_internal_method@type_info@@QAEXXZ
floor
??2@YAPAXI@Z
fwrite
_lock
_onexit
wcslen
exit
_XcptFilter
memcmp
_encode_pointer
__setusermatherr
_recalloc
_initterm_e
__p__commode
_wcmdln
_adjust_fdiv
_cexit
_CxxThrowException
_putws
memmove_s
_unlock
_crt_debugger_hook
??3@YAXPAX@Z
free
ceil
__CxxFrameHandler3
_except_handler4_common
_wfopen
calloc
_initterm
??0exception@std@@QAE@ABV01@@Z
vswprintf_s
_swprintf
??1exception@std@@UAE@XZ
_resetstkoflw
memcpy_s
_vsnwprintf_s
_decode_pointer
wcsncpy_s
??0exception@std@@QAE@ABQBD@Z
wcsstr
_localtime64_s
_vscwprintf
_beginthreadex
_wcslwr_s
wcsnlen
_set_error_mode
_configthreadlocale
??0exception@std@@QAE@XZ
_exit
__set_app_type
LoadRegTypeLib
VarBstrCat
VariantTimeToSystemTime
SysStringLen
UnRegisterTypeLib
SysAllocStringLen
RegisterTypeLib
SystemTimeToVariantTime
SysAllocString
SysStringByteLen
LoadTypeLib
SysFreeString
SysAllocStringByteLen
CommandLineToArgvW
PathRemoveFileSpecW
MessageBoxW
LoadStringW
PostThreadMessageW
TranslateMessage
CharUpperW
UnregisterDeviceNotification
RegisterDeviceNotificationW
GetMessageW
CharNextW
DispatchMessageW
UnloadUserProfile
CoInitializeEx
CoUninitialize
CoImpersonateClient
CoResumeClassObjects
CoCreateInstance
CoSuspendClassObjects
CoInitializeSecurity
CLSIDFromProgID
CoWaitForMultipleHandles
StringFromGUID2
CoSetProxyBlanket
Number of PE resources by type
RT_ICON 14
REGISTRY 2
TYPELIB 1
RT_MANIFEST 1
RT_STRING 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH UK 18
ENGLISH US 3
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 5.0
InitializedDataSize 87552
ImageVersion 0.0
ProductName Sophos Anti-Virus
FileVersionNumber 10.3.11.86
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 9.0
FileTypeExtension exe
OriginalFileName Infrastructure.dll
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 10.3.11.86
TimeStamp 2014:07:29 16:11:49+01:00
FileType Win32 EXE
PEType PE32
InternalName Infrastructure.dll
ProductVersion 10.3.11
FileDescription Performs virus scanning and disinfection functions
OSVersion 5.0
FileOS Windows NT 32-bit
LegalCopyright 1989-2014 Sophos Limited, www.sophos.com
MachineType Intel 386 or later, and compatibles
CompanyName Sophos Limited
CodeSize 113152
FileSubtype 0
ProductVersionNumber 10.3.11.0
EntryPoint 0x199b4
ObjectFileType Executable application
Compressed bundles
File identification
MD5 d99f39d77432d1e979c1d918597c8a3e
SHA1 f4fb4c70a800ec1b0b923a7b3d75c76db9b3ba6d
SHA256 738740db028b9a9838466714914a844af72a669bae1243123780f2c2fcd132cc
ssdeep 3072:JnJevrXJDnwnx8SM8PvS+F7LQJin1aeb82YSeYOeE1AJBj5:JnJM98xTMmF7LF1Q1SeYOefX
authentihash 65e4bf4766ee508f11fed72817ca911ad9e4e16f333d85fc33b2405f454b81cd
imphash 846a91553df16a685fd3e57e5d3b7c2c
File size 203.3 KB ( 208168 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.4%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2014-08-21 14:17:05 UTC ( 3 years, 1 month ago )
Last submission 2017-05-27 03:50:13 UTC ( 4 months, 3 weeks ago )
File names {de5f816e-b849-4eca-8067-afb43cd47dfe}
altc7f2.tmp
alt1a8e.tmp
{41e235cd-f594-4230-998f-16108ad947d0}
alt75ee.tmp
altf406.tmp
altbd3f.tmp
bit8df7.tmp
altc80f.tmp
altbd24.tmp
405
alt72be.tmp
544
bitcb5.tmp
548
alt3b6f.tmp
alt3b70.tmp
altf423.tmp
alt1a8c.tmp
{df3a7118-c41c-48f9-a941-846b3af1cb46}
alt1a8d.tmp
alt72bd.tmp
{13e81937-723d-4c2e-8d4c-fc15ff51b4b3}
d99f39d77432d1e979c1d918597c8a3ex000.dat
bitedf2.tmp
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Written files
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.