klwtblfs.exe

MD5 Hash: 1ba2ecaa945c89e11cc4a0b1429aabc6
SHA256 Hash: 063c44d6021d5e009a3c4409db259964daaa031454f00fc900f432c7a3770d87
File size: 359104 bytes (351 KB.)
Last analysis: 10 Dec, 2019 00:48:22

Analysis MD5: 1ba2ecaa945c89e11cc4a0b1429aabc6

Analysis of the file classifies it as a class A (Safe). The file is safe to use. The trust index of this analysis is 83 % (high).

Classification scale: A, B, C, D+, D, D-, E+, E, E-, F

Description

klwtblfs.exe is a Kaspersky Anti-Virus file. It is part of the application Kaspersky Internet Security, developed by Kaspersky Lab. This program protects your system against viruses, Trojan horses and other threats.

Filename: klwtblfs.exe (Kaspersky Anti-Virus)
Threat analysis: Safe
Analysis trust: 83%
Recent activity:
First seen: 17 Oct, 2014
Last seen: 26 Oct, 2019
Last analysis: 10 Dec, 2019
Possible infection: Clean

klwtblfs.exe Kaspersky Anti-Virus

Application: Kaspersky Internet Security
Developer: Kaspersky Lab
Stability: 69%
File version: 4.0.9.111
File size: 359104 bytes (351 KB.)
CRC32 hash: 1048999516
MD5 hash: 1ba2ecaa945c89e11cc4a0b1429aabc6
SHA1 hash: 03f132f09ee0ffbb43e98429aa961c03fc6968cf
SHA256 hash: 063c44d6021d5e009a3c4409db259964daaa031454f00fc900f432c7a3770d87
A

Signature verification

Signed and verified

This file is signed. The publisher is verified.

Publisher: Kaspersky Lab
Product: Plugins PDK
Description: WebToolBar component
Signing date: 2014-04-19 23:41:00

Signers

Status: Valid
Signer trust: 100%
Serial: 02 26 E6 BD A7 6D AE 71 1E 3D B2 32 1E 3B 53 08
Algorithm: SHA1
Thumbprint: 5698BCFAB92B567BDDFBB5B71AE1B35E2BC73571
Valid usage: Code Signing
Valid from: 2013-02-22 02:00:00
Valid to: 2015-04-28 14:00:00

Status: Valid
Signer trust: 100%
Serial: 02 C4 D1 E5 8A 4A 68 0C 56 8D A3 04 7E 7E 4D 5F
Algorithm: SHA1
Thumbprint: E308F829DC77E80AF15EDD4151EA47C59399AB46
Valid usage: Code Signing
Valid from: 2011-02-11 14:00:00
Valid to: 2026-02-10 14:00:00

Status: Valid
Signer trust: 100%
Serial: 07 27 58 3D
Algorithm: SHA1
Thumbprint: 6751188F0E5563593233300564359411585B0C33
Valid usage: All
Valid from: 2010-01-13 21:20:00
Valid to: 2015-09-30 20:19:00

Status: Valid
Signer trust: 100%
Serial: 01 A5
Algorithm: MD5
Thumbprint: 97817950D81C9670CC34D809CF794431367EF474
Valid usage: Email Protection, Client Auth, Server Auth, Code Signing
Valid from: 1998-08-13 02:29:00
Valid to: 2018-08-14 01:59:00

Counter signers

Status: Valid
Signer trust: 91%
Serial: 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
Algorithm: SHA1
Thumbprint: 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Valid usage: Timestamp Signing
Valid from: 2010-05-10 02:00:00
Valid to: 2015-05-11 01:59:00

Status: Valid
Signer trust: 88%
Serial: 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Algorithm: SHA1
Thumbprint: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Valid usage: EFS, Timestamp Signing, Code Signing
Valid from: 1999-07-09 20:31:00
Valid to: 2019-07-09 20:40:00
D+

File entropy

File entropy match: Encrypted

Parts of this file are encrypted. The reasons might be benign but it makes the analysis more difficult.

[Entropy chart over the file, 0 b. to 359104 b. Legend: Plain, Data, Text, Code, Compressed, Encrypted, Random]

File signature

Microsoft Visual C++ 10

C++ is a general purpose programming language that is free-form and compiled. It is regarded as an intermediate-level language, as it comprises both high-level and low-level language features. It provides imperative, object-oriented and generic programming features.

The file type is determined with a signature, or magic numbers. Files are identified by comparing the first set of bytes in the file header. Using this method, file types are recognised no matter the extension used. This information is useful, for example, to recognise executable files cloaked as images or movies.


A

Malicious code scan

No malicious code found

Agics makes an analysis of the source code of the file. We look for similarities with known malicious source code. This is a good way to detect new malicious files which are in fact variations of existing, known malicious files.

Scan results: 0 %
A

Fuzzy hash a.k.a. Context Triggered Piecewise Hashing

SSDEEP

Context Triggered Piecewise Hashing, also called Fuzzy Hashing, can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length. Comparing fuzzy hashes is a good way to detect morphing malware, that is, malware which includes random code in every copy to change its properties. Agics uses ssdeep to create a fuzzy hash.

SSDEEP: 6144:OX0sUoZXNmofaht57KUKklNH7qKt2ijuJEz8upIc+xiFKx:CXUoZXNmLh32+uJEzLmc+xp

No match found


A

Online virus scanners

Detection ratio: 0 %
A

VirusShare.com

Not available on virusshare.com

VirusShare.com is a repository of malware samples that gives security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code. Presence of the sample on this site indicates that the file is (or was once considered) malicious.
Website: virusshare.com
B

National Software Reference Library

Not on the NSRL list

The NSRL contains a collection of digital signatures of known, traceable software applications. There are application hash values in the hash set which may be considered malicious, i.e. steganography tools and hacking scripts.
Website: www.nsrl.nist.gov

B

Behaviour

Sandbox behaviour analysis:

The file is executed in a safe environment to track its behaviour. The behaviour analysis can help with detecting new malware which is not yet recognized by virus scanners. However, it has a high chance of false positives, especially with installers, uninstallers and virus scanners.

Network activity

No internet connection

Dropped files

File name md5

A

Import hashing

Imphash: 536e7cf9ba83f30da493c9cdaa0b11d9

Fingerprinting files can be done in various ways. One way is to make a hash of the PE imports. PE imports are relatively unique, and this is a great way to find new variants of existing malware. The chance of false positives is relatively high. The resulting hash is often called an imphash.

0% Match
A

Statistic analysis

Statistic analysis of the file

Deviates from other files with the same name (imitation)
The file does have a certificate
This is a very common file
B

Neural network analysis

Analysis: Low risk

A neural network is a type of artificial intelligence. It recognizes patterns that are not clear to a human viewer. Our neural network is surprisingly accurate in recognizing dangerous files. The value below is the predicted chance the file is malicious.

11 %
