173323c5df9ea26178173891b8c3c873.exe

Installer

Shan Feng

The application 173323c5df9ea26178173891b8c3c873.exe by Shan Feng has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘iIlVPRDBKKy5v0Bx’. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Airware Inc.  (signed by Shan Feng)

Product:
Installer

Version:
3,7,8,1

MD5:
173323c5df9ea26178173891b8c3c873

SHA-1:
7a1cad90a57ae26a963f22892170ae4f1f6d5db5

SHA-256:
f13afd570658bab1b2f138b2ddb82403ae17970f7a249e4cae769e2e165e0576

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 3:53:42 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Elex (M)

Engine version:
16.8.10.20

File size:
351.8 KB (360,216 bytes)

Product version:
3,5,8,5

Copyright:
(C) Airware Inc.

Trademarks:
(C) Airware Inc.

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
German (Germany)

Common path:
C:\users\{user}\appdata\roaming\173323c5df9ea26178173891b8c3c873.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
2/4/2016 3:00:00 AM

Valid to:
2/4/2017 2:59:59 AM

Subject:
CN=Shan Feng, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
35000007A9C98043CA459BAC1DA3B29C

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:6J+GuiN8vppF8JqR+bEmxCLCmqvu3nakFYQOOSPAxr+eNaCjWbGX3:TXiV1NMakFYBOSPAomaCjWbi3

Entry address:
0x13B3

Entry point:
55, 89, E5, 83, EC, 08, C7, 05, F8, 4A, 45, 00, 01, 00, 00, 00, E8, 48, 29, 04, 00, C9, E9, 66, FD, FF, FF, 55, 89, E5, 83, EC, 08, C7, 05, F8, 4A, 45, 00, 00, 00, 00, 00, E8, 2D, 29, 04, 00, C9, E9, 4B, FD, FF, FF, 90, 90, 90, 66, 90, 66, 90, 55, 89, E5, 83, EC, 18, A1, A8, 89, 44, 00, 85, C0, 74, 3C, C7, 04, 24, 00, 90, 44, 00, FF, 15, 34, 53, 45, 00, 83, EC, 04, 85, C0, BA, 00, 00, 00, 00, 74, 16, C7, 44, 24, 04, 0E, 90, 44, 00, 89, 04, 24, FF, 15, 38, 53, 45, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09, C7...
 

Entropy:
6.5139

Code size:
274 KB (280,576 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
iIlVPRDBKKy5v0Bx

Command:
"C:\users\{user}\appdata\roaming\173323c5df9ea26178173891b8c3c873.exe" \skipreg


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)


Remove 173323c5df9ea26178173891b8c3c873.exe - Powered by Reason Core Security