2-12391_pika.exe

raonmedia

The application 2-12391_pika.exe by raonmedia has been detected as a potentially unwanted program by 6 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from dlaghktn.tistory.com and multiple other hosts. While running, it connects to the Internet address ip144.ip-5-196-108.eu on port 80 using the HTTP protocol.
Publisher:
raonmedia  (signed and verified)

Version:
1.0.0.0

MD5:
c478547889753b7ccda024120748e963

SHA-1:
2700e717a46eb06baa065b10608b5e9cf9d20aa0

SHA-256:
62f28f1a56e90b9bc7585f64710df5851fc395f31076052ad5ab42512fed9948

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
12/28/2024 5:18:59 AM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | TR/Agent.869992 | 8.3.1.6
Dr.Web | Trojan.Adkor.138 | 9.0.1.0240
G Data | Win32.Application.RaonMedia | 15.8.25
IKARUS anti.virus | Trojan.Agent | t3scan.1.9.5.0
McAfee | Artemis!C47854788975 | 5600.6660
Reason Heuristics | PUP.raonmedia (M) | 15.8.28.1

File size:
849.6 KB (869,992 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/14/2015 9:00:00 AM

Valid to:
3/15/2016 8:59:59 AM

Subject:
CN=raonmedia, O=raonmedia, L=Suyeong-gu, S=Busan, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
30AC69A766B50D2767BF48710EFF48AD

File PE Metadata
Compilation timestamp:
1/23/2015 2:14:33 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:OEvW2iL6wumdFeSHSm9zBFi6eESouEO46KFsC7/mX:OIW2I6wumdFj9dRe9dEO9K1mX

Entry address:
0x31E850

Entry point:
60, BE, 00, 40, 65, 00, 8D, BE, 00, D0, DA, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
Entropy:
7.8875

Packer / compiler:
UPX 2.90 (LZMA)

Code size:
812 KB (831,488 bytes)

The file 2-12391_pika.exe has been seen being distributed by the following 8 URLs.

http://dlaghktn.tistory.com/.../cfile6.uf@2336B83E5829572B08583D.exe

http://wnrdjeh.tistory.com/.../cfile10.uf@2729334A5821741534EE27.exe

http://cfile7.uf.tistory.com/.../22336A3E582EA1B82F6019

http://vapa9ei14.tistory.com/.../cfile10.uf@22053D475819A39C14C970.exe

http://utilroom.com/.../file_down.php?u=-12329_k.j_130329.exe

http://dkqnwlakfrh.tistory.com/.../cfile28.uf@273FB141581701B00A349A.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static-ip-212-48-90-113.inaddr.ip-pool.com  (212.48.90.113:80)

TCP (HTTP SSL):
Connects to ec2-52-55-195-249.compute-1.amazonaws.com  (52.55.195.249:443)

TCP (HTTP SSL):
Connects to ec2-52-201-97-156.compute-1.amazonaws.com  (52.201.97.156:443)

TCP (HTTP):
Connects to ip184.ip-176-31-18.eu  (176.31.18.184:80)

TCP (HTTP SSL):
Connects to cache.google.com  (59.20.132.29:443)

TCP (HTTP):
Connects to ip144.ip-5-196-108.eu  (5.196.108.144:80)

TCP (HTTP):
Connects to 222-239-78-250.youiwe.co.kr  (222.239.78.250:80)

TCP (HTTP):
Connects to 114-207-112-11.tongkni.co.kr  (114.207.112.11:80)

Remove 2-12391_pika.exe - Powered by Reason Core Security