228736-670560-skymonk.exe

Skymonk Solutions Limited

The application 228736-670560-skymonk.exe by Skymonk Solutions Limited has been detected as adware by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from letitbit.net and multiple other hosts. While running, it connects to the Internet address 80-92-65-214.ip.dclux.com on port 80 using the HTTP protocol.
Publisher:
Skymonk Solutions Limited  (signed and verified)

MD5:
8e4a05d37e11e514ebde1128d1982e9b

SHA-1:
0713a666726ac65e08a34123d67f51a95c123a9b

SHA-256:
ef524f5b5dc55bfdcecb8dbf00dfe16aaa07e5ef053cca4bc6629051353faad7

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
11/27/2024 2:47:21 PM UTC

Scan engine        Detection                      Engine version
Dr.Web             Tool.Skymonk.14                9.0.1.02
ESET NOD32         Win32/Skymonk                  8.9029
Reason Heuristics  PUP.SkymonkSolutionsLimited.V  14.5.19.1

File size:
100 KB (102,368 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\228736-670560-skymonk.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/9/2012 1:00:00 AM

Valid to:
4/10/2015 12:59:59 AM

Subject:
CN=Skymonk Solutions Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Skymonk Solutions Limited, L=Tortola, S=Tortola, C=VG

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
632A5F301191DF03C4933D982BAD525F

File PE Metadata
Compilation timestamp:
2/24/2012 7:22:01 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:6tKr1f0hzRjeWsH5b2S8+sLbS1ydrYr+wnM:QEG71cb2V+sLp6nM

Entry address:
0x36DA

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 1C, C7, 44, 24, 10, C0, 8A, 40, 00, 89, 5C, 24, 18, C6, 44, 24, 14, 20, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, AC, 80, 40, 00, 53, FF, 15, A4, 82, 40, 00, 6A, 08, A3, 18, 36, 45, 00, E8, FD, 28, 00, 00, 53, 68, 60, 01, 00, 00, A3, 28, 35, 45, 00, 8D, 44, 24, 3C, 50, 53, 68, BF, 8A, 40, 00, FF, 15, 70, 81, 40, 00, 68, B4, 8A, 40, 00, 68, 20, F5, 44, 00, E8, 27, 26, 00, 00, FF, 15, A8, 80, 40, 00, 50, BF, 50, C0, 47, 00, 57, E8, 15, 26...

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file 228736-670560-skymonk.exe has been seen being distributed by the following 4 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 80-92-65-214.ip.dclux.com  (80.92.65.214:80)

Remove 228736-670560-skymonk.exe - Powered by Reason Core Security