31861e.exe

The executable 31861e.exe has been detected as malware by 9 of 68 anti-virus scanners. Four of the nine engines name it as Sality, a polymorphic file infector, so the hashes below identify only this one infected copy; other executables infected on the same host will hash differently. It is set to execute automatically whenever any user logs into Windows, through the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name ‘31861E’. While running, it connects over HTTP (TCP port 80) to hostingpool001.isp.belgacom.be and to the other hosts listed below.
MD5:
e04b80e49de41d9e9e24a64ed82f256e

SHA-1:
f7dd8d7bbade3539d69ec7d75261404d293de029

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
11/14/2024 9:40:57 PM UTC

Scan engine                    Detection               Engine version
avast!                         Win32:Kukacka           160216-0
AVG                            Win32/Tanatos.M         2015.0.4530
Dr.Web                         Win32.Sector.11         9.0.1.05190
Emsisoft Anti-Malware          Win32.Sality.OG         11.5.0.6191
ESET NOD32                     Win32/Sality.NAT virus  8.0.319.0
F-Prot                         W32/FlyStudio.A.gen     4.6.5.141
F-Secure                       Win32.Sality.OG         5.15.21
Kaspersky                      Virus.Win32.Sality      15.0.0.562
Microsoft Security Essentials  Threat.Undefined        1.213.7751.0

File size:
1.4 MB (1,482,461 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Windows\System32\120215\31861e.exe

File PE Metadata
Compilation timestamp:
12/25/1972 2:33:23 AM UTC (not credible: the PE format did not exist before 1993, so the header's TimeDateStamp field has been overwritten or forged and cannot be used to date the build)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
4.0

CTPH (ssdeep):
24576:2/vKvl34WTxmapMnlPNCNnKSpadCzgzpT7AW+9F8j53Ovd6v:2/v23pmapglPNSnKSxczpT7AXAlOvgv

Entry address:
0x61FD

First 128 bytes of the file (the source page labels these "Entry point", but they are the DOS MZ header and 16-bit stub at file offset 0, not the code at the entry address 0x61FD; the dword at offset 0x3C, D8 00 00 00, is e_lfanew, so the PE header begins at file offset 0xD8):
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D8, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...

Code size:
24 KB (24,576 bytes)
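The following is an added example, not code from the source page or from Reason Core Security. It reconstructs the 128 bytes listed above, parses the DOS header to show that they are the file's first bytes (with e_lfanew = 0xD8) rather than the code at the entry address, and applies a plausibility check to the listed compilation timestamp. The hash helpers compare a file on disk against the MD5/SHA-1 above. Python, the function names and the 1993 cut-off for a believable PE timestamp are this example's own choices.

```python
"""Triage helpers for the PE metadata listed on this page (added example)."""
import hashlib
import struct
from datetime import datetime, timezone

# The 128 bytes the page lists as "Entry point", reconstructed from that
# listing. They are the file's first bytes (offset 0), not entry-point code.
LISTED_BYTES = (
    bytes.fromhex("4D5A9000" "03000000" "04000000" "FFFF0000"
                  "B8000000" "00000000" "40000000")   # e_magic .. e_lfarlc
    + b"\x00" * 32                                     # e_ovno .. e_res2
    + bytes.fromhex("D8000000")                        # e_lfanew = 0xD8
    + bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")    # 16-bit DOS stub code
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x00" * 7
)
assert len(LISTED_BYTES) == 128

# Values copied from the page.
PAGE_MD5 = "e04b80e49de41d9e9e24a64ed82f256e"
PAGE_SHA1 = "f7dd8d7bbade3539d69ec7d75261404d293de029"
PAGE_TIMESTAMP = datetime(1972, 12, 25, 2, 33, 23, tzinfo=timezone.utc)
PAGE_ANALYSIS = datetime(2024, 11, 14, 21, 40, 57, tzinfo=timezone.utc)


def parse_dos_header(data: bytes) -> dict:
    """Return the IMAGE_DOS_HEADER fields that matter for triage, or raise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    e_lfarlc, = struct.unpack_from("<H", data, 0x18)  # relocation table offset
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)  # file offset of 'PE\0\0'
    return {"e_lfarlc": e_lfarlc, "e_lfanew": e_lfanew}


def describe_listed_bytes(data: bytes) -> str:
    """Say what a byte dump is: DOS header (plus stub), or something else."""
    try:
        hdr = parse_dos_header(data)
    except ValueError:
        return "not a DOS header; may be code or data"
    has_stub_msg = b"This program cannot be run in DOS mode." in data
    where = "DOS header" + (" and stub" if has_stub_msg else "")
    return (f"{where} at file offset 0; PE signature expected at file offset "
            f"0x{hdr['e_lfanew']:X}; the entry point is a separate RVA and is "
            f"not in these bytes")


def timestamp_verdict(ts: datetime, analysed_at: datetime) -> str:
    """Classify a PE TimeDateStamp. PE/COFF appeared with Windows NT 3.1 (1993)."""
    if int(ts.timestamp()) == 0:
        return "zeroed"
    if ts < datetime(1993, 1, 1, tzinfo=timezone.utc):
        return "predates PE format: forged or overwritten"
    if ts > analysed_at:
        return "in the future: forged"
    return "plausible"


def hash_file(path: str) -> dict:
    """MD5 and SHA-1 of a file on disk, for comparison with the page's IOCs."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def matches_page_iocs(hashes: dict) -> bool:
    """True if either digest equals the hash the page reports for 31861e.exe."""
    return hashes.get("md5") == PAGE_MD5 or hashes.get("sha1") == PAGE_SHA1


if __name__ == "__main__":
    print(describe_listed_bytes(LISTED_BYTES))
    print("TimeDateStamp 0x%08X:" % int(PAGE_TIMESTAMP.timestamp()),
          timestamp_verdict(PAGE_TIMESTAMP, PAGE_ANALYSIS))
```

To check a suspect file, call hash_file on its path and pass the result to matches_page_iocs; because Sality rewrites each host file it infects, a non-match does not clear the file, only this particular copy.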

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
31861E

Command:
C:\Windows\System32\120215\31861e.exe


The executing file has been seen to make the following network communications in live environments. The host names are reverse-DNS labels for the IP addresses, and several of them belong to shared-hosting or DDoS-mitigation front ends (shr.prod.phx3.secureserver.net, prolexic.com), so treat the IP:port pairs as the indicators and expect them to be shared with legitimate sites.

TCP (HTTP):
Connects to p3nlhg14c037.shr.prod.phx3.secureserver.net  (97.74.182.1:80)

TCP (HTTP):
Connects to hostingpool001.isp.belgacom.be  (195.238.0.64:80)

TCP (HTTP):
Connects to debian.strace.net  (195.49.200.163:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.120:80)

Remove 31861e.exe - Powered by Reason Core Security