382_tlwg.exe

Zen Bros Media

The file 382_tlwg.exe by Zen Bros Media has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from intva31.menutelegraph.info and multiple other hosts.
Publisher:
Zen Bros Media  (signed and verified)

MD5:
27ca58bb514cc6b0fd81dfbbe8686684

SHA-1:
45ec5d482f641e6a655f5dfbf418948b9586426b

SHA-256:
529a226b5b101d5f8cff393580920cb36f3d9cb012f5b3436341c3c48e7672ff

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/2/2024 1:37:03 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.DownloadAdmin.ZenBrosM
16.5.26.14

File size:
471.3 KB (482,576 bytes)

Common path:
C:\users\{user}\appdata\local\temp\382_tlwg.exe.part

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
3/9/2016 3:12:43 AM

Valid to:
3/9/2017 3:12:43 AM

Subject:
CN=Zen Bros Media, O=Zen Bros Media, L=SAN FRANCISCO, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00DA69A0BD854BB554

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
3.0

CTPH (ssdeep):
12288:3ThKd6hIaNYLNcYM4+Q3sMnMbI7cRFUJ/DNF99GIRYe:3VKd62AYJcYM4+Q3sMMbIIRFUJ/DNF97

Entry address:
0x4C6E0

Entry point:
C6, 05, 70, D2, 44, 00, 00, B9, 00, 00, 46, 00, BA, 04, 00, 46, 00, B8, B0, F6, 44, 00, E8, 65, FF, FF, FF, E8, 70, FF, FF, FF, B8, 90, F6, 44, 00, E8, 16, 4B, FC, FF, C3, 00, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.7059

Code size:
301.8 KB (309,024 bytes)

The file 382_tlwg.exe has been seen being distributed by the following 21 URLs.

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45017076&ephemeral=1&filename=adobe_flash_player.exe&cb=1391700107&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

Remove 382_tlwg.exe - Powered by Reason Core Security