3ancyc5zb.exe

Ding Ruan

The application 3ancyc5zb.exe by Ding Ruan has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from dgkytklfjrqkb.cloudfront.net. While running, it connects to the Internet address server-52-84-230-116.sfo9.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Ding Ruan  (signed and verified)

MD5:
d5314a48a10dc443f3dd20ea635a8360

SHA-1:
c3276106a6a938cc1b2cc75ef1274379f6b0bd85

SHA-256:
91af9360f7ba8e2166fea4b81ba7409112be2df322256a9772593adc1de36f6d

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 11:53:46 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ELEX (M)
17.2.13.4

File size:
406.1 KB (415,896 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\3ancyc5zb.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/23/2017 10:00:00 PM

Valid to:
4/13/2017 8:59:59 PM

Subject:
CN=Ding Ruan, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
026BAC258E12D9F49DFF90E11ADB2D06

File PE Metadata
Compilation timestamp:
2/9/2017 8:17:57 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x61B2

Entry point:
E8, 76, C7, FF, FF, E9, BA, 67, 00, 00, 55, 8B, EC, 56, 57, 8B, 7D, 08, 8B, F1, 3B, F7, 74, 1D, E8, A7, 13, 00, 00, 80, 7F, 08, 00, 74, 0C, FF, 77, 04, 8B, CE, E8, C8, B3, FF, FF, EB, 06, 8B, 47, 04, 89, 46, 04, 5F, 8B, C6, 5E, 5D, C2, 04, 00, 6A, 64, 68, 78, 25, 46, 00, E8, 35, 69, 00, 00, 6A, 0B, E8, F1, FB, FF, FF, 59, 33, DB, 89, 5D, FC, 6A, 40, 6A, 20, 5F, 57, E8, 5E, 1A, 00, 00, 59, 59, 8B, C8, 89, 4D, DC, 85, C9, 75, 1B, 6A, FE, 8D, 45, F0, 50, 68, 00, 40, 46, 00, E8, D2, 76, 00, 00, 83, C4, 0C, 83...
 
[+]

Code size:
364.5 KB (373,248 bytes)

The file 3ancyc5zb.exe has been seen being distributed by the following URL.

http://dgkytklfjrqkb.cloudfront.net/.../yomz.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-55-183.jfk6.r.cloudfront.net  (54.192.55.183:80)

TCP (HTTP):
Connects to server-54-230-216-73.mrs50.r.cloudfront.net  (54.230.216.73:80)

TCP (HTTP):
Connects to server-54-230-187-250.cdg51.r.cloudfront.net  (54.230.187.250:80)

TCP (HTTP):
Connects to server-52-85-83-96.lax1.r.cloudfront.net  (52.85.83.96:80)

TCP (HTTP):
Connects to server-52-84-230-31.sfo9.r.cloudfront.net  (52.84.230.31:80)

TCP (HTTP):
Connects to server-54-192-55-242.jfk6.r.cloudfront.net  (54.192.55.242:80)

TCP (HTTP):
Connects to server-54-230-216-245.mrs50.r.cloudfront.net  (54.230.216.245:80)

TCP (HTTP):
Connects to server-54-230-187-164.cdg51.r.cloudfront.net  (54.230.187.164:80)

TCP (HTTP):
Connects to server-54-230-187-16.cdg51.r.cloudfront.net  (54.230.187.16:80)

TCP (HTTP):
Connects to server-52-85-83-7.lax1.r.cloudfront.net  (52.85.83.7:80)

TCP (HTTP):
Connects to server-52-85-83-191.lax1.r.cloudfront.net  (52.85.83.191:80)

TCP (HTTP):
Connects to server-52-84-230-116.sfo9.r.cloudfront.net  (52.84.230.116:80)

Remove 3ancyc5zb.exe - Powered by Reason Core Security