480.exe

RapidMediaConverterSetup.exe

Valcan Labs

The application 480.exe by Valcan Labs has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from ogdelivery.com and multiple other hosts. While running, it connects to the Internet address server-52-84-230-58.sfo9.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Valcan Labs  (signed and verified)

Product:
RapidMediaConverterSetup.exe

Version:
1.0.0.29

MD5:
e3e5a8bfc0cc2c5d7a7626115c11ac23

SHA-1:
ea344c79c94b3294312987058758fca2a1c00c2e

SHA-256:
0a2966eb1287f5e931e7bd5dcc421518e565fe5c29df47fa4ba60aaa0f76a658

Scanner detections:
9 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 9:51:35 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Evo-gen [Susp]
2014.9-150824

AVG
Generic
2016.0.3007

Bkav FE
W32.HfsAdware
1.3.0.6979

Dr.Web
Adware.Downware.11240
9.0.1.0236

ESET NOD32
Win32/Verti.O potentially unwanted
9.11939

herdProtect (fuzzy)
2015.8.24.23

Malwarebytes
PUP.Optional.ValcanLabs.A
v2015.08.24.11

Reason Heuristics
PUP.ValcanLabs.Optional (L)
16.12.5.7

VIPRE Antivirus
Blinkx/LeadImpact
42008

File size:
138.4 KB (141,760 bytes)

Product version:
1.0.0.29

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\480.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/7/2014 5:00:00 PM

Valid to:
7/7/2016 4:59:59 PM

Subject:
CN=Valcan Labs, O=Valcan Labs, STREET=44 Primrose Crst, L=Sunderland, S=Tyne and Wear, PostalCode=SR69RJ, C=GB

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F10CF846C9B2AEFF0D4CBB3E10178A72

File PE Metadata
Compilation timestamp:
12/5/2009 2:52:06 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:YuxkZuTXJsCDBNvizuDruT1bRF0tK4J0zg5:YSGCDLiq3uxlF08NG

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 6F, 44, 00, E8, 09, 2C, 00, 00, A3, A4, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 2E, 44, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.3550

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file 480.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-0-164-105.compute-1.amazonaws.com  (52.0.164.105:80)

TCP (HTTP):
Connects to server-52-84-246-253.sfo20.r.cloudfront.net  (52.84.246.253:80)

TCP (HTTP):
Connects to server-52-84-230-58.sfo9.r.cloudfront.net  (52.84.230.58:80)

TCP (HTTP):
Connects to server-52-84-132-44.atl52.r.cloudfront.net  (52.84.132.44:80)

TCP (HTTP):
Connects to ec2-52-1-175-151.compute-1.amazonaws.com  (52.1.175.151:80)

Remove 480.exe - Powered by Reason Core Security