4efece5b5586ee29871717baacdf4c7b.exe

The application 4efece5b5586ee29871717baacdf4c7b.exe has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from d16hr9n7t75k58.cloudfront.net. While running, it connects to the Internet address server-54-230-37-63.jfk1.r.cloudfront.net on port 443.
MD5:
3de3beb44e6bbddb99f1f10574eb37f6

SHA-1:
8a2f8c397036d254d2d9f10b68489742b6d3c328

SHA-256:
663be2df69874b5c9b4e05d2825046a7a7fdc9b6ebd6c2df15ab3dce6ea55f9c

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 1:12:59 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.VOPackage
2015.11.26

Kaspersky
UDS:DangerousObject.Multi.Generic
14.0.0.1063

Malwarebytes
PUP.Optional.VOPackage
v2016.01.03.12

Qihoo 360 Security
HEUR/QVM42.0.Malware.Gen
1.0.0.1077

File size:
52.5 KB (53,804 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\4efece5b5586ee29871717baacdf4c7b.exe

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:4pgpHzb9dZVX9fHMvG0D3XJORDB5nKsoo41ahfQ:ugXdZt9P6D3XJ8Io4sC

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.1564

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file 4efece5b5586ee29871717baacdf4c7b.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-52-254.jfk6.r.cloudfront.net  (54.230.52.254:80)

TCP (HTTP):
Connects to server-54-230-52-168.jfk6.r.cloudfront.net  (54.230.52.168:80)

TCP (HTTP SSL):
Connects to server-54-230-39-12.jfk1.r.cloudfront.net  (54.230.39.12:443)

TCP (HTTP):
Connects to server-54-230-38-59.jfk1.r.cloudfront.net  (54.230.38.59:80)

TCP (HTTP SSL):
Connects to server-54-230-38-36.jfk1.r.cloudfront.net  (54.230.38.36:443)

TCP (HTTP SSL):
Connects to server-54-230-37-63.jfk1.r.cloudfront.net  (54.230.37.63:443)

TCP (HTTP SSL):
Connects to server-54-192-55-26.jfk6.r.cloudfront.net  (54.192.55.26:443)

TCP (HTTP):
Connects to server-54-192-55-17.jfk6.r.cloudfront.net  (54.192.55.17:80)

TCP (HTTP SSL):
Connects to server-54-192-55-164.jfk6.r.cloudfront.net  (54.192.55.164:443)

TCP (HTTP):
Connects to server-54-192-55-160.jfk6.r.cloudfront.net  (54.192.55.160:80)

TCP (HTTP):
Connects to server-205-251-251-236.jfk5.r.cloudfront.net  (205.251.251.236:80)

TCP (HTTP):
Connects to server-205-251-251-230.jfk5.r.cloudfront.net  (205.251.251.230:80)

TCP (HTTP SSL):
Connects to server-205-251-251-174.jfk5.r.cloudfront.net  (205.251.251.174:443)

TCP (HTTP SSL):
Connects to server-205-251-251-167.jfk5.r.cloudfront.net  (205.251.251.167:443)

TCP (HTTP SSL):
Connects to server-205-251-251-142.jfk5.r.cloudfront.net  (205.251.251.142:443)

TCP (HTTP):
Connects to server-205-251-251-122.jfk5.r.cloudfront.net  (205.251.251.122:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):

Remove 4efece5b5586ee29871717baacdf4c7b.exe - Powered by Reason Core Security