6d421ebb36337e4959c20d170cabc109.exe

The application 6d421ebb36337e4959c20d170cabc109.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This executable runs as a local area network (LAN) Internet proxy server listening on port 53386 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address poppy.shishnet.org on port 80 using the HTTP protocol.
Version:
2.40.2.56

MD5:
d79cfef1d01553f3d54f2d87fb751d92

SHA-1:
52c5897606911a02d78cf875aaf90cf447d844ec

SHA-256:
7f0aabbfb427fb04876cb7eccd91c483f2742419603f33f02f051fd24d856a55

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 5:48:29 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Wajam.Meta (M)
16.2.3.15

File size:
493.5 KB (505,344 bytes)

Product version:
2.40.2.56

Original file name:
XVF189.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\wanetworkenhancer\wanetworkenhancer internet enhancer\6d421ebb36337e4959c20d170cabc109.exe

File PE Metadata
Compilation timestamp:
1/27/2016 4:15:19 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:KiOFtGfYXzIyxdjG0a3XmxU4F3qKrgPRXpP5wiHDybRs:9OjhjUftH/

Entry address:
0x7CA5E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
4.7960

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
491 KB (502,784 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:53386/

Local host port:
53386

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to edge-star-shv-01-eze1.facebook.com  (31.13.94.19:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-eze1.facebook.com  (31.13.94.35:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-eze1.fbcdn.net  (31.13.94.24:443)

TCP (HTTP):
Connects to 52-125-232-198.static.unitasglobal.net  (198.232.125.52:80)

TCP (HTTP):
Connects to poppy.shishnet.org  (83.149.126.30:80)

TCP (HTTP):
Connects to lotus.shishnet.org  (95.211.138.19:80)

TCP (HTTP):
Connects to clover.shishnet.org  (5.79.87.150:80)

TCP (HTTP):
Connects to heather.shishnet.org  (185.17.184.196:80)

TCP (HTTP):
Connects to tulip.shishnet.org  (83.149.126.35:80)

TCP (HTTP):
Connects to holly.shishnet.org  (95.211.149.208:80)

TCP (HTTP):
Connects to i1-h0-s1001.p0-mia.cdngp.net  (174.35.37.6:80)

TCP (HTTP SSL):
Connects to edge-z-m-mini-shv-01-eze1.facebook.com  (31.13.94.36:443)

TCP (HTTP):
Connects to zeus.biloud.com  (86.105.231.130:80)

TCP (HTTP):
Connects to t2.ycpi.vip.bra.yahoo.com  (200.152.162.171:80)

TCP (HTTP):
Connects to server-54-192-192-136.iad53.r.cloudfront.net  (54.192.192.136:80)

TCP (HTTP):
Connects to server-54-192-192-117.iad53.r.cloudfront.net  (54.192.192.117:80)

TCP (HTTP):
Connects to server-52-84-179-62.gru50.r.cloudfront.net  (52.84.179.62:80)

TCP (HTTP SSL):
Connects to server-52-84-179-170.gru50.r.cloudfront.net  (52.84.179.170:443)

TCP (HTTP SSL):
Connects to s19772378.onlinehome-server.info  (87.106.18.237:443)

TCP (HTTP):
Connects to rule34.xxx  (178.21.23.134:80)

Remove 6d421ebb36337e4959c20d170cabc109.exe - Powered by Reason Core Security