770bc6656ddf6c8f26bf2a92e4b368e3.exe

TUnet2015版

清华大学信息化技术中心

It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘{0D5AF2B5-F3AE-4fb4-A7F9-0DC68E21E8B4}’. The file has been seen being downloaded from net.tsinghua.edu.cn.
Publisher:
清华大学信息化技术中心

Product:
TUnet2015版

Version:
1, 0, 13462, 51127

MD5:
ef6aa0c487dbdeae93909d012c5bfa76

SHA-1:
88359f3d6f2de90083081c0e0434cecb2356fd89

SHA-256:
05993c51e0f99b6d8d39421e5a8576a9facda625d7d7c32f0cd2300b52218279

Scanner detections:
1 / 68

Status:
Inconclusive  (not enough data for an accurate detection)

Analysis date:
11/24/2024 6:01:35 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
probably BACKDOOR.Trojan
9.0.1.05190

File size:
1.9 MB (1,955,328 bytes)

Product version:
1, 0, 13462, 51127

Copyright:
Copyright 2009-2014 清华大学信息化技术中心

Original file name:
TUnet2015.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, China)

Common path:
C:\users\{user}\appdata\local\770bc6656ddf6c8f26bf2a92e4b368e3\770bc6656ddf6c8f26bf2a92e4b368e3.exe

File PE Metadata
Compilation timestamp:
6/1/2016 1:02:07 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:9rmcbuCKn/dnpjaENt8okpG/obwP0HIgbCvQ7w:xm/xnFnpmENt8o2GiNd7

Entry address:
0xB66F7

Entry point:
E8, D5, F1, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 30, 53, 33, DB, F6, 45, 10, 80, 56, 8B, F0, 89, 5D, DC, 88, 5D, FE, 89, 5D, F8, C7, 45, D0, 0C, 00, 00, 00, 89, 5D, D4, 74, 09, 89, 5D, D8, C6, 45, FF, 10, EB, 0A, C7, 45, D8, 01, 00, 00, 00, 88, 5D, FF, 8D, 45, DC, 50, E8, 99, F4, 00, 00, 59, 85, C0, 0F, 85, DD, 06, 00, 00, B8, 00, 80, 00, 00, 85, 45, 10, 75, 12, F7, 45, 10, 00, 40, 07, 00, 75, 05, 39, 45, DC, 74, 04, 80, 4D, FF, 80, 8B, 45, 10, 83, E0, 03, 2B, C3, B9, 00, 00, 00, C0, BA...
 
[+]

Entropy:
7.2065

Code size:
834.5 KB (854,528 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
{0D5AF2B5-F3AE-4fb4-A7F9-0DC68E21E8B4}

Command:
"C:\users\{user}\appdata\local\770bc6656ddf6c8f26bf2a92e4b368e3\770bc6656ddf6c8f26bf2a92e4b368e3.exe" startupby sysstart


The file 770bc6656ddf6c8f26bf2a92e4b368e3.exe has been seen being distributed by the following URL.

Scan 770bc6656ddf6c8f26bf2a92e4b368e3.exe - Powered by Reason Core Security