9adyyzf8.exe

All Team Incorporated

The file 9adyyzf8.exe by All Team has been detected as a potentially unwanted program by 10 anti-malware scanners. The file has been seen being downloaded from intva31.controlemail.info and multiple other hosts.
Publisher:
All Team Incorporated (signed and verified)

MD5:
de58bcd1a484baf2e72421a1a98cc495

SHA-1:
2ac4f5953804fcb8fcc455bc9af82b5e147cecd8

SHA-256:
2957dc78e0b0ca3ce41ffa7f5ad03a854ffbed046d9efe368548454256c24661

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 12:12:52 PM UTC

Scan engine          Detection                              Engine version
Lavasoft Ad-Aware    Gen:Variant.Application.Razy.73471     217
AhnLab V3 Security   Malware/Gen.Generic.C1472348           3.7.4.14
Arcabit              Trojan.Application.Razy.D11EFF         1.0.0.741
Bitdefender          Gen:Variant.Application.Razy.73471     1.0.20.915
F-Secure             Gen:Variant.Application.Razy           11.2016-01-07_6
G Data               Gen:Variant.Application.Razy.73471     16.7.25
IKARUS anti.virus    PUA.DownloadAdmin                      t3scan.2.1.6.0
MicroWorld eScan     Gen:Variant.Application.Razy.73471     17.0.0.549
Panda Antivirus      Trj/Genetic.gen                        16.07.01.01
Qihoo 360 Security   HEUR/QVM20.1.0000.Malware.Gen          1.0.0.1120

File size:
492.8 KB (504,616 bytes)

Common path:
C:\users\{user}\appdata\local\temp\9adyyzf8.exe.part

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
5/19/2016 5:51:38 PM

Valid to:
5/19/2017 5:51:38 PM

Subject:
CN=All Team Incorporated, O=All Team Incorporated, L=San Francisco, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00A3C7D36051C78896

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
3.0

CTPH (ssdeep):
12288:FBiNSW8yrxC+9QypSGbGQ3juMBcGUxBsKF465X3/Wn7ywA8SP:FUNSWBVC+9tpSGbGQ3juMeGUxBn55/1h

Entry address:
0x3D340

Entry point:
C6, 05, 50, E2, 43, 00, 00, B9, 00, E0, 44, 00, BA, 04, E0, 44, 00, B8, 40, 12, 44, 00, E8, 65, FF, FF, FF, E8, 70, FF, FF, FF, B8, 20, 12, 44, 00, E8, 36, 3B, FD, FF, C3, 00, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Code size:
240.9 KB (246,656 bytes)

The file 9adyyzf8.exe has been seen being distributed by the following 50 URLs.


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-52-6-18-250.compute-1.amazonaws.com  (52.6.18.250:80)

Remove 9adyyzf8.exe - Powered by Reason Core Security