9d8a.tmp

Mars

Underline research - www.Mars.com

The file 9d8a.tmp, “Influence select syllable combination” has been detected as malware by 9 anti-virus scanners. While running, it connects to the Internet address server.yaway.de on port 25.
Publisher:
Underline research - www.Mars.com

Product:
Mars

Description:
Influence select syllable combination

Version:
3.0.0.2

MD5:
53a826a7b9cbde30e28acb204d03ff2e

SHA-1:
779f4412538a571191ace6277df8ca7c4d33d9ed

SHA-256:
909e6b37d43b8638327382c7bf53b554188abacc711b166025345f58b3e534e2

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
11/27/2024 7:01:45 AM UTC

Scan engine             Detection                         Engine version
Lavasoft Ad-Aware       Gen:Variant.Graftor.165798        796
Avira AntiVirus         TR/ATRAPS.Gen4                    7.11.189.158
Bitdefender             Gen:Variant.Graftor.165798        1.0.20.1675
Emsisoft Anti-Malware   Gen:Variant.Graftor.165798        8.14.12.01.07
ESET NOD32              Win32/Injector.BQKF (variant)     8.10805
G Data                  Gen:Variant.Graftor.165798        14.12.24
Malwarebytes            Trojan.Agent.DED                  v2014.12.01.07
McAfee                  PWSZbot-FAGM!53A826A7B9CB         5600.6930
MicroWorld eScan        Gen:Variant.Graftor.165798        15.0.0.1005

File size:
706 KB (722,944 bytes)

Product version:
5.0

Copyright:
Copyright (C) Mars 2003-2013

Language:
Arabic (Saudi Arabia)

Common path:
C:\users\{user}\appdata\local\temp\9d8a.tmp

File PE Metadata
Compilation timestamp:
12/1/2014 7:20:16 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:D75guTcN9K4KCkQ5ydy9pq0dM/l0q/KiLLAyBfe4coAwBH:JBINEsf0y9pq0dET/KiLMytH/pH

Entry address:
0x174E2

Entry point:
E8, 35, 21, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, 98, F4, 41, 00, E8, 38, 1F, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, 04, 4C, 42, 00, 77, 22, 6A, 04, E8, 20, 23, 00, 00, 59, 83, 65, FC, 00, 56, E8, 27, 2B, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, 44, 1F, 00, 00, C3, 6A, 04, E8, 1B, 22, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, FE, E0, 0F, 87, A1, 00, 00, 00, 53, 57, 8B, 3D, 34, E1, 41, 00, 83, 3D, 2C, 46, 42, 00, 00, 75, 18, E8, 98, 15, 00...

Code size:
115.5 KB (118,272 bytes)

The executing file has been seen to make the following network communications in live environments.

Protocol     Host                                Address
TCP          webserver1.swing-server.de          80.237.209.28:465
TCP (SMTP)   us2.outbound.mailhostbox.com        208.91.199.224:25
TCP (SMTP)   stade4.de                           91.250.103.29:25
TCP          sopfge.de                           216.55.105.78:587
TCP          smtpauth.wanadoo.fr                 193.252.22.86:465
TCP (SMTP)   smtpauth.mhs.ch                     213.188.32.100:25
TCP          smtp.strato.de                      81.169.145.133:465
TCP          smtp.mail.ru                        94.100.180.160:587
TCP (SMTP)   smtp.fr.oleane.com                  194.2.0.81:25
TCP (SMTP)   smtp.1und1.de                       212.227.15.167:25
TCP          smtp.1und1.com                      212.227.15.129:587
TCP          shu.visualnetworks.es               213.149.231.2:587
TCP          sh16-63.1blu.de                     178.254.0.189:587
TCP          sfwd01.sul.t-online.com             194.25.134.110:465
TCP (SMTP)   server12.assali.com                 107.6.173.40:25
TCP          server1.mediahost.sk                82.208.7.138:465
TCP (SMTP)   server-0116.whmpanels.com           89.42.216.152:25
TCP (SMTP)   server-0090.whmpanels.com           89.42.216.241:25
TCP (SMTP)   server.yaway.de                     212.227.89.235:25
TCP (SMTP)   s15257966.onlinehome-server.info    87.106.64.146:25

Remove 9d8a.tmp - Powered by Reason Core Security