a2.exe

Windows 7 Loader Extreme Edition v3

The application a2.exe, “Universal Windows Activation Tool” has been detected as a potentially unwanted program by 18 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from docs.google.com and multiple other hosts.
Product:
Windows 7 Loader Extreme Edition v3

Description:
Universal Windows Activation Tool

Version:
3.5.0.3

MD5:
8f9ccbdb647d6a7ff0c693a2700727aa

SHA-1:
5a703b7fd91ade87e63ecfe890e49761d596b1eb

SHA-256:
9df418c9b62ae059279babe614a6649d7a714ef12c06f11f104f33155d7a2b7d

Scanner detections:
18 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 4:14:23 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
HackTool.Keygen
7.1.1

AhnLab V3 Security
Trojan/Win32.ADH
2014.01.05

avast!
Win32:PUP-gen [PUP]
2014.9-131218

AVG
Crack.CO.dropper
2014.0.3621

Bkav FE
W32.Clod5f2.Trojan
1.3.0.4613

Comodo Security
UnclassifiedMalware
17553

ESET NOD32
Win32/HackTool.WinActivator
8.9250

F-Prot
W32/Backdoor2.HMTC
v6.4.7.1.166

IKARUS anti.virus
possible-Threat.HackTool.Windows7
t3scan.2.2.29

K7 AntiVirus
Hacktool
13.175.10735

McAfee
Artemis!8F9CCBDB647D
5600.7277

Norman
Suspicious_Gen2.JAOIE
11.20131218

Reason Heuristics
Unnamed.Threat.28
14.3.1.14

Rising Antivirus
PE:Trojan.Win32.Generic.124A6074!306864244
23.00.65.14102

Sophos
Troj/Keygen-DX
4.96

Trend Micro House Call
HKTL_ACTIVATOR
7.2.4

Trend Micro
HKTL_ACTIVATOR
10.465.18

VIPRE Antivirus
Trojan.Win32.Generic
25084

File size:
26.8 MB (28,135,936 bytes)

Product version:
3.5

Copyright:
napalum

Original file name:
w7lxe.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\2\a2.exe

File PE Metadata
Compilation timestamp:
5/22/2010 5:58:47 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:9IdrOBfemFW48xf3GuhskSsY3erhsmJGg/NgLgbB4m8mcic:bemCfWuCkZC0sepB4m8W

Entry address:
0x2AF388

Entry point:
55, 8B, EC, B9, 06, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 51, 53, 56, 57, B8, 70, 7F, 69, 00, E8, 47, C8, D5, FF, 33, C0, 55, 68, E7, F5, 6A, 00, 64, FF, 30, 64, 89, 20, A1, 40, D0, 6C, 00, 8B, 00, E8, 81, 7E, E2, FF, A1, 40, D0, 6C, 00, 8B, 00, BA, 04, F6, 6A, 00, E8, 8C, 78, E2, FF, 8D, 55, EC, A1, 40, D0, 6C, 00, 8B, 00, E8, 9D, 77, E2, FF, 8B, 55, EC, B8, 30, 66, 75, 00, E8, 1C, 89, D5, FF, 33, C0, 55, 68, 6E, F4, 6A, 00, 64, FF, 30, 64, 89, 20, 8D, 55, E4, A1, 40, D0, 6C, 00, 8B, 00, E8, 8F, 88, E2...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
2.7 MB (2,809,856 bytes)

The file a2.exe has been seen being distributed by the following 14 URLs.

https://docs.google.com/uc?export=download&confirm=NwbN&id=0B3Xj4zp1Swh-cEJxUTZQRmpuVXc

https://download.poczta.onet.pl/10387670/.../Windows 7 Loader eXtreme Edition v3 3.503.exe

http://n0dupdate.no-ip.org:8888/Files/Microsoft Windows OEM ISO/.../????????? Windows 7.exe

https://docs.google.com/uc?export=download&confirm=3Lmv&id=0B-0NyAn84CbFbFpQLUVtajh0LUk

https://mega.co.nz/temporary/.../dsYn1BxR

http://dc372.4shared.com/download/.../w7lxe.exe

http://dc198.4shared.com/download/.../w7lxe.exe

http://178.173.19.2:1987/.../Windows 7 Loader (version 3.503).exe

ftp://88.199.134.217/D:/.../w7lxe.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to etg-01-008.etg.ras.cantv.net  (200.44.26.8:80)

TCP (HTTP):
Connects to etg-01-011.etg.ras.cantv.net  (200.44.26.11:80)

TCP (HTTP):
Connects to a72-246-97-43.deploy.akamaitechnologies.com  (72.246.97.43:80)

TCP (HTTP):

TCP (HTTP):
Connects to host-213.158.175.74.tedata.net  (213.158.175.74:80)

TCP (HTTP):
Connects to a72-246-97-34.deploy.akamaitechnologies.com  (72.246.97.34:80)

TCP (HTTP):
Connects to a23-77-193-139.deploy.static.akamaitechnologies.com  (23.77.193.139:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to a104-86-248-215.deploy.static.akamaitechnologies.com  (104.86.248.215:80)

TCP (HTTP):
Connects to a104-81-105-105.deploy.static.akamaitechnologies.com  (104.81.105.105:80)

TCP (HTTP):
Connects to 201-0-217-32.dial-up.telesp.net.br  (201.0.217.32:80)

TCP (HTTP):
Connects to 178.18.231.97.ua.dataix.ru  (178.18.231.97:80)

TCP (HTTP):
Connects to www.turktelekom.com.tr  (195.175.112.184:80)

TCP (HTTP):
Connects to subs14-223-255-230-144.three.co.id  (223.255.230.144:80)

TCP (HTTP):
Connects to static.ill.117.239.91.48/24.bsnl.in  (117.239.91.48:80)

TCP (HTTP):
Connects to ic-dinamica-200-114-43-96.intercable.net.co  (200.114.43.96:80)

TCP (HTTP):
Connects to host-static-212-0-219-17.moldtelecom.md  (212.0.219.17:80)

TCP (HTTP):
Connects to host-213.158.175.72.tedata.net  (213.158.175.72:80)

TCP (HTTP):
Connects to host-213.158.175.66.tedata.net  (213.158.175.66:80)

Remove a2.exe - Powered by Reason Core Security