home

a820159_4

Игровой центр@Mail.Ru

LLC Mail.Ru

The file a820159_4 has been detected as malware by 1 anti-virus scanner. While running, it connects to the Internet address dynamicip-176-215-34-206.pppoe.ekat.ertelecom.ru on port 6881.
Publisher:
LLC Mail.Ru  (signed and verified)

Product:
Игровой центр@Mail.Ru

Version:
2.0.0.323

MD5:
d0cc1720249e0d8c9285c895ebd10f21

SHA-1:
d1741e45be34320af862941e7772b74c087a69cc

SHA-256:
7dbaeed6d91b4a6c5edc4fd7a8f39702c5f9657e624dfbc2828b1d73c378df0a

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/27/2024 3:49:26 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Win32.Generic.MailRu.Meta
15.11.24.22

File size:
4 MB (4,221,976 bytes)

Product version:
2.0.0.323

Copyright:
Copyright (C) 2013 LLC Mail.Ru

Original file name:
Игровой центр@Mail.Ru.exe

Common path:
C:\users\{user}\appdata\local\temp\a820159_4

Digital Signature
Signed by:
LLC Mail.Ru

Authority:
Thawte, Inc.

Valid from:
12/9/2011 7:00:00 AM

Valid to:
2/7/2014 6:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1C09DBBC732D4B58F7A88EBACF323417

File PE Metadata
Compilation timestamp:
9/10/2013 2:48:27 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:3sgN4SKqeq7G4elrLeHS94xa+lDTmdfkxiTc7p0drR:3sxcY4elrLeHSmLUfkwTc7pW

Entry address:
0x1BB670

Entry point:
55, 8B, EC, 83, C4, F0, B8, 74, C9, 5A, 00, E8, B0, EB, E4, FF, A1, 84, 0A, 5C, 00, 80, 38, 00, A1, E0, 08, 5C, 00, 0F, 95, 00, E8, EB, 64, FC, FF, E8, 46, AC, E4, FF, 8B, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
1.7 MB (1,810,432 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to USER-PC  (2.95.155.103:6881)

TCP:
Connects to user-22.81.118.217.in-addr.arpa  (217.118.81.22:59175)

TCP:
Connects to user-203.81.118.217.in-addr.arpa  (217.118.81.203:16610)

TCP:
Connects to ucomline.net  (93.178.219.132:51345)

TCP:
Connects to shpd-92-101-187-81.vologda.ru  (92.101.187.81:6881)

TCP:
Connects to pppoe-dyn-85-113-214-195.kosnet.ru  (85.113.214.195:6866)

TCP:
Connects to pppoe-client.243.102.218.91.kvartal-net.ru  (91.218.102.243:6882)

TCP:
Connects to ppp91-77-51-187.pppoe.mtu-net.ru  (91.77.51.187:6881)

TCP:
Connects to ppp85-140-1-249.pppoe.mtu-net.ru  (85.140.1.249:30543)

TCP:
Connects to ppp79-139-247-174.pppoe.spdop.ru  (79.139.247.174:6881)

TCP:
Connects to ppp17-120.tis-dialog.ru  (213.149.17.120:6881)

TCP:
Connects to ppp109-252-73-21.pppoe.spdop.ru  (109.252.73.21:12638)

TCP:
Connects to node-139-225-139-95.domolink.tula.net  (95.139.225.139:6881)

TCP:
Connects to netcluster.quantumart.ru  (213.87.136.16:36857)

TCP:
Connects to nat-98-0.nsk.sibset.net  (5.44.169.133:6881)

TCP:
Connects to ip-188-113-134-254.z6.ysk.scts.tv  (188.113.134.254:6881)

TCP:
Connects to ip-122-1.users.unetcom.ru  (91.215.122.1:6881)

TCP:
Connects to host-2-60-19-95.pppoe.omsknet.ru  (2.60.19.95:28847)

TCP:
Connects to host-2-60-147-87.pppoe.omsknet.ru  (2.60.147.87:6881)

TCP:
Connects to host-2-60-147-253.pppoe.omsknet.ru  (2.60.147.253:6881)

Remove a820159_4 - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.