aspentechqtlite.exe

The executable aspentechqtlite.exe has been detected as malware by 5 anti-virus scanners. It runs as a Windows service named “AspenTechQTLite”. This file is typically installed with the program StartIsBack++ by startisback.com. While running, it connects to the Internet address server-52-84-7-45.ord54.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
9507f1f75df7a7c72a6ba3fb70017a4b

SHA-1:
ebd4f1c94005c55271c28fbdfa2c7e309e48277e

SHA-256:
72eda0c712161bd77a77006cecd4019c95006e011a008bdecec627566eef3d36

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
12/23/2024 10:51:32 PM UTC

Scan engine                     Detection                        Engine version
ESET NOD32                      Win32/Agent.YJR trojan           6.3.12010.0
F-Secure                        Variant.Katusha.5                5.15.154
Kaspersky                       Trojan.Win32.Agentb              15.0.2.529
Microsoft Security Essentials   BrowserModifier:Win32/Sasquor    1.233.892.0
Reason Heuristics               Trojan.Katusha (M)               16.10.17.23

File size:
223 KB (228,352 bytes)

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\Program Files\aspentech\aspentechqtlite.exe

File PE Metadata
Compilation timestamp:
10/11/2016 5:10:02 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
3072:4ZpLEYn+U9J3gsiCmKDM6YTOil7Q6HT6gIrFyRulKn35EmKxXSfO:2EbUJ3/mc679lIr98G/VSf

Entry address:
0x11927

Code size:
155 KB (158,720 bytes)

Service
Display name:
AspenTechQTLite

Type:
Win32OwnProcess, InteractiveProcess


The file aspentechqtlite.exe has been discovered within the following program.

StartIsBack++ by startisback.com
About 1% of users remove it

The executing file has been seen to make the following network communications in live environments.
