» AutoUpdate.exe
Overview
Analysis
File Details
Network (9)

AutoUpdate.exe

FSOnline AutoUpdate Application

VNG Corporation

The executable AutoUpdate.exe, “FS3Online AutoUpdate 20150515 Build 1.4” has been detected as malware by 3 anti-virus scanners. While running, it connects to the Internet address 125.235.4.59.adsl.viettel.vn on port 80 using the HTTP protocol.

File name:

AutoUpdate.exe

Publisher:

VNG Corporation (signed and verified)

Product:

FSOnline AutoUpdate Application

Description:

FS3Online AutoUpdate 20150515 Build 1.4

Version:

1, 0, 0, 4

MD5:

85870ecde80064ede1414a94a46cc83d

SHA-1:

34b3d09dd0ac550872ee38a873a192ed745d7b40

SHA-256:

e3ecbb9c9c0d73f0a11bbf41675866fbc49409f86f6299f9a5cc059558c11763

Scanner detections:

3 / 68

Status:

Malware

Analysis date:

11/15/2024 10:51:03 PM UTC (today)

Scan engine

Detection

Engine version

Bkav FE

HW32.Packed

1.3.0.6979

ESET NOD32

Win32/RiskWare.StartPage.I application

6.3.12010.0

Kaspersky

Trojan.Win32.StartPage

15.0.2.529

File size:

2 MB (2,081,576 bytes)

Product version:

1, 0, 0, 4

Original file name:

AutoUpdate.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\vng\phongthan3\autoupdate.exe

Digital Signature

Signed by:

VNG Corporation

Authority:

VeriSign, Inc.

Valid from:

8/13/2012 7:00:00 AM

Valid to:

8/14/2015 6:59:59 AM

Subject:

CN=VNG Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=VNG Corporation, L=Ho Chi Minh, S=Vietnam, C=VN

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

1E2E72EFA5CC0D5289DFF53DA87A35EB

File PE Metadata

Compilation timestamp:

6/15/2015 5:44:56 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

49152:+EkVLx/Cu+g8IN70hxhLVxyYIs5uoWzOalF8NoclqR3ioyr:+fVdCu+ri70hXhxyYIMuZZL8iccyr

Entry address:

0x2542A6

Entry point:

56, 9C, C7, 44, 24, 04, FF, 64, 3C, BA, 68, 82, 77, E6, 96, C7, 44, 24, 04, ED, 54, 66, 15, 88, 04, 24, C6, 04, 24, 7F, 68, C1, D0, 10, 32, 8D, 64, 24, 08, E9, C6, 14, 1F, 00, F8, 30, C0, E9, F1, D7, 1E, 00, 58, BA, E3, C2, 90, 6E, 65, DD, F9, 31, 5D, F4, 11, 1A, 43, 78, 00, B7, 40, 50, 02, 91, E8, CE, 65, 98, CC, D9, C4, 42, 47, 82, A6, 95, 49, 33, DF, B5, DB, 8E, 7D, 13, 38, FC, 0A, AF, FC, 20, 8D, 3B, 90, DF, D6, 31, 09, 48, 2B, 1C, C4, 22, F5, 7E, 7C, C9, 0A, BC, F8, C1, 4C, 78, 01, 7E, 13, D8, CA, DC... 
[+]

Entropy:

7.9978 (probably packed)

Code size:

4.3 MB (4,486,144 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ptr.vng.vn (49.213.68.34:80)

TCP (HTTP):

Connects to zing.vn (118.102.1.140:80)

TCP (HTTP):

Connects to static.vdc.com.vn (113.164.15.36:80)

TCP (HTTP):

Connects to static.vnpt.vn (113.164.241.180:80)

TCP (HTTP):

Connects to static.vnpt-hanoi.com.vn (123.25.27.34:80)

TCP (HTTP):

Connects to 125.235.4.59.adsl.viettel.vn (125.235.4.59:80)

TCP (HTTP):

Connects to server-52-84-246-40.sfo20.r.cloudfront.net (52.84.246.40:80)

Remove AutoUpdate.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.