b1491282514de8f5858751db761c64a3.exe

The application b1491282514de8f5858751db761c64a3.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This executable runs as a local area network (LAN) Internet proxy server listening on port 1573 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Version:
2.40.2.42

MD5:
23f2ba2c00ada6ec922720db7dee7b88

SHA-1:
52221593a97796252fa20087c9425ba7868bad32

SHA-256:
63f8dc965195d728497d40ed020677936f1145785f03b2587ed49d08cad0781b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 2:59:44 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Wajam.Meta (M)

Engine version:
16.1.19.19

File size:
492.5 KB (504,320 bytes)

Product version:
2.40.2.42

Original file name:
2Y1KGR.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\wanetworkenhancer\wanetworkenhancer internet enhancer\b1491282514de8f5858751db761c64a3.exe

File PE Metadata
Compilation timestamp:
1/14/2016 3:16:25 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:7j4PbTiO2o1U9TcJ2XrU7h8TGi/3BhfZriEbYGrDTmfdYybRs:7CPri9gJPGDBnsfU

Entry address:
0x7C77E


Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
490 KB (501,760 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:1573/

Local host port:
1573

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.


Remove b1491282514de8f5858751db761c64a3.exe - Powered by Reason Core Security