home

babylon_2.2.4.0_cn.exe

The application babylon_2.2.4.0_cn.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered by a time event. The file has been seen being downloaded from 49883610b2899a565445-f8bbcd60a34d32bcae8d0f1cb50205b0.r36.cf1.rackcdn.com. While running, it connects to the Internet address NY1WV3659 on port 80 using the HTTP protocol.
MD5:
b7c29adb20099549e5a5c746eca12a39

SHA-1:
fdd4df8677a9c5695ab2c4da5a245833fde3796f

SHA-256:
dbb5754c4842541d724dcdfd2520b85b72b987bfb71e4c698ff0f5993f7daac4

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 7:20:13 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Toolbar
16.6.28.11

File size:
856 KB (876,544 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\babylon_2.2.4.0_cn.exe

File PE Metadata
Compilation timestamp:
6/9/2016 1:27:48 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:tD+F45yY1ml30CExDgkL/wd32yNmI2cqoUrdEWnehzTgq:ty28Qml0CExDgkL/wd32yNmIPqoUrdEF

Entry address:
0x60F0

Entry point:
56, EB, 03, 90, 90, 90, 90, 8B, 35, 7C, D0, 44, 00, 6A, 00, FF, D6, 50, E8, 99, FF, FF, FF, 83, C4, 04, 68, 7C, F1, 45, 00, 6A, 00, FF, D6, 50, FF, 15, 78, D0, 44, 00, 5E, 85, C0, 74, 02, FF, E0, 33, C0, C3, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 41, 04, 2B, 8B, 4D, FC, 89, 3E, 89, 4E, 08, 5F, 5E, 8B, E5, 5D, C3, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 56, 8B, F1, 8B, 06, 85, C0, 74, 16, 50, E8, 52, D3, 02, 00, 83, C4, 04, C7, 06, 00, 00, 00, 00, C7, 46, 08, 00, 00, 00, 00, 5E...
 
[+]

Entropy:
7.1382

Code size:
302.5 KB (309,760 bytes)

Scheduled Task
Task name:
Babylon Toolbar Updater

Trigger:
Time


The file babylon_2.2.4.0_cn.exe has been seen being distributed by the following URL.

http://49883610b2899a565445-f8bbcd60a34d32bcae8d0f1cb50205b0.r36.cf1.rackcdn.com/babylon_2.2.4.0_cn.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to NY1WV3659  (204.145.82.27:80)

TCP (HTTP):
Connects to ny1wv3280.xglobe.net  (204.145.82.20:80)

TCP (HTTP):
Connects to a92-122-48-50.deploy.akamaitechnologies.com  (92.122.48.50:80)

TCP (HTTP):
Connects to server-52-85-63-36.lhr50.r.cloudfront.net  (52.85.63.36:80)

TCP (HTTP):
Connects to NY1WV3438  (204.145.82.24:80)

TCP (HTTP):
Connects to ny1wv3283.xglobe.net  (204.145.82.23:80)

TCP (HTTP):
Connects to ec2-54-235-244-28.compute-1.amazonaws.com  (54.235.244.28:80)

TCP (HTTP):
Connects to ec2-54-225-239-132.compute-1.amazonaws.com  (54.225.239.132:80)

TCP (HTTP):
Connects to ec2-54-225-181-9.compute-1.amazonaws.com  (54.225.181.9:80)

TCP (HTTP):
Connects to a92-122-48-51.deploy.akamaitechnologies.com  (92.122.48.51:80)

TCP (HTTP):
Connects to a184-51-148-88.deploy.static.akamaitechnologies.com  (184.51.148.88:80)

TCP (HTTP):
Connects to a184-51-148-112.deploy.static.akamaitechnologies.com  (184.51.148.112:80)

TCP (HTTP):
Connects to NY1WV3561  (204.145.82.26:80)

TCP (HTTP):
Connects to ec2-52-3-215-241.compute-1.amazonaws.com  (52.3.215.241:80)

TCP (HTTP):
Connects to ec2-52-202-52-20.compute-1.amazonaws.com  (52.202.52.20:80)

Remove babylon_2.2.4.0_cn.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.