BearShare.exe

BearShare (Lite)

Free Peers, Inc.

The executable BearShare.exe has been detected as malware by 3 anti-virus scanners. This is a setup program which is used to install the application. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘BearShare’. The file has been seen being downloaded from s10093.chomikuj.pl. While running, it connects to the Internet address p5483D9F4.dip0.t-ipconnect.de on port 6346.
Publisher:
Free Peers, Inc.

Product:
BearShare (Lite)

Description:
BearShare

Version:
5.2.5.1

MD5:
a91d222a5c426ff90532f1bde53e4e55

SHA-1:
16339c700aac96a4f5d0156f44593f33570cb9e5

SHA-256:
b1fe863500f1f662e3fffeeed38d4520c5190a0cd136977a365e3c1689777630

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
12/24/2024 7:18:04 PM UTC  (today)

Scan engine
Detection
Engine version

Clam AntiVirus
PUA.Packed.Armadillo
0.98/18011

Reason Heuristics
Unnamed.Threat.11
14.3.8.3

Rising Antivirus
Suspicious
23.00.65.14130

File size:
3.2 MB (3,305,472 bytes)

Product version:
5.2.5

Copyright:
Copyright © 2003 Free Peers, Inc. All Rights Reserved Worldwide.

Original file name:
BearShare.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\bearshare\bearshare.exe

File PE Metadata
Compilation timestamp:
7/26/2006 10:45:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
83.82

CTPH (ssdeep):
49152:nfsqVP0pCVp3TToVflMjr51sCLkANoEojGI1qB5RGHQOuQevrWfXx:fsqupCvD2mjt1sCQAVojGhB5RseqfXx

Entry address:
0x523000

Entry point:
60, E8, 00, 00, 00, 00, 5D, 50, 51, 0F, CA, F7, D2, 9C, F7, D2, 0F, CA, EB, 0F, B9, EB, 0F, B8, EB, 07, B9, EB, 0F, 90, EB, 08, FD, EB, 0B, F2, EB, F5, EB, F6, F2, EB, 08, FD, EB, E9, F3, EB, E4, FC, E9, 9D, 0F, C9, 8B, CA, F7, D1, 59, 58, 50, 51, 0F, CA, F7, D2, 9C, F7, D2, 0F, CA, EB, 0F, B9, EB, 0F, B8, EB, 07, B9, EB, 0F, 90, EB, 08, FD, EB, 0B, F2, EB, F5, EB, F6, F2, EB, 08, FD, EB, E9, F3, EB, E4, FC, E9, 9D, 0F, C9, 8B, CA, F7, D1, 59, 58, 50, 51, 0F, CA, F7, D2, 9C, F7, D2, 0F, CA, EB, 0F, B9, EB...
 
[+]

Entropy:
7.8782

Packer / compiler:
ASPack v1.08.04

Code size:
320 KB (327,680 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
BearShare

Command:
"C:\Program Files\bearshare\bearshare.exe" \pause


The file BearShare.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 94.31.0.55.IPYX-076665-ZYO.above.net  (94.31.0.55:80)

TCP:
Connects to p54A25BFD.dip0.t-ipconnect.de  (84.162.91.253:6346)

TCP:
Connects to s529d9a59.adsl.online.nl  (82.157.154.89:6346)

TCP (HTTP):
Connects to host-213-14-227-50.reverse.superonline.net  (213.14.227.50:80)

TCP:
Connects to bba149866.alshamil.net.ae  (217.165.17.6:6346)

TCP:
Connects to ACCB167C.ipt.aol.com  (172.203.22.124:6346)

TCP:
Connects to a83-132-249-118.cpe.netcabo.pt  (83.132.249.118:6348)

TCP:
Connects to xplr-69-168-146-196.xplornet.com  (69.168.146.196:6348)

TCP:
Connects to user-24-214-166-251.knology.net  (24.214.166.251:6348)

TCP:
Connects to static-209-159-226-96.bhfc.net  (209.159.226.96:6348)

TCP:
Connects to p54AD55A2.dip0.t-ipconnect.de  (84.173.85.162:6348)

TCP:
Connects to p5483D9F4.dip0.t-ipconnect.de  (84.131.217.244:6346)

TCP:
Connects to host-70-34-134-223.host.ussignalcom.net  (70.34.134.223:6348)

TCP:
Connects to host124-241-static.40-85-b.business.telecomitalia.it  (85.40.241.124:6346)

TCP:

TCP:
Connects to h64-141-28-120.bigpipeinc.com  (64.141.28.120:6348)

TCP:
Connects to dyn-216-168-126-86.nexicom.net  (216.168.126.86:6346)

TCP:
Connects to dhcp-064-247-106-146.wg1.ohiou.edu  (64.247.106.146:6346)

TCP:
Connects to d53-64-223-128.nap.wideopenwest.com  (64.53.128.223:6346)

TCP:
Connects to cable-85.28.64.40.coditel.net  (85.28.64.40:6348)

Remove BearShare.exe - Powered by Reason Core Security