{blocked}.exe

RTK-TERMINAL, LLC

The application {blocked}.exe by RTK-TERMINAL has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address 67.215.238.66.static.quadranet.com on port 80 using the HTTP protocol.
Publisher:
RTK-TERMINAL, LLC  (signed and verified)

MD5:
91b64de77842c023d8ca64b6a7fbd87d

SHA-1:
1c7b472064eacab09863b6cdb05acbe3e0faaa57

SHA-256:
cbd29e722972dfe9e18eba7a0818b1ce22e5bb79ae44fa9c48d9a914270603e5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 8:03:24 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Dropper.OO (M)
17.3.14.22

File size:
1.3 MB (1,319,952 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\canal_canalsat_beinsport.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/14/2017 1:00:00 AM

Valid to:
7/22/2017 1:59:59 AM

Subject:
CN="RTK-TERMINAL, LLC", O="RTK-TERMINAL, LLC", STREET="Rabochaja, 8", L=Belgorod, S=RU, PostalCode=308017, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
59BCFA5B8FBB32BE06B1AC01AF5B4265

File PE Metadata
Compilation timestamp:
3/14/2017 11:08:10 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

Entry address:
0x1242E0

Entry point:
55, 8B, EC, 6A, FF, 68, 28, 81, 52, 00, 68, AC, 4F, 52, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, B0, 80, 52, 00, 33, D2, 8A, D4, 89, 15, 34, C1, 52, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 30, C1, 52, 00, C1, E1, 08, 03, CA, 89, 0D, 2C, C1, 52, 00, C1, E8, 10, A3, 28, C1, 52, 00, 33, F6, 56, E8, 16, 0B, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, B0, 00, 00, 00, 59, 89, 75, FC, E8, E1, 07, 00, 00, FF, 15, AC, 80, 52, 00, A3, 38, C6, 52, 00, E8...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
1.2 MB (1,208,320 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-240-186-6.mad50.r.cloudfront.net  (54.240.186.6:80)

TCP (HTTP):
Connects to ec2-54-154-230-42.eu-west-1.compute.amazonaws.com  (54.154.230.42:80)

TCP (HTTP):
Connects to 67.215.238.66.static.quadranet.com  (67.215.238.66:80)

Remove {blocked}.exe - Powered by Reason Core Security