» c.exe
Overview
Analysis
File Details
Downloads (1)

c.exe

Internet

Web Application

The executable c.exe, “Internet Setup ” has been detected as malware by 11 anti-virus scanners. The program is a setup application that uses the Inno Setup installer, however the file is not signed with an authenticode signature from a trusted source. Infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receives URLs of additional files to download. The file has been seen being downloaded from www.hostsendpackage.com.

File name:

c.exe

Publisher:

Web Application

Product:

Internet

Description:

Internet Setup

MD5:

04d3dccdeed16170a766391467decd13

SHA-1:

ba3e87a553ec86a6e6405ef3dbe969a9b71c11ec

SHA-256:

d6616001c8f3dbca20f7a53a0dff7a6898b5db99bc435694156515453513ce4e

Scanner detections:

11 / 68

Status:

File is infected by a Virus

Explanation:

The file is infected by a polymorphic file infector virus.

Analysis date:

11/5/2024 2:23:14 AM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:SaliCode

160327-1

AVG

Win32/Sality

2015.0.4530

Dr.Web

Win32.Sector.30

9.0.1.05190

Emsisoft Anti-Malware

Win32.Sality

11.5.0.6191

ESET NOD32

Win32/Sality.NBA virus

8.0.319.0

F-Prot

W32/Sality.gen2

4.6.5.141

Kaspersky

Virus.Win32.Sality

15.0.0.562

McAfee

Trojan.Artemis!61F73859E14A

18.0.204.0

Microsoft Security Essentials

Threat.Undefined

1.217.1229.0

Norman

Win32.Sality.3

13.04.2016 10:11:06

VIPRE Antivirus

Threat.4721115

48238

File size:

1 MB (1,052,560 bytes)

Product version:

5.4.7

Program web

File type:

Executable application (Win32 EXE)

Installer:

Inno Setup

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\c.exe

File PE Metadata

Compilation timestamp:

6/20/1992 3:52:17 AM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:IHl6kT1+JinXu+fy6jFXsxRbvUyRzkDeQI+AMuuJVnsWbY:IFB+JWrjFIU+oDi+AwzbY

Entry address:

0x9C40

Entry point:

72, 03, 87, D2, F2, 68, FE, 6E, 91, 00, 50, 69, DD, 48, 54, A8, 5C, 88, EB, 80, D8, A8, 81, EA, 41, 89, CA, 5D, BF, 12, 04, 9A, 40, 84, FD, FE, C1, F7, C7, 4F, 2E, F8, E6, 3B, F0, C6, C7, B9, 04, 06, 4E, 0F, B7, C2, FE, CE, 86, FA, 74, 0C, 8D, 35, BC, DD, 1C, ED, F7, C2, F4, 14, BA, 12, E8, 00, 00, 00, 00, 8A, D5, 02, F5, 81, FD, 03, ED, DF, 10, 81, E3, 38, C1, E8, 69, F6, C4, 72, B1, BD, 4A, 42, 81, F7, 45, 32, 00, 00, 8D, 1D, 86, CF, E1, 5F, 5D, F2, 8D, 35, 5B, 9F, B4, B6, 84, D0, 80, ED, C1, 0F, AF, CE... 
[+]

Entropy:

7.9376 (probably packed)

Code size:

37 KB (37,888 bytes)

The file c.exe has been seen being distributed by the following URL.

http://www.hostsendpackage.com/.../2U0Jlql8jB6OA6QhOwkVC51bEUk5y7b3zCiILtKbnkwAX5a7CXV6v&downloadAs=Google Chrome.exe

Remove c.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.