cachemgr.exe

The executable cachemgr.exe has been detected as malware by 15 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key, under the display name ‘StubPath’. While running, it connects to the Internet address redirect.www.ibm.com on port 80 using the HTTP protocol.
MD5: 99ba36e14d2781cfbe6ad7f0c84b0f38
SHA-1: 01897d0f1fa6d5ca193f148c71ebd8b0a6bf21dc
SHA-256: 389b358ec2a30d8b08bf9f9cd0faad4fd589654e06532c14c8f1c352a08694f4

Scanner detections: 15 / 68
Status: Malware
Analysis date: 11/15/2024 12:30:42 AM UTC

Scan engine                     Detection                        Engine version
Lavasoft Ad-Aware               Gen:Variant.Zusy.Elzob.5264      5813571
Avira AntiVirus                 TR/Spy.116224.86                 7.11.30.172
avast!                          Win32:AutoRun-DAJ [Trj]          160118-1
Clam AntiVirus                  Worm.Autorun-9877                0.98/21314
Dr.Web                          Win32.HLLW.Autoruner1.889        9.0.1.05190
Emsisoft Anti-Malware           Gen:Variant.Zusy.Elzob.5264      10.0.0.5366
ESET NOD32                      Win32/Agent.NJO worm             7.0.302.0
F-Prot                          W32/Bifrost.AF.gen               4.6.5.141
F-Secure                        Variant.Zusy.Elzob.5264          5.15.21
Kaspersky                       Worm.Win32.AutoRun               15.0.0.562
McAfee                          Virus.W32/Autorun.worm.ht        18.0.204.0
Microsoft Security Essentials   Threat.Undefined                 1.213.4702.0
Norman                          Gen:Variant.Zusy.Elzob.5264      11.01.2016 17:30:26
Sophos                          Virus 'Mal/Behav-043'            5.23
VIPRE Antivirus                 Threat.4657539                   46782

File size: 113.9 KB (116,601 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\{user}\appdata\roaming\cachemgr.exe

File PE Metadata

Compilation timestamp: 1/15/1996 2:52:07 PM
OS version: 5.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 9.0
CTPH (ssdeep): 1536:7++fq6M5b9NqTxV67wAInyAeG+90MHJaOsp1gMIEELZ2G6CNgRtOOOOOOOOEQ6N:7++VMoTxyi9e7O1IXLoSWRqX
Entry address: 0x1198C
Entry point (first bytes): E8, 83, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, AD, 41, 00, 89, 0D, 74, AD, 41, 00, 89, 15, 70, AD, 41, 00, 89, 1D, 6C, AD, 41, 00, 89, 35, 68, AD, 41, 00, 89, 3D, 64, AD, 41, 00, 66, 8C, 15, 90, AD, 41, 00, 66, 8C, 0D, 84, AD, 41, 00, 66, 8C, 1D, 60, AD, 41, 00, 66, 8C, 05, 5C, AD, 41, 00, 66, 8C, 25, 58, AD, 41, 00, 66, 8C, 2D, 54, AD, 41, 00, 9C, 8F, 05, 88, AD, 41, 00, 8B, 45, 00, A3, 7C, AD, 41, 00, 8B, 45, 04, A3, 80, AD, 41, 00, 8D, 45, 08, A3, 8C, AD, 41...
Entropy: 6.9277
Code size: 89.5 KB (91,648 bytes)

Startup File (User Run)

Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: StubPath
Command: "C:\users\{user}\appdata\roaming\cachemgr.exe" -as

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP): Connects to redirect.www.ibm.com (129.42.38.1:80)

Remove cachemgr.exe - Powered by Reason Core Security