cachemgr.exe

The executable cachemgr.exe has been detected as malware by one anti-virus scanner. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the value name 'StubPath'. While running, it connects to the Internet address windowsnt.int.az on port 80 using the HTTP protocol.
MD5:
90f4a192728e6188661a3d008dd82e41

SHA-1:
072fc7e0b35ba88e86b442131618b485ef44e393

SHA-256:
e37bb9e74f58e92357ded73b0e2976240943590edb6cb957d27c146991e588dd

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/15/2024 12:47:14 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Installer (M)

Engine version:
17.1.30.9

File size:
446.5 KB (457,183 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\cachemgr.exe

File PE Metadata
Compilation timestamp:
10/19/1996 3:53:42 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x3B000

Entry point:
60, E8, 00, 00, 00, 00, 5D, 8B, C5, 81, ED, A8, A6, 01, 20, 2B, 85, 0F, AE, 01, 20, 89, 85, 0B, AE, 01, 20, B0, 00, 86, 85, 40, B0, 01, 20, 3C, 01, 0F, 85, BC, 01, 00, 00, 83, BD, 3B, AF, 01, 20, 00, 74, 33, 83, BD, 3F, AF, 01, 20, 00, 74, 2A, 8B, 85, 0B, AE, 01, 20, 2B, 85, 3B, AF, 01, 20, 8B, 00, 89, 85, 78, AF, 01, 20, 8B, 85, 0B, AE, 01, 20, 2B, 85, 3F, AF, 01, 20, 8B, 00, 89, 85, 7C, AF, 01, 20, EB, 61, 83, BD, 43, AF, 01, 20, 00, 74, 58, 8B, 85, 0B, AE, 01, 20, 2B, 85, 43, AF, 01, 20, FF, 30, 8D, 85...

Entropy:
6.7000

Packer / compiler:
ASPack v1.08.04

Code size:
95 KB (97,280 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\ProgramData\cachemgr.exe" -as

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to windowsnt.int.az  (207.46.232.182:80)

TCP (HTTP):
Connects to axapta.ru  (207.46.197.32:80)

TCP (HTTP):
Connects to redirect.www.ibm.com  (129.42.38.1:80)

Remove cachemgr.exe - Powered by Reason Core Security