cachemgr.exe

The executable cachemgr.exe has been detected as malware by 41 anti-virus scanners. It is set to start automatically when a user logs into Windows, via a value named ‘StubPath’ under the current user's Run registry key (HKCU). While running, it connects to the Internet address windowsxp.uz on port 80 using the HTTP protocol.
MD5:
7e993920c2c95fb4d3b103c42ad17ff6

SHA-1:
26c7ec19f72a26f80319acff771a5bc02ce19d12

SHA-256:
667a2e1a00f4b93460754d9be4b020c54cda00f815903ebe8dd3fe7ef002b9ec

Scanner detections:
41 / 68

Status:
Malware

Analysis date:
12/28/2024 5:06:29 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Dropper.58 | 569
Agnitum Outpost | Worm.Agent | 7.1.1
AhnLab V3 Security | Worm/Win32.AutoRun | 2015.03.18
Avira AntiVirus | TR/Finodes.B.275 | 7.11.218.6
avast! | Win32:AutoRun-DAJ [Trj] | 2014.9-150715
AVG | Win32/DH{gRKBE3k2Aw9+ICIjJU4} | 2016.0.3047
Baidu Antivirus | Worm.Win32.AutoRun | 4.0.3.15715
Bitdefender | Gen:Variant.Dropper.58 | 1.0.20.980
Bkav FE | W32.OnGamesLT031012KGHN | 1.3.0.6379
Clam AntiVirus | Worm.Autorun-9877 | 0.98/21511
Comodo Security | TrojWare.Win32.Kryptik.VARA | 21443
Dr.Web | Win32.HLLW.Autoruner1.889 | 9.0.1.0196
Emsisoft Anti-Malware | Gen:Variant.Dropper.58 | 8.15.07.15.02
ESET NOD32 | Win32/Agent.NJO | 9.11334
Fortinet FortiGate | W32/Autorun.CXP!tr | 7/15/2015
F-Prot | W32/AutoRun.AU.gen | v6.4.7.1.166
F-Secure | Gen:Variant.Dropper.58 | 11.2015-15-07_4
G Data | Gen:Variant.Dropper.58 | 15.7.25
IKARUS anti.virus | Trojan.Win32.Finodes | t3scan.1.8.6.0
K7 AntiVirus | Trojan | 13.201.15291
Kaspersky | Worm.Win32.AutoRun | 14.0.0.1732
Malwarebytes | Worm.Autorun | v2015.07.15.02
McAfee | W32/Autorun.worm.ht | 5600.6703
Microsoft Security Essentials | Trojan:Win32/Finodes.B | 1.1.11400.0
MicroWorld eScan | Gen:Variant.Dropper.58 | 16.0.0.588
NANO AntiVirus | Trojan.Win32.AutoRun.rfaml | 0.30.0.296
Norman | FakeFolder.A | 11.20150715
nProtect | Worm/W32.AutoRun.117763 | 15.03.17.01
Panda Antivirus | Trj/Agent.MIZ | 15.07.15.02
Qihoo 360 Security | Win32/Worm.c4b | 1.0.0.1015
Quick Heal | Trojan.Finodes.BB5 | 7.15.14.00
Rising Antivirus | PE:Worm.Win32.Autorun.twj!1075350275 | 23.00.65.15713
Sophos | Mal/Behav-043 | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Autorun | 9752
Total Defense | Win32/FakeFLDR_i | 37.0.11500
Trend Micro House Call | Mal_OtorunN | 7.2.196
Trend Micro | Mal_OtorunN | 10.465.15
Vba32 AntiVirus | Worm.AutoRun.cxps | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Generic.pak!cobra | 38510
ViRobot | Worm.Win32.A.AutoRun.117760.W[h] | 2014.3.20.0
Zillya! Antivirus | Worm.AutoRun.Win32.46218 | 2.0.0.2103

File size:
115 KB (117,763 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\cachemgr.exe

File PE Metadata
Compilation timestamp:
7/23/2011 4:38:10 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:+++fq6M5b9NqTxV67wAInyAeG+90MHJaOsp1gMIEELZ2G6CNgRtOOOOOOOOEQ6z:+++VMoTxyi9e7O1IXLoSWRqN

Entry address:
0x1198C

Entry point:
E8, 83, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, AD, 41, 00, 89, 0D, 74, AD, 41, 00, 89, 15, 70, AD, 41, 00, 89, 1D, 6C, AD, 41, 00, 89, 35, 68, AD, 41, 00, 89, 3D, 64, AD, 41, 00, 66, 8C, 15, 90, AD, 41, 00, 66, 8C, 0D, 84, AD, 41, 00, 66, 8C, 1D, 60, AD, 41, 00, 66, 8C, 05, 5C, AD, 41, 00, 66, 8C, 25, 58, AD, 41, 00, 66, 8C, 2D, 54, AD, 41, 00, 9C, 8F, 05, 88, AD, 41, 00, 8B, 45, 00, A3, 7C, AD, 41, 00, 8B, 45, 04, A3, 80, AD, 41, 00, 8D, 45, 08, A3, 8C, AD, 41...

Entropy:
6.9424

Code size:
89.5 KB (91,648 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\users\{user}\appdata\roaming\cachemgr.exe" -as

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to windowsxp.uz  (207.46.197.32:80)

TCP (HTTP):
Connects to maa03s05-in-f17.1e100.net  (74.125.236.81:80)

Remove cachemgr.exe - Powered by Reason Core Security