cachemgr.exe

The executable cachemgr.exe has been detected as malware by 1 anti-virus scanner. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘StubPath’. While running, it connects to the Internet address estiempode.com on port 80 using the HTTP protocol.
MD5:
12ede6cc12c8dd71284b4039299fa501

SHA-1:
4a072e784e5fc3e4c33fc0fbb564a8eb9a7f5807

SHA-256:
4a29ecd03fdfe295f5baeb09ae7a30dc648fbe159b488dd1adbafb4fe0d29d04

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/26/2024 4:00:33 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Installer (M)

Engine version:
16.3.11.6

File size:
216.5 KB (221,696 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\cachemgr.exe

File PE Metadata
Compilation timestamp:
5/31/2007 10:19:51 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:NX2tAh15hxrmf7VlBSBzD7TbNau3doRzEg0H86Lx8CAcf+SueGMLefNe6WE5RXQG:9v5hm7VmBP7PtReQJUdMLgEE5RXh

Entry address:
0x12ECC

Entry point:
E8, 72, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, BD, 41, 00, 89, 0D, 74, BD, 41, 00, 89, 15, 70, BD, 41, 00, 89, 1D, 6C, BD, 41, 00, 89, 35, 68, BD, 41, 00, 89, 3D, 64, BD, 41, 00, 66, 8C, 15, 90, BD, 41, 00, 66, 8C, 0D, 84, BD, 41, 00, 66, 8C, 1D, 60, BD, 41, 00, 66, 8C, 05, 5C, BD, 41, 00, 66, 8C, 25, 58, BD, 41, 00, 66, 8C, 2D, 54, BD, 41, 00, 9C, 8F, 05, 88, BD, 41, 00, 8B, 45, 00, A3, 7C, BD, 41, 00, 8B, 45, 04, A3, 80, BD, 41, 00, 8D, 45, 08, A3, 8C, BD, 41...

Entropy:
4.7453

Code size:
95 KB (97,280 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\ProgramData\cachemgr.exe" -as

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to offres-microsoft.org (207.46.197.32:80)

TCP (HTTP):
Connects to estiempode.com (207.46.232.182:80)

TCP (HTTP):
Connects to redirect.www.ibm.com (129.42.38.1:80)

Remove cachemgr.exe - Powered by Reason Core Security