cachemgr.exe

The executable cachemgr.exe has been detected as malware by 40 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘StubPath’. While running, it connects to the Internet address windowsxp.gm on port 80 using the HTTP protocol.
MD5:
f3841d52a6f8766ab0eefb9bd84d824e

SHA-1:
5c235141e5715d60a9d1eff5fdef23d8ae167d7c

SHA-256:
baa1f19cbc0b4ab3f37d88c6c1322a0038163caa1b4231daac7fa29b3a993757

Scanner detections:
40 / 68

Status:
Malware

Analysis date:
12/28/2024 4:40:48 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Zusy.Elzob.5264 | 845
Agnitum Outpost | Worm.AutoRun | 7.1.1
AhnLab V3 Security | Worm/Win32.AutoRun | 2014.09.30
Avira AntiVirus | BDS/Bifrose.4478954 | 7.11.175.170
avast! | Win32:Downloader-LNT [Trj] | 2014.9-141012
AVG | Generic31 | 2015.0.3323
Baidu Antivirus | Trojan.Win32.Generic | 4.0.3.141012
Bitdefender | Gen:Variant.Zusy.Elzob.5264 | 1.0.20.1425
Bkav FE | W32.OnGameZ9ALI | 1.3.0.4959
Clam AntiVirus | Worm.Autorun-9880 | 0.98/21411
Comodo Security | TrojWare.Win32.Kryptik.VARA | 19659
Dr.Web | Win32.HLLW.Autoruner1.10200 | 9.0.1.0285
Emsisoft Anti-Malware | Gen:Variant.Zusy.Elzob.5264 | 8.14.10.12.12
ESET NOD32 | Win32/Agent.NJO | 8.10486
Fortinet FortiGate | W32/Autorun.CXP!tr | 10/12/2014
F-Prot | W32/Bifrost.AF.gen | v6.4.7.1.166
F-Secure | Gen:Variant.Zusy.Elzob.5264 | 11.2014-12-10_1
G Data | Gen:Variant.Zusy.Elzob.5264 | 14.10.24
IKARUS anti.virus | Worm.Win32.AutoRun | t3scan.1.7.8.0
K7 AntiVirus | Trojan | 13.183.13521
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.3112
Malwarebytes | Trojan.Inject | v2014.10.12.12
McAfee | W32/Autorun.worm.ht | 5600.6979
Microsoft Security Essentials | Backdoor:Win32/Bifrose.IQ | 1.11005
MicroWorld eScan | Gen:Variant.Zusy.Elzob.5264 | 15.0.0.855
NANO AntiVirus | Trojan.Win32.Autoruner1.rjjvz | 0.28.2.62440
Norman | FakeFolder.A | 11.20141012
Panda Antivirus | Generic Malware | 14.10.12.12
Qihoo 360 Security | Win32/Worm.4ab | 1.0.0.1015
Quick Heal | Backdoor.Bifrose.AE | 10.14.14.00
Rising Antivirus | PE:Malware.FakeFolder@CV!1.6ABC | 23.00.65.141010
Sophos | Mal/Behav-043 | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-AutoRun | 10304
Total Defense | Win32/SillyAutorun.FRO | 37.0.11206
Trend Micro House Call | Suspicious_GEN.F47V0807 | 7.2.285
Trend Micro | Mal_OtorunN | 10.465.12
Vba32 AntiVirus | Hoax.Blocker | 3.12.26.3
VIPRE Antivirus | Worm.Win32.Autorun.cxp | 33546
ViRobot | Worm.Win32.A.AutoRun.123392.B | 2011.4.7.4223
Zillya! Antivirus | Worm.AutoRun.Win32.57147 | 2.0.0.1938

File size:
119 KB (121,856 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\cachemgr.exe

File PE Metadata
OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:PX2tAh15hxrmf7VlBSBzD7TbNau3doRzEg0H86Lx8CAcf+SuqGMLefNe6WE5RXQ:Pv5hm7VmBP7PtReQJUhMLgEE5RX

Entry address:
0x12ECC

Entry point:
E8, 72, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, BD, 41, 00, 89, 0D, 74, BD, 41, 00, 89, 15, 70, BD, 41, 00, 89, 1D, 6C, BD, 41, 00, 89, 35, 68, BD, 41, 00, 89, 3D, 64, BD, 41, 00, 66, 8C, 15, 90, BD, 41, 00, 66, 8C, 0D, 84, BD, 41, 00, 66, 8C, 1D, 60, BD, 41, 00, 66, 8C, 05, 5C, BD, 41, 00, 66, 8C, 25, 58, BD, 41, 00, 66, 8C, 2D, 54, BD, 41, 00, 9C, 8F, 05, 88, BD, 41, 00, 8B, 45, 00, A3, 7C, BD, 41, 00, 8B, 45, 04, A3, 80, BD, 41, 00, 8D, 45, 08, A3, 8C, BD, 41...

Entropy:
6.9350

Code size:
95 KB (97,280 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\ProgramData\cachemgr.exe" -as


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to windowsxp.com.mu  (207.46.232.182:80)

TCP (HTTP):
Connects to windowsxp.gm  (207.46.197.32:80)

Remove cachemgr.exe - Powered by Reason Core Security