cachemgr.exe

The executable cachemgr.exe has been detected as malware by 38 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘StubPath’. While running, it connects to the Internet address redirect.www.ibm.com on port 80 using the HTTP protocol.
MD5:
38e3fa3c0913841501444f1d1c348b8a

SHA-1:
611270e8b3704fad9dc3dc8f91b0333a3a18be23

SHA-256:
17bf84abacbb2d67af3279b504b44b1c7d671d902d1bc16f4fe29756ee044376

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
11/15/2024 12:26:38 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Symmi.30489
349

Agnitum Outpost
Worm.AutoRun
7.1.1

AhnLab V3 Security
Worm/Win32.AutoRun
2014.10.11

Avira AntiVirus
TR/Finodes.der
7.11.177.164

avast!
Win32:AutoRun-DAJ [Trj]
2014.9-160221

AVG
Win32/Ramnit.A
2017.0.2827

Bitdefender
Gen:Variant.Symmi.30489
1.0.20.260

Bkav FE
W32.OnGamesLT031012KGHN
1.3.0.4959

Clam AntiVirus
Worm.Autorun-9877
0.98/21411

Comodo Security
TrojWare.Win32.Kryptik.VARA
19765

Dr.Web
Win32.HLLW.Autoruner1.889
9.0.1.052

Emsisoft Anti-Malware
Gen:Variant.Symmi.30489
8.16.02.21.10

ESET NOD32
Win32/Agent.NJO
10.10545

Fortinet FortiGate
W32/Autorun.CXP!tr
2/21/2016

F-Prot
W32/Bifrost.AF.gen
v6.4.7.1.166

F-Secure
Gen:Variant.Symmi.30489
11.2016-21-02_1

G Data
Gen:Variant.Symmi.30489
16.2.24

IKARUS anti.virus
Trojan.Win32.Finodes
t3scan.1.7.8.0

K7 AntiVirus
Trojan
13.183.13642

Kaspersky
Worm.Win32.AutoRun
14.0.0.628

Malwarebytes
Worm.Autorun
v2016.02.21.10

McAfee
W32/Autorun.worm.ht
5600.6483

Microsoft Security Essentials
Trojan:Win32/Finodes.B
1.11005

MicroWorld eScan
Gen:Variant.Symmi.30489
17.0.0.156

NANO AntiVirus
Trojan.Win32.AutoRun.rfaml
0.28.2.62483

Norman
FakeFolder.A
11.20160221

Panda Antivirus
Generic Malware
16.02.21.10

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Quick Heal
Trojan.Finodes.BB5
2.16.14.00

Rising Antivirus
PE:Malware.FakeFolder@CV!1.6ABC
23.00.65.16219

Sophos
Mal/Behav-043
4.98

Total Defense
Win32/FakeFLDR_i
37.0.11219

Trend Micro House Call
Mal_OtorunN
7.2.52

Trend Micro
Mal_OtorunN
10.465.21

Vba32 AntiVirus
Worm.AutoRun.cxps
3.12.26.3

VIPRE Antivirus
Trojan.Win32.Generic.pak!cobra
33822

ViRobot
Worm.Win32.A.AutoRun.117760.W
2011.4.7.4223

Zillya! Antivirus
Worm.AutoRun.Win32.46218
2.0.0.1949

File size:
181.5 KB (185,856 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\cachemgr.exe

File PE Metadata
OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:+++fq6M5b9NqTxV67wAInyAeG+90MHJaOsp1gMIEELZ2G6CNgRtOOOOOOOOEQ6:+++VMoTxyi9e7O1IXLoSWRq

Entry address:
0x1198C

Entry point:
E8, 83, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, AD, 41, 00, 89, 0D, 74, AD, 41, 00, 89, 15, 70, AD, 41, 00, 89, 1D, 6C, AD, 41, 00, 89, 35, 68, AD, 41, 00, 89, 3D, 64, AD, 41, 00, 66, 8C, 15, 90, AD, 41, 00, 66, 8C, 0D, 84, AD, 41, 00, 66, 8C, 1D, 60, AD, 41, 00, 66, 8C, 05, 5C, AD, 41, 00, 66, 8C, 25, 58, AD, 41, 00, 66, 8C, 2D, 54, AD, 41, 00, 9C, 8F, 05, 88, AD, 41, 00, 8B, 45, 00, A3, 7C, AD, 41, 00, 8B, 45, 04, A3, 80, AD, 41, 00, 8D, 45, 08, A3, 8C, AD, 41...
 
[+]

Entropy:
4.9872

Code size:
89.5 KB (91,648 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\users\{user}\appdata\roaming\cachemgr.exe" -as


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to redirect.www.ibm.com  (129.42.38.1:80)

Remove cachemgr.exe - Powered by Reason Core Security