cachemgr.exe

The executable cachemgr.exe has been detected as malware by 37 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘StubPath’. While running, it connects to the Internet address redirect.www.ibm.com on port 80 using the HTTP protocol.
MD5:
8cb23ec0e36eed471ab6f2ba8bd78c7a

SHA-1:
8c8ff1914ccea3e7502361164469a0bb300eb281

SHA-256:
c202952f404561cf06835e1a9aeae6877b19c4e552dabb34b1d2b9dd62d4997e

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
12/26/2024 3:20:47 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Trojan.DL.Agent
7.1.1

AhnLab V3 Security
Worm/Win32.AutoRun
2013.09.05

Avira AntiVirus
TR/Dldr.VB.bxw
7.11.100.154

avast!
Win32:Malware-gen
2014.9-140330

AVG
Generic27
2015.0.3519

Baidu Antivirus
Trojan.Win32.Agent
4.0.3.14330

Bitdefender
Trojan.Generic.KDV.611579
1.0.20.445

Clam AntiVirus
Win.Trojan.Agent-119349
0.98/18155

Comodo Security
TrojWare.Win32.Kryptik.VARA
16877

Dr.Web
Trojan.DownLoad3.5776
9.0.1.089

Emsisoft Anti-Malware
Trojan-Downloader.Win32.Agent
8.14.03.30.12

ESET NOD32
Win32/Kryptik.AAHE (variant)
8.8762

Fortinet FortiGate
W32/Agent.AAHE!tr
3/30/2014

F-Prot
W32/Trojan2.NXBX
v6.4.7.1.166

F-Secure
Trojan.Generic.KDV.611579
11.2014-30-03_1

G Data
Trojan.Generic.KDV.611579
14.3.22

IKARUS anti.virus
Backdoor.Win32.Bifrose
t3scan.2.0.127

K7 AntiVirus
Riskware
13.171.9471

Kaspersky
Trojan-Downloader.Win32.Agent
14.0.0.4092

Malwarebytes
Backdoor.Agent.FLDGen
v2014.03.30.12

McAfee
Generic.dx!8CB23EC0E36E
5600.7175

Microsoft Security Essentials
Backdoor:Win32/Bifrose.IQ
1.163.1557.0

MicroWorld eScan
Trojan.Generic.KDV.611579
15.0.0.267

NANO AntiVirus
Trojan.Win32.Agent2.vsjct
0.26.0.54404

Norman
Obfuscated.H5!genr
11.20140330

nProtect
Trojan/W32.Agent.151417.C
13.09.04.04

Panda Antivirus
Trj/Agent.JHT
14.03.30.12

Quick Heal
Backdoor.Bifrose.IQ4
3.14.12.00

Rising Antivirus
Trojan.Win32.Generic.12C035F9
23.00.65.14328

Sophos
Mal/Behav-043
4.91

SUPERAntiSpyware
Trojan.Agent/Gen-Kryptik
10696

Total Defense
Win32/FakeFLDR_i
37.0.10498

Trend Micro House Call
Mal_OtorunN
7.2.89

Trend Micro
Mal_OtorunN
10.465.30

Vba32 AntiVirus
TrojanDownloader.Agent
3.12.22.3

VIPRE Antivirus
Trojan.Win32.Generic
21164

ViRobot
Trojan.Win32.A.Downloader.1274200
2011.4.7.4223

File size:
147.9 KB (151,417 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
1/3/2012 10:30:02 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:dvIC6+gLE5QLPoSVyRy7QVgfSyrMSglKcN5RkysdxEJPk7hy97Y6UESbMonA+:6C/gLTTyRy7LfS2glhRXJehyBJUEoJA+

Entry address:
0x1CF3

Entry point:
E8, 7B, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, AD, 40, 00, 89, 0D, 74, AD, 40, 00, 89, 15, 70, AD, 40, 00, 89, 1D, 6C, AD, 40, 00, 89, 35, 68, AD, 40, 00, 89, 3D, 64, AD, 40, 00, 66, 8C, 15, 90, AD, 40, 00, 66, 8C, 0D, 84, AD, 40, 00, 66, 8C, 1D, 60, AD, 40, 00, 66, 8C, 05, 5C, AD, 40, 00, 66, 8C, 25, 58, AD, 40, 00, 66, 8C, 2D, 54, AD, 40, 00, 9C, 8F, 05, 88, AD, 40, 00, 8B, 45, 00, A3, 7C, AD, 40, 00, 8B, 45, 04, A3, 80, AD, 40, 00, 8D, 45, 08, A3, 8C, AD, 40...
 
[+]

Entropy:
6.6670

Code size:
26.5 KB (27,136 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\setup\cachemgr.exe" -as


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to windowsxp.lv  (207.46.232.182:80)

TCP (HTTP):
Connects to redirect.www.ibm.com  (129.42.38.1:80)

TCP (HTTP):
Connects to bepclegal.org  (207.46.197.32:80)

Remove cachemgr.exe - Powered by Reason Core Security