cachemgr.exe

The executable cachemgr.exe has been detected as malware by 6 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key, under the value name "StubPath". While running, it connects to the Internet address redirect.www.ibm.com on port 80 using the HTTP protocol.
MD5:
1a14db18818fa7900a9bef8d894e73bc

SHA-1:
97515af6e6b779170f92ad0f4304e6d47275bbed

SHA-256:
2b2d0b0adfe565a8de935306501c0b979ab46028c257fd7e55688b9137c41544

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
12/26/2024 3:49:08 PM UTC

Scan engine       Detection                        Engine version
avast!            Win32:AutoRun-DAJ [Trj]          160830-0
Clam AntiVirus    Win.Worm.Autorun-10000           0.98/22176
Dr.Web            Win32.HLLW.Autoruner1.889        9.0.1.05190
ESET NOD32        Win32/Agent.NJO worm             6.3.12010.0
F-Prot            W32/AutoRun.AU.gen               4.6.5.141
Kaspersky         Worm.Win32.AutoRun               15.0.2.529

File size:
1.2 MB (1,236,992 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\cachemgr.exe

File PE Metadata
Compilation timestamp:
7/23/2011 6:38:10 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:v++fq6M5b9NqTxV67wAInyAeG+90MHJaOsp1gMIEELZ2G6CNgRtOOOOOOOOEQ:v++VMoTxyi9e7O1IXLoSWRq

Entry address:
0x1198C

Entry point:
E8, 83, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, AD, 41, 00, 89, 0D, 74, AD, 41, 00, 89, 15, 70, AD, 41, 00, 89, 1D, 6C, AD, 41, 00, 89, 35, 68, AD, 41, 00, 89, 3D, 64, AD, 41, 00, 66, 8C, 15, 90, AD, 41, 00, 66, 8C, 0D, 84, AD, 41, 00, 66, 8C, 1D, 60, AD, 41, 00, 66, 8C, 05, 5C, AD, 41, 00, 66, 8C, 25, 58, AD, 41, 00, 66, 8C, 2D, 54, AD, 41, 00, 9C, 8F, 05, 88, AD, 41, 00, 8B, 45, 00, A3, 7C, AD, 41, 00, 8B, 45, 04, A3, 80, AD, 41, 00, 8D, 45, 08, A3, 8C, AD, 41...

Entropy:
1.0270

Code size:
89.5 KB (91,648 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\users\{user}\appdata\roaming\cachemgr.exe" -as
The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to redirect.www.ibm.com  (129.42.38.1:80)

Remove cachemgr.exe - Powered by Reason Core Security