cachemgr.exe

The executable cachemgr.exe has been detected as malware by 1 anti-virus scanner. It is set to start automatically when a user logs into Windows via the current-user Run registry key, under the value name 'StubPath'. While running, it connects to the Internet address windowsxp.li on port 80 using the HTTP protocol.
MD5:
25e4bd6149a9596c1c4762936b3fff06

SHA-1:
b6bae266df17073cacde7c25abe71e66f8a608de

SHA-256:
34d33d3fa3b3b233d1bea43778405897c0a9774e9716752a9e9e321257d75425

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/26/2024 3:55:37 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Installer (M)

Engine version:
16.3.18.13

File size:
1.5 MB (1,554,484 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\cachemgr.exe

File PE Metadata
Compilation timestamp:
9/21/2010 6:58:44 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:LYLTfG6i9JehNAKG6i9JehNAWL7eTZ4zytbLc:LYPOtTe0KGtTe0Wml4zkI

Entry address:
0x1CF3

Entry point:
60, E8, 00, 00, 00, 00, 5B, 81, EB, D0, 48, 00, 10, 83, EC, 74, 8B, EC, 8B, 83, AB, 4B, 00, 10, 89, 45, 00, 8B, 83, B3, 4B, 00, 10, 03, 45, 00, 89, 45, 2C, 8B, 83, B7, 4B, 00, 10, 03, 45, 00, 89, 45, 30, C7, 45, 14, 00, 00, 00, 00, C7, 45, 18, 00, 00, 00, 00, C7, 45, 1C, 00, 00, 00, 00, 8B, 45, 14, FF, 45, 14, 66, 33, C9, 8A, 8C, 03, FF, 4B, 00, 10, 84, C9, 74, 7A, 8B, 45, 1C, 66, 01, 4D, 1C, 03, C3, 05, 13, 4C, 00, 10, 50, 8B, 45, 2C, FF, 10, 85, C0, 0F, 84, 5E, 02, 00, 00, 89, 45, 10, 8B, 45, 1C, 03, C3...

Entropy:
2.2182

Packer / compiler:
ASPack v1.08.04

Code size:
26.5 KB (27,136 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\ProgramData\cachemgr.exe" -as

The executable has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to windowsxp.li  (207.46.232.182:80)

TCP (HTTP):
Connects to windowsnt.gen.in  (207.46.197.32:80)

TCP (HTTP):
Connects to redirect.www.ibm.com  (129.42.38.1:80)

TCP (HTTP):
Connects to www9.cisco.com  (198.133.219.25:80)

Powered by Reason Core Security