cachemgr.exe

The executable cachemgr.exe has been detected as malware by 1 of 68 anti-virus scanners (a single heuristic detection, listed below). It is set to start automatically when the user logs into Windows via a value named 'StubPath' under the current-user Run registry key. While running, it connects to the Internet address consultoriooffice.net on port 80 using the HTTP protocol. One heuristic hit is weak evidence on its own; the Run-key persistence, the drop location under C:\ProgramData and the outbound connections listed below carry more weight when triaging a host.
MD5:
d0f2cf5ad0e5efe6e85ba9a53a09093d

SHA-1:
e7e3d6a737314704050592d32c59b257e43a3e0c

SHA-256:
5b27b8488fa41f62e86ed21fce3ebe0b811e50f887295ce118fb9376cf932c5f

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/26/2024 3:51:40 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Installer (M)

Engine version:
16.4.2.19

File size:
675.5 KB (691,712 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\cachemgr.exe

File PE Metadata
Compilation timestamp:
12/6/2008 8:12:59 PM

OS version (minimum required, from the PE optional header):
5.0 (Windows 2000)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0 (Visual C++ 2008, consistent with the December 2008 compilation timestamp)

CTPH (ssdeep):
12288:W7BJKMcE8BVip7GWcLxL2KN6YoPatd1zHm8+LrEoM:Wb8n47Vc7ZRdJm8Tx

Entry address:
0x12ECC

Entry point:
E8, 72, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, BD, 41, 00, 89, 0D, 74, BD, 41, 00, 89, 15, 70, BD, 41, 00, 89, 1D, 6C, BD, 41, 00, 89, 35, 68, BD, 41, 00, 89, 3D, 64, BD, 41, 00, 66, 8C, 15, 90, BD, 41, 00, 66, 8C, 0D, 84, BD, 41, 00, 66, 8C, 1D, 60, BD, 41, 00, 66, 8C, 05, 5C, BD, 41, 00, 66, 8C, 25, 58, BD, 41, 00, 66, 8C, 2D, 54, BD, 41, 00, 9C, 8F, 05, 88, BD, 41, 00, 8B, 45, 00, A3, 7C, BD, 41, 00, 8B, 45, 04, A3, 80, BD, 41, 00, 8D, 45, 08, A3, 8C, BD, 41...

These opening bytes are the stock Visual C++ 2008 CRT start-up stub (a call to __security_init_cookie followed by a jmp to the CRT entry routine), which fits the linker version 9.0 above. They identify the compiler runtime rather than this sample, so they are not useful as a signature on their own.

Entropy:
7.7913 on a scale of 0 to 8  (probably packed: values this close to 8 indicate compressed or encrypted content. This is whole-file entropy; only 95 KB of the 691,712 bytes is code, so check entropy per section or per block to find which region actually carries the high-entropy data.)
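
The whole-file figure above does not say where the high-entropy bytes sit. The following Python is an added example, not code from this page or from Reason Core Security: it computes Shannon entropy in bits per byte the way such scanners do, then profiles a constructed stand-in image block by block so that a compressed or encrypted region shows up even when the overall number is below a "packed" threshold. The 4096-byte block size, the 7.2 threshold and the sample bytes are assumptions chosen for illustration; none of the bytes come from cachemgr.exe.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 when every
    byte is the same, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = 4096) -> list[tuple[int, float]]:
    """(offset, entropy) for each fixed-size block of the input."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def high_entropy_regions(data: bytes, block_size: int = 4096,
                         threshold: float = 7.2) -> list[tuple[int, float]]:
    """Blocks whose entropy is at or above the threshold. Around 7.2 bits/byte
    separates compiler output and text from compressed or encrypted content in
    practice; the exact value is an assumption to tune for your own corpus."""
    return [(off, h) for off, h in entropy_profile(data, block_size) if h >= threshold]


# Constructed stand-in for a packed image (assumption, not real file content):
# an 8 KiB mostly-zero header region followed by 32 KiB of seeded pseudo-random
# bytes standing in for a compressed or encrypted payload.
HEADER = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$").ljust(8192, b"\x00")
PAYLOAD = random.Random(0x5B27).randbytes(32768)
SAMPLE = HEADER + PAYLOAD

if __name__ == "__main__":
    # The whole-file number for this sample lands under the threshold because the
    # zero-filled header drags it down; the per-block profile still finds the payload.
    print(f"whole file: {shannon_entropy(SAMPLE):.4f} bits/byte")
    for off, h in entropy_profile(SAMPLE):
        flag = "  <- high" if h >= 7.2 else ""
        print(f"  0x{off:06x}: {h:.4f}{flag}")
    print("high-entropy regions start at",
          [hex(off) for off, _ in high_entropy_regions(SAMPLE)])
```

For a real file, replace SAMPLE with the bytes read from disk and map the flagged offsets back to the PE section table: a high-entropy code section points at a packer, while high entropy confined to resources or the overlay points at an embedded compressed or encrypted payload instead.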

Code size:
95 KB (97,280 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath  (a value name normally seen under Active Setup's Installed Components keys, not under Run; its use as a Run value name is unusual and makes a good string to hunt for)

Command:
"C:\ProgramData\cachemgr.exe" -as


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to windowsruby.de  (207.46.232.182:80)

TCP (HTTP):
Connects to consultoriooffice.net  (207.46.197.32:80)

TCP (HTTP):
Connects to redirect.www.ibm.com  (129.42.38.1:80)

The IP addresses are the resolutions observed at analysis time; re-resolve the hostnames before using addresses as indicators. redirect.www.ibm.com is a legitimate IBM host, so a connection to it is evidence only when correlated with the connecting process, not an indicator to block on its own.
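
Pulling the indicators on this page together (SHA-256, drop path, Run value name and command, and the contacted hosts), here is an added example of detection logic in Python, not code from this page or from Reason Core Security, run over constructed Sysmon-style JSON events: process creation (EventID 1) matched on image path and SHA-256, registry value set (EventID 13) matched on a Run value named StubPath and on the command it stores, and network connection (EventID 3) matched on the two unknown domains. The field names follow Sysmon's schema, but the SID, paths and events are constructed for the example; redirect.www.ibm.com is treated only as corroboration when the connecting image is the sample itself.

```python
import json
import re

# Indicators taken from the report above.
SHA256_IOC = "5b27b8488fa41f62e86ed21fce3ebe0b811e50f887295ce118fb9376cf932c5f"
IMAGE_IOC = r"c:\programdata\cachemgr.exe"
RUN_VALUE_NAME_IOC = "stubpath"
C2_DOMAINS = {"windowsruby.de", "consultoriooffice.net"}
# Legitimate IBM host observed in the sandbox; only meaningful when the
# connecting process is the sample, never a standalone indicator.
CORROBORATING_DOMAINS = {"redirect.www.ibm.com"}

# Sysmon records HKCU as HKU\<SID>\..., so match any user's Run key and
# capture the value name at the end of the path.
RUN_VALUE_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.IGNORECASE)


def sha256_from_hashes(field: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' field like 'MD5=..,SHA256=..'."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_event(ev: dict) -> list[str]:
    """Return the indicator names one event matches (empty list = no match)."""
    hits = []
    image = ev.get("Image", "").lower()
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        if image == IMAGE_IOC:
            hits.append("image-path")
        if sha256_from_hashes(ev.get("Hashes", "")) == SHA256_IOC:
            hits.append("sha256")
    elif eid == 13:  # registry value set
        m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
        if m:
            if m.group(1).lower() == RUN_VALUE_NAME_IOC:
                hits.append("run-value-name")
            if IMAGE_IOC in ev.get("Details", "").lower():
                hits.append("run-command")
    elif eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        if host in C2_DOMAINS:
            hits.append("c2-domain:" + host)
        elif host in CORROBORATING_DOMAINS and image == IMAGE_IOC:
            hits.append("corroborating-domain:" + host)
    return hits


def scan(lines) -> dict[int, list[str]]:
    """Map line index -> matched indicators, for every JSON line that matched."""
    results = {}
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        hits = check_event(json.loads(line))
        if hits:
            results[i] = hits
    return results


# Constructed Sysmon-style records (not real telemetry), one JSON object per line.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\ProgramData\\cachemgr.exe", "CommandLine": "\"C:\\ProgramData\\cachemgr.exe\" -as", "Hashes": "MD5=d0f2cf5ad0e5efe6e85ba9a53a09093d,SHA256=5b27b8488fa41f62e86ed21fce3ebe0b811e50f887295ce118fb9376cf932c5f"}
{"EventID": 13, "Image": "C:\\ProgramData\\cachemgr.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\StubPath", "Details": "\"C:\\ProgramData\\cachemgr.exe\" -as"}
{"EventID": 3, "Image": "C:\\ProgramData\\cachemgr.exe", "DestinationHostname": "consultoriooffice.net", "DestinationPort": 80}
{"EventID": 3, "Image": "C:\\ProgramData\\cachemgr.exe", "DestinationHostname": "redirect.www.ibm.com", "DestinationPort": 80}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "redirect.www.ibm.com", "DestinationPort": 80}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}
'''.strip().splitlines()

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The value-name match is the most durable of these: a fresh build changes the hash and a DNS move changes the addresses, but a Run value called StubPath is rare enough on a normal workstation that it is worth alerting on by itself, with the command stored in the value as confirmation.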

Remove cachemgr.exe - Powered by Reason Core Security