Clownfish.exe

Clownfish for Skype

Bogdan Sharkov

The executable Clownfish.exe has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Clownfish’. While running, it connects to the Internet address host-195-191-149-84.superhosting.bg on port 80 using the HTTP protocol.
Publisher:
Bogdan Sharkov

Product:
Clownfish for Skype

Version:
3.56

MD5:
007ebfdf6077e691d8258f28c3cc3567

SHA-1:
87fdff8e064e995dec6c5c7cf3636faba5ed663f

SHA-256:
3c20c8ff83d3f8d0adf1497ea1d3537933ee4630e7c02aff692987f2dceb42a1

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
12/25/2024 6:34:03 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Xpirat
160917-0

Dr.Web
Win32.Expiro.80
9.0.1.05190

F-Prot
New or modified Expiro
4.6.5.141

File size:
1.8 MB (1,902,080 bytes)

Product version:
3.56

Copyright:
Copyright (C) 2011-2014 Bogdan Sharkov

Original file name:
Clownfish.exe

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\Program Files\clownfish\clownfish.exe

File PE Metadata
Compilation timestamp:
7/28/2014 9:58:08 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x87490

Entry point:
60, 55, 89, E5, 81, EC, 08, 01, 00, 00, C7, 45, EC, 06, 00, 00, 00, C7, 45, F4, 04, 00, 00, 00, 83, 65, F8, 00, 8B, 45, EC, 83, E8, 06, 89, 45, F0, C7, 45, B8, F7, 2C, 00, 00, C7, 45, E8, FC, 1F, C1, B4, B8, 41, 02, 00, 00, F7, 65, B8, 89, 45, 90, 89, 45, F8, C7, 45, F0, 4A, 0A, 00, 00, 81, 45, F0, D0, 5E, 00, 00, 81, 45, F0, E6, 4E, 03, 00, 8B, 45, F4, 03, 45, EC, 83, E8, 0A, 89, 45, C4, 81, 45, F8, F9, 29, 00, 00, FF, 4D, E8, C7, 45, E4, 1A, 12, 00, 00, 8B, 45, E4, 29, 45, F8, C7, 45, DC, B0, 86, 65, 00...
 
[+]

Entropy:
7.0262

Code size:
674 KB (690,176 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Clownfish

Command:
"C:\Program Files\clownfish\clownfish.exe"


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to host-195-191-149-84.superhosting.bg  (195.191.149.84:80)

Remove Clownfish.exe - Powered by Reason Core Security