counter-strike.exe

Rofasalota

Sivensys SRL

The executable counter-strike.exe, "Rofasalota Setup", has been flagged by 1 of 68 anti-virus scanners; the single detection is a heuristic PUP (potentially unwanted program) verdict rather than a named malware family. The program is a setup application built with the Inno Setup installer and carries a valid Authenticode signature from Sivensys SRL; a valid signature establishes who signed the file, not that its contents are benign. The file has been seen being downloaded from www.funcentralnew.com. While running, it connects to the Internet address web1.evovps.com on port 80 using the HTTP protocol.
Publisher:
Sivensys SRL (signed and verified)

Product:
Rofasalota

Description:
Rofasalota Setup

Version:
2.8.1.7

MD5:
6e30492c4c59b1b4f26a50dcfd6ee6a4

SHA-1:
63cbee33f6650829945d5eefb53b38deffe1fe78

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/17/2024 3:29:32 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.2.17.2

File size:
1.2 MB (1,292,528 bytes)

Product version:
4.3.7

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\My documents\downloads\counter-strike.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 10:04:57 AM

Valid to:
10/21/2017 10:04:57 AM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM (fixed placeholder value written by the Borland/Delphi linker that Inno Setup is built with, rendered here in a UTC+2 zone; it is not the real build time)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9855

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)
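The PE metadata above is what a first-pass triage script should pull from the file itself, together with the MD5/SHA-1 to confirm that the sample in hand is the one the report describes. Two fields deserve a check rather than a glance: the compilation timestamp, which for Delphi-built binaries such as Inno Setup is the fixed constant 0x2A425E19 (1992-06-19 22:22:17 UTC) and tells you nothing about when the installer was actually produced, and the whole-file entropy, which is close to the 8.0 ceiling here because the compressed Inno Setup payload dominates the image. The following is an added example, not code from the report or from Reason Core Security; `build_sample_pe()` constructs a headers-only PE32 image carrying the report's values so the parser can be run offline, and `parse_pe()` is what you would run on the real file.

```python
"""Pull the PE header fields shown in this report from a file and flag the
Delphi/Inno Setup placeholder timestamp.

Added example, not part of the original report. build_sample_pe() constructs a
minimal headers-only PE32 image carrying the values from the report so the
parser can be exercised offline; run parse_pe(open(path, "rb").read()) on the
real file.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Borland/Delphi linkers (which Inno Setup is built with) write this fixed
# TimeDateStamp: 0x2A425E19 = 1992-06-19 22:22:17 UTC. The "6/20/1992 12:22:17 AM"
# on the page is the same value rendered in a UTC+2 zone, not a real build time.
DELPHI_PLACEHOLDER_TIMESTAMP = 0x2A425E19

# Hashes as listed in the report.
REPORT_MD5 = "6e30492c4c59b1b4f26a50dcfd6ee6a4"
REPORT_SHA1 = "63cbee33f6650829945d5eefb53b38deffe1fe78"

COFF_FMT = "<HHIIIHH"                                   # IMAGE_FILE_HEADER
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"    # PE32 optional header through DllCharacteristics
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Parse the DOS stub pointer, COFF header and PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, _nsections, timestamp, _, _, _opt_size, _chars = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT_FMT, data, e_lfanew + 24)
    (magic, maj_linker, min_linker, size_of_code, _, _, entry_point, _, _,
     _image_base, _, _, maj_os, min_os, _, _, _, _, _, _, _, _, subsystem, _) = opt
    if magic != 0x10B:
        raise ValueError(f"unsupported optional header magic 0x{magic:x} (PE32 only)")
    return {
        "machine": machine,
        "timestamp": timestamp,
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "delphi_placeholder": timestamp == DELPHI_PLACEHOLDER_TIMESTAMP,
        "linker_version": f"{maj_linker}.{min_linker}",
        "os_version": f"{maj_os}.{min_os}",
        "entry_point": entry_point,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "size_of_code": size_of_code,
        "entropy": round(shannon_entropy(data), 4),
    }


def matches_report(data: bytes) -> bool:
    """True only if the bytes hash to both the MD5 and the SHA-1 in the report."""
    return (hashlib.md5(data).hexdigest() == REPORT_MD5
            and hashlib.sha1(data).hexdigest() == REPORT_SHA1)


def build_sample_pe() -> bytes:
    """Constructed headers-only PE32 carrying the report's metadata (not the real sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack(COFF_FMT, 0x14C, 0, DELPHI_PLACEHOLDER_TIMESTAMP, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 2, 25, 40448, 0, 0, 0xA5F8, 0x1000, 0, 0x400000,
                      0x1000, 0x200, 1, 0, 0, 0, 4, 0, 0, 0, 0, 0, 2, 0)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_pe()).items():
        print(f"{k}: {v}")
```

The timestamp test is deliberately an exact match against the constant rather than a "looks old" heuristic: a genuinely ancient or forged timestamp is a different finding from a linker that never writes one. `matches_report()` requires both digests to agree, so a file that collides on MD5 alone is still rejected.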

The file counter-strike.exe has been seen being distributed by the following URL.

http://www.funcentralnew.com/GKtZsBY3QSpQ3LcE71BEUHBU_7yIKXzfnMurvn2eeTk5f0KZOmG2Ni7KQAGBAthKSKAQeDCUztrONuafTxJRulhGrV4jBjp6CrB3FkV1fIReQm5RLSxfLMTUXlH17VlsRfHRaBQYmcPfdCanjzBTvD6zngYwq_XZUKzxJCQG1OSJ0um3NdM5j0dCbIwKSwUs5LCml3AE7u49RZpihDiRnxZ31U3RliWTfzPf9G7vsT1005oVeI29wiQg0KlmwB6IrfAGy7rYzumVkP7DGVoNTy3VXgOiKtFt6klsx_oqorlEZLbL_oujkrxpIyA9YmOTIykPCHzoHKvBN93gA292SpgRtGVJtG1wb3nUPN_OaotRxfWPg9XmzkxPoLa6wadVqWPeyNrE7yHegTOsY4kS7hrFh487rHn1CWdQbXtccXAs4_GzqpO2gFCLiRHriuRejF-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to web1.evovps.com  (46.105.105.77:80)

TCP (HTTP SSL):
Connects to generic.external.zlb.scl3.mozilla.com  (63.245.213.12:443)

TCP (HTTP):
Connects to ec2-52-50-196-247.eu-west-1.compute.amazonaws.com  (52.50.196.247:80)

TCP (HTTP):
Connects to server-54-230-95-78.fra2.r.cloudfront.net  (54.230.95.78:80)

TCP (HTTP):
Connects to ec2-54-154-190-87.eu-west-1.compute.amazonaws.com  (54.154.190.87:80)

TCP (HTTP):
Connects to ec2-54-154-109-8.eu-west-1.compute.amazonaws.com  (54.154.109.8:80)

TCP (HTTP):
Connects to ec2-52-214-247-42.eu-west-1.compute.amazonaws.com  (52.214.247.42:80)

TCP (HTTP):
Connects to ec2-52-208-40-227.eu-west-1.compute.amazonaws.com  (52.208.40.227:80)
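The hosts listed above fall into two classes. web1.evovps.com (46.105.105.77) and the distribution host www.funcentralnew.com are specific to this sample; the remaining contacts (Amazon EC2 instances in eu-west-1, a CloudFront edge node and a Mozilla load balancer) are shared infrastructure that countless unrelated programs also reach, so on their own they are context, not indicators. The following added example, not part of this report, triages constructed proxy log lines against these indicators: it alerts on the specific hosts outright and escalates shared-infrastructure hits only when the same client touched a specific indicator within a five-minute window. The log layout, the client addresses and the 198.51.100.7 destination are constructed for the example.

```python
"""Triage proxy log lines against the network indicators listed in this report.

Added example, not part of the original page. The log format is a constructed
space-separated layout (timestamp, client IP, destination IP:port, Host header
or SNI, method, URL path); adapt LOG_RE to your own proxy or Zeek http.log.
"""
import re
from datetime import datetime, timedelta, timezone

# Indicators copied from the report. Only the download host and the first
# outbound contact are specific enough to alert on by themselves.
SPECIFIC_HOSTS = {"www.funcentralnew.com", "web1.evovps.com"}
SPECIFIC_IPS = {"46.105.105.77"}

# The remaining contacts are shared AWS, CloudFront and Mozilla infrastructure:
# many unrelated programs talk to them, so they are context, not IOCs.
SHARED_INFRA_IPS = {
    "63.245.213.12", "52.50.196.247", "54.230.95.78", "54.154.190.87",
    "54.154.109.8", "52.214.247.42", "52.208.40.227",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$"
)

# Constructed sample log; 198.51.100.7 and the client addresses are invented.
SAMPLE_LOG = [
    "2024-11-17T03:29:40Z 10.0.0.5 93.184.216.34:80 example.com GET /index.html",
    "2024-11-17T03:29:41Z 10.0.0.5 46.105.105.77:80 web1.evovps.com GET /",
    "2024-11-17T03:29:42Z 10.0.0.5 54.230.95.78:80 server-54-230-95-78.fra2.r.cloudfront.net GET /update.bin",
    "2024-11-17T03:29:43Z 10.0.0.7 63.245.213.12:443 generic.external.zlb.scl3.mozilla.com CONNECT -",
    "2024-11-17T03:31:02Z 10.0.0.9 198.51.100.7:80 www.funcentralnew.com GET /GKtZsBY3QSpQ3LcE71BEUHBU",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return e


def classify(entry):
    """'high' for a sample-specific indicator, 'low' for shared infrastructure, else None."""
    if entry["host"].lower() in SPECIFIC_HOSTS or entry["dst"] in SPECIFIC_IPS:
        return "high"
    if entry["dst"] in SHARED_INFRA_IPS:
        return "low"
    return None


def triage(lines, window=timedelta(minutes=5)):
    """Return (client, severity, host) tuples in log order.

    Shared-infrastructure hits are escalated to 'medium' when the same client
    reached a specific indicator within `window`; otherwise they are dropped,
    because by themselves they would page on ordinary software updates.
    """
    entries = [e for e in map(parse_line, lines) if e]
    high_times = {}
    for e in entries:
        if classify(e) == "high":
            high_times.setdefault(e["src"], []).append(e["ts"])
    findings = []
    for e in entries:
        sev = classify(e)
        if sev == "high":
            findings.append((e["src"], "high", e["host"]))
        elif sev == "low" and any(abs(e["ts"] - t) <= window for t in high_times.get(e["src"], [])):
            findings.append((e["src"], "medium", e["host"]))
    return findings


if __name__ == "__main__":
    for src, sev, host in triage(SAMPLE_LOG):
        print(f"{sev:6} {src:10} {host}")
```

Matching is on destination IP and on the Host header or SNI, not on the long download path, which a bundler can rotate per visit; the hostnames and the 46.105.105.77 address are the stable part of what the report records. The Mozilla contact from 10.0.0.7 produces nothing because that client never touched a specific indicator, which is the intended behaviour.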

Powered by Reason Core Security