d3992a7f4aa81f1f72e5672c89dbed75.exe

The executable d3992a7f4aa81f1f72e5672c89dbed75.exe has been detected as malware by 12 anti-virus scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49612 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address server-54-240-186-32.mad50.r.cloudfront.net on port 443.
Version:
2.37.11.2

MD5:
e2499b1481722a4ce4004f9d3cd85d37

SHA-1:
1f8a68ce7e98b9021f0a087d3990b549cd153281

SHA-256:
6c643287454512bad534db80b83c056c5c77ffa29a65e98cfd29f6f8a3d5e7bf

Scanner detections:
12 / 68

Status:
Malware

Analysis date:
12/24/2024 3:13:54 PM UTC  (today)

Scan engine
Detection
Engine version

Arcabit
Trojan.Generic.D2B2A6D
1.0.0.593

Bitdefender
Trojan.GenericKD.2828909
1.0.20.1595

Emsisoft Anti-Malware
Trojan.GenericKD.2828909
8.15.11.15.12

F-Secure
Trojan.GenericKD.2828909
11.2015-15-11_1

G Data
Trojan.GenericKD.2828909
15.11.25

Kaspersky
UDS:DangerousObject.Multi.Generic
14.0.0.1120

McAfee
Artemis!E2499B148172
5600.6581

MicroWorld eScan
Trojan.GenericKD.2828909
16.0.0.957

nProtect
Trojan.GenericKD.2828909
15.11.09.01

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1077

Rising Antivirus
PE:Trojan.FakeIcon!1.64A5[F1]
23.00.65.151011

VIPRE Antivirus
Trojan.Win32.Generic
45112

File size:
309.5 KB (316,928 bytes)

Product version:
2.37.11.2

Original file name:
LDI5KC.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\wnetenhancer\wnetenhancer internet enhancer\d3992a7f4aa81f1f72e5672c89dbed75.exe

File PE Metadata
Compilation timestamp:
10/7/2015 11:19:26 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:APdqImN5jtIMg9qpM8G6DglBfFfUGgkNu2wCddD7Ej5DxpI5Xx:AMImN5+xQpM8HDgLFFgcu2FdD7E7sx

Entry address:
0x4EA6E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
4.9001

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
307 KB (314,368 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49612/

Local host port:
49612

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to dh-in-f104.1e100.net  (209.85.203.104:443)

TCP (HTTP SSL):
Connects to ec2-52-6-82-78.compute-1.amazonaws.com  (52.6.82.78:443)

TCP (HTTP):
Connects to cd.3e.559e.ip4.static.sl-reverse.com  (158.85.62.205:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lht6.facebook.com  (157.240.1.35:443)

TCP (HTTP):
Connects to ec2-52-206-2-43.compute-1.amazonaws.com  (52.206.2.43:80)

TCP (HTTP):
Connects to blob.am5prdstr14a.store.core.windows.net  (52.239.140.4:80)

TCP (HTTP):
Connects to 92b91b35.rdns.100tb.com  (146.185.27.53:80)

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-lhr3.fbcdn.net  (31.13.90.6:443)

TCP (HTTP SSL):
Connects to v-5-232-d3155-06.webazilla.com  (78.140.166.6:443)

TCP (HTTP):
Connects to server-54-230-51-54.jfk5.r.cloudfront.net  (54.230.51.54:80)

TCP (HTTP):
Connects to server-52-84-25-44.sea32.r.cloudfront.net  (52.84.25.44:80)

TCP (HTTP):
Connects to li491-84.members.linode.com  (50.116.29.84:80)

TCP (HTTP):
Connects to hosting.adhigh.net  (209.58.128.158:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (199.58.87.155:80)

TCP (HTTP):
Connects to ec2-54-243-128-145.compute-1.amazonaws.com  (54.243.128.145:80)

TCP (HTTP):
Connects to ec2-54-243-102-9.compute-1.amazonaws.com  (54.243.102.9:80)

TCP (HTTP):
Connects to ec2-52-73-71-7.compute-1.amazonaws.com  (52.73.71.7:80)

TCP (HTTP SSL):
Connects to ec2-52-213-128-10.eu-west-1.compute.amazonaws.com  (52.213.128.10:443)

Remove d3992a7f4aa81f1f72e5672c89dbed75.exe - Powered by Reason Core Security