db407238488627b07a6e8dcc981db98c.exe

The application db407238488627b07a6e8dcc981db98c.exe is flagged as a potentially unwanted program by 1 of 68 anti-malware scanners (Reason Heuristics, as PUP.Wajam.Meta). A single detection is a weak signal on its own, and adware of this kind is routinely under-reported because many engines do not flag PUPs by default; the stronger indication is the observed behaviour. The executable installs itself as the per-user Internet Settings (WinINET) proxy at 127.0.0.1:50663, so every application that honours the system proxy (browsers and most Windows HTTP clients) sends its web traffic through this process, which can then read and modify the requests and responses of those applications on the local host. The report shows no other interception mechanism, so programs that bypass the system proxy are not covered by this route. While running, it also connects to rtr3.l7.search.vip.sg3.yahoo.com on port 80 over plain HTTP.
Version:
2.40.2.65

MD5:
22d399a910f677128921f73e18cf370c

SHA-1:
8e4724988d8970f79edc4e66b458eb63fc81084f

SHA-256:
a32443668eb197e7c80fcd95d43f9b9ac4a3605fb27c129036be0b920d9b3ea6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 4:25:30 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Wajam.Meta (M)

Engine version:
16.2.16.16

File size:
486 KB (497,664 bytes)

Product version:
2.40.2.65

Original file name:
68VZE3.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\wanetworkenhancer\wanetworkenhancer internet enhancer\db407238488627b07a6e8dcc981db98c.exe

File PE Metadata
Compilation timestamp:
2/12/2016 12:18:20 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:u2Se3MqCCtOqUr0/0hnMDQSwJFTI0fLybRs:u2Nl0Tl

Entry address:
0x7AC2E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
The first six bytes, FF 25 00 20 40 00, decode to jmp dword ptr [0x00402000]: the fixed native stub that the .NET compilers emit for 32-bit managed executables, which jumps through the import table (normally to mscoree!_CorExeMain) so that the CLR loads the assembly; the zeros that follow are padding, not code. This is consistent with the ".NET CLR dependent: Yes" entry below.

Entropy:
4.8067

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
483.5 KB (495,104 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:50663/

Local host port:
50663

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to mc.yandex.ru  (93.158.134.119:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-hkg3.facebook.com  (31.13.95.8:443)

TCP (HTTP):
Connects to server-54-192-210-155.mnl50.r.cloudfront.net  (54.192.210.155:80)

TCP (HTTP):
Connects to ocsp.comodoca.com  (178.255.83.1:80)

TCP (HTTP):
Connects to haproxy2.ca.servers.visadd.com  (198.27.102.144:80)

TCP (HTTP SSL):
Connects to edge-star-shv-01-sin6.facebook.com  (157.240.7.20:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-hkg3.facebook.com  (31.13.95.36:443)

TCP (HTTP):
Connects to ec2-23-21-139-158.compute-1.amazonaws.com  (23.21.139.158:80)

TCP (HTTP):
Connects to ds-usa-abl-2.itftd.com  (158.69.117.176:80)

TCP (HTTP):
Connects to cdn-203-77-188-254.hkg.llnw.net  (203.77.188.254:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-sin6.fbcdn.net  (157.240.7.26:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-kut2.fbcdn.net  (157.240.10.23:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-hkg3.fbcdn.net  (31.13.95.12:443)

TCP (HTTP):
Connects to sg2plpkivs-v01.any.prod.sin2.secureserver.net  (182.50.136.237:80)

TCP (HTTP SSL):
Connects to server-52-84-230-71.sfo9.r.cloudfront.net  (52.84.230.71:443)

TCP (HTTP):
Connects to ip-72-167-157-216.ip.secureserver.net  (72.167.157.216:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-sin6.facebook.com  (157.240.7.35:443)

TCP (HTTP):
Connects to ec2-52-54-202-81.compute-1.amazonaws.com  (52.54.202.81:80)
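The two sections above (the local proxy on 127.0.0.1:50663 configured through Internet Settings, and the list of peers) are what an incident responder would check for on a suspect host. The following Python script is an added example, not code from this report or from the analysed program: it parses the output of reg query on the per-user Internet Settings key and of netstat -ano, flags a proxy that points at a loopback address, finds the process listening on that port, compares that process's image hash with the SHA-256 above, and lists its established connections to the report's more distinctive peers. The registry dump, netstat rows and PID-to-hash mapping embedded in it are constructed sample data in the real commands' output format; only the SHA-256 and the two indicator addresses are taken from the report. The shared-service hosts in the list (Facebook, fbcdn, Yandex, CloudFront, EC2, Comodo OCSP, Limelight, secureserver) are deliberately not used as indicators, since matching them would flag almost any workstation.

```python
"""Host triage for a loopback WinINET proxy.  Added example, not code from
the report or the analysed program.  Correlates the per-user Internet
Settings proxy with the process listening on that port, checks the process
image hash against the report's SHA-256, and checks its remote peers against
the report's distinctive hosts.  All inputs below are constructed strings in
the output format of `reg query` and `netstat -ano`, so it runs offline."""
import re
from ipaddress import ip_address

# SHA-256 of db407238488627b07a6e8dcc981db98c.exe, from the report.
KNOWN_BAD_SHA256 = {
    "a32443668eb197e7c80fcd95d43f9b9ac4a3605fb27c129036be0b920d9b3ea6",
}
# Report peers that are not shared infrastructure (Facebook, Yandex,
# CloudFront, EC2, OCSP and CDN/hosting ranges are left out on purpose).
IOC_IPS = {"198.27.102.144", "158.69.117.176"}  # visadd.com, itftd.com

# Constructed sample of:
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ       http=127.0.0.1:50663;https=127.0.0.1:50663
    ProxyOverride  REG_SZ       <local>
"""
# Constructed sample of `netstat -ano`, trimmed to the rows that matter.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:50663        0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49712         198.27.102.144:80      ESTABLISHED     4120
  TCP    10.0.0.5:49730         93.158.134.119:443     ESTABLISHED     4120
"""
# Constructed PID -> SHA-256 of the process image.  On a live host build
# this from `Get-Process -Id <pid>` and `Get-FileHash -Algorithm SHA256`.
IMAGE_SHA256_BY_PID = {
    912: "0" * 64,
    4120: "a32443668eb197e7c80fcd95d43f9b9ac4a3605fb27c129036be0b920d9b3ea6",
}


def parse_proxy_settings(reg_output):
    """Return (enabled, [(scheme, host, port), ...]) from `reg query` text.
    ProxyServer is either "host:port" or ';'-separated "scheme=host:port"."""
    enabled, servers = False, []
    for line in reg_output.splitlines():
        m = re.match(r"\s*(\w+)\s+REG_(?:DWORD|SZ)\s+(.+?)\s*$", line)
        if not m:
            continue
        name, value = m.groups()
        if name == "ProxyEnable":
            enabled = int(value, 0) != 0          # "0x1" -> 1
        elif name == "ProxyServer":
            for entry in value.split(";"):
                scheme, sep, hostport = entry.partition("=")
                if not sep:                       # bare host:port, all schemes
                    scheme, hostport = "*", entry
                host, _, port = hostport.rpartition(":")
                servers.append((scheme.lower(), host, int(port)))
    return enabled, servers


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def _tcp_rows(netstat_output):
    """Yield (local, remote, state, pid) for each TCP row of netstat -ano."""
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield f[1], f[2], f[3], int(f[4])


def listening_pids(netstat_output, port):
    """PIDs with a TCP listener on the given port, on any local address."""
    return {pid for local, _, state, pid in _tcp_rows(netstat_output)
            if state == "LISTENING" and local.rsplit(":", 1)[1] == str(port)}


def ioc_peers(netstat_output, pid):
    """Sorted (ip, port) of this PID's established peers that are in IOC_IPS."""
    peers = set()
    for _, remote, state, p in _tcp_rows(netstat_output):
        ip, _, port = remote.rpartition(":")
        if p == pid and state == "ESTABLISHED" and ip in IOC_IPS:
            peers.add((ip, int(port)))
    return sorted(peers)


def triage(reg_output, netstat_output, image_sha256_by_pid):
    """One finding per loopback proxy entry; pid is None if nothing listens."""
    enabled, servers = parse_proxy_settings(reg_output)
    findings = []
    for scheme, host, port in (servers if enabled else []):
        if not is_loopback_host(host):
            continue
        for pid in sorted(listening_pids(netstat_output, port)) or [None]:
            digest = image_sha256_by_pid.get(pid)
            findings.append({"scheme": scheme, "proxy": f"{host}:{port}",
                             "pid": pid, "sha256": digest,
                             "known_bad": digest in KNOWN_BAD_SHA256,
                             "ioc_peers": ioc_peers(netstat_output, pid) if pid else []})
    return findings


if __name__ == "__main__":
    for finding in triage(REG_QUERY_OUTPUT, NETSTAT_OUTPUT, IMAGE_SHA256_BY_PID):
        print(finding)
```

On a live host, replace the constructed strings with the real output of reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" and netstat -ano, and build the PID-to-hash mapping from the image path of each flagged PID with Get-FileHash -Algorithm SHA256. A loopback proxy by itself is also used by legitimate software (local web-filtering antivirus, developer tools), so the hash match and the peer match are what turn the finding into a confirmation rather than a lead.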

Remove db407238488627b07a6e8dcc981db98c.exe - Powered by Reason Core Security