debug.exe

BlueStacks

BlueStack Systems, Inc.

The application debug.exe, “BlueStacks StartLauncher” has been detected as a potentially unwanted program by 15 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘RavTroy’. While running, it connects to the Internet address unassigned.psychz.net on port 80 using the HTTP protocol.
Publisher:
BlueStack Systems, Inc.

Product:
BlueStacks

Description:
BlueStacks StartLauncher

Version:
0.9.31.4259

MD5:
ee8103311ccce8afe0711bb82114de7f

SHA-1:
0270a3d7db6ded12f9608cc79f4fb7d481c8587d

SHA-256:
7d9d2622361e065e84b42231c74d7e79760db1a364a59cf1b334b3e1d6253efc

Scanner detections:
15 / 68

Status:
Potentially unwanted

Analysis date:
11/2/2024 5:25:53 PM UTC

Scan engine           Detection                               Engine version
avast!                Win32:Clicker-N [Trj]                   2014.9-161209
AVG                   Clicker                                 2017.0.2535
Bkav FE               W32.BorihurtT.Trojan                    1.3.0.7400
Clam AntiVirus        Win.Trojan.Agent-476936                 0.98/21511
Dr.Web                Tool.Click.7                            9.0.1.0344
ESET NOD32            Win32/SiteHelp.A potentially unsafe     10.12997
Fortinet FortiGate    Riskware/SiteHelp                       12/9/2016
F-Prot                W32/Admoke.J.gen                        v6.4.7.1.166
IKARUS anti.virus     Trojan-Dropper.Agent                    t3scan.2.0.6.0
K7 AntiVirus          Trojan                                  13.213.18680
NANO AntiVirus        Riskware.Win32.Click.cuwdwc             1.0.14.6071
Qihoo 360 Security    HEUR/QVM05.1.Malware.Gen                1.0.0.1120
Total Defense         Win32/Clicker.FZ                        37.1.62.1
Vba32 AntiVirus       Trojan.EIC.1717                         3.12.26.4
ViRobot               Trojan.Win32.A.Clicker.1198592.B[h]     2014.3.20.0

File size:
1.8 MB (1,908,736 bytes)

Product version:
0.9.31.4259

Copyright:
Copyright 2011 BlueStack Systems, Inc. All Rights Reserved.

Original file name:
HD-StartLauncher.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

File PE Metadata
Compilation timestamp:
6/20/1992 5:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xFE958

Entry point:
55, 8B, EC, 83, C4, F0, 53, B8, A0, E3, 4F, 00, E8, 03, 7D, F0, FF, 8B, 1D, 58, 35, 50, 00, E8, 7C, 80, F0, FF, BA, 10, ED, 4F, 00, E8, 76, AD, F0, FF, 85, C0, 0F, 84, 38, 02, 00, 00, E8, E1, 42, F9, FF, 8B, 03, E8, 16, 93, F8, FF, 8B, 03, BA, 24, ED, 4F, 00, E8, 02, 8F, F8, FF, 8B, 0D, 8C, 32, 50, 00, 8B, 03, 8B, 15, 88, E9, 4C, 00, E8, 0F, 93, F8, FF, 8B, 0D, 0C, 33, 50, 00, 8B, 03, 8B, 15, D8, 9B, 4C, 00, E8, FC, 92, F8, FF, 8B, 0D, 74, 2E, 50, 00, 8B, 03, 8B, 15, 90, 92, 4C, 00, E8, E9, 92, F8, FF, 8B...

Entropy:
6.3709

Developed / compiled with:
Microsoft Visual C++

Code size:
1015.5 KB (1,039,872 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
RavTroy

Command:
"C:\windows\mui\debug\debug.exe" \start
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 201-119-74-198-dedicated.multacom.com  (198.74.119.201:80)

TCP (HTTP):
Connects to server-54-192-159-29.sin3.r.cloudfront.net  (54.192.159.29:80)

TCP (HTTP):
Connects to server-54-192-159-136.sin3.r.cloudfront.net  (54.192.159.136:80)

TCP (HTTP):
Connects to server-54-192-159-78.sin3.r.cloudfront.net  (54.192.159.78:80)

TCP (HTTP):
Connects to 176-113-74-198-dedicated.multacom.com  (198.74.113.176:80)

TCP (HTTP):
Connects to unassigned.psychz.net  (45.34.21.52:80)

Remove debug.exe - Powered by Reason Core Security