Downloader.exe

V9 Downloader

The executable Downloader.exe has been detected as malware by 2 anti-virus scanners. While running, it connects to the Internet address rackfish-vcloud-director01.ad.rackfish.net on port 80 using the HTTP protocol.
Publisher:
V9 Downloader

Product:
V9 Downloader

Version:
3.6.0.0

MD5:
5302295e481a061080947d698a011916

SHA-1:
07361cd974bfa703e533ec46af1a134cd7e0f7d5

SHA-256:
fb6f53dbc75e29f7508507319656d1e4bfb343ea07b3cab70fd02103a1c01173

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/25/2024 12:23:38 PM UTC

Scan engine | Detection | Engine version
Reason Heuristics | PUP | 16.2.16.17
Trend Micro House Call | HV_COBRA_BL13013E.TOMC | 7.2.46

File size:
2.2 MB (2,299,392 bytes)

Product version:
3.6.0.0

Copyright:
www.v9.com

Original file name:
Downloader.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\downloader.exe

File PE Metadata
Compilation timestamp:
6/19/2012 1:22:40 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:u0E5ut+XkkY1oIycb+3uXHsL0EiDvHw4aoUfkjF32EyzTu3vkh2DJofiRf:60tbkPIycb+gH80ZDvHw4aoUfkjazTw7

Entry address:
0x1379BB

Entry point:
E8, 78, AD, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, E0, EF, 5B, 00, 75, 02, F3, C3, E9, FF, AD, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 61, 83, 7D, 08, 00, 75, 13, E8, EA, 3F, 00, 00, 6A, 16, 5E, 89, 30, E8, 69, B0, 00, 00, 8B, C6, EB, 48, 83, 7D, 10, 00, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, 7B, 21, 00, 00, 83, C4, 0C, EB, C7, FF, 75, 0C, 6A, 00, FF, 75, 08, E8, 79, 30, 00, 00, 83, C4, 0C, 83, 7D, 10, 00, 74, BB, 39, 75, 0C, 73, 0E, E8, A0, 3F, 00, 00, 6A...
 

Code size:
1.4 MB (1,469,952 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to rackfish-vcloud-director01.ad.rackfish.net  (194.169.225.100:80)

TCP (HTTP):
Connects to a92-123-225-49.deploy.akamaitechnologies.com  (92.123.225.49:80)

TCP (HTTP):
Connects to a7.c8.24ae.ip4.static.sl-reverse.com  (174.36.200.167:80)
