Download
Community
knowledgeBase
» downloads.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (1)
Network (2)
downloads.exe
The executable downloads.exe has been detected as malware by 39 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Tok-Cirrhatus-1398’. The file has been seen being downloaded from doc-0o-a0-docs.googleusercontent.com. While running, it connects to the Internet address unknown.prolexic.com on port 80 using the HTTP protocol.
File name:
downloads.exe
MD5:
e65b9179a1a18ca163baedc2be3f158a
SHA-1:
f9714fb9bf72e71d0f5679c6b573aebe059f450d
SHA-256:
90ca9195fe4ccd981e3a916c0422802c84b66b43bf81e3d9c86cfb4045d7bee7
Analysis
Scanner detections:
39 / 68
Status:
Malware
Analysis date:
12/25/2024 1:14:23 PM UTC
(today)
Scan engine
Detection
Engine version
Lavasoft Ad-Aware
Win32.Worm.Brontok.N
845
Agnitum Outpost
I-Worm.Brontok.JH
7.1.1
AhnLab V3 Security
Win32/Brontok.worm.107008.B
2014.10.10
Avira AntiVirus
Worm/Brontok.Y
7.11.177.102
avast!
Win32:Brontok-CE [Wrm]
2014.9-141013
AVG
Worm/Brontok
2015.0.3323
Baidu Antivirus
Trojan.Win32.Genome
4.0.3.141013
Bitdefender
Win32.Worm.Brontok.N
1.0.20.1430
Bkav FE
W32.BrontokQ
1.3.0.4959
Clam AntiVirus
Worm.Brontok-10
0.98/21411
Comodo Security
Worm.Win32.Brontok.CO
19747
Dr.Web
BackDoor.Generic.3162
9.0.1.05190
Emsisoft Anti-Malware
Win32.Worm.Brontok.N
8.14.10.13.02
ESET NOD32
Win32/Brontok.CO worm
8.0.319.0
F-Prot
W32/Backdoor.IDJ
4.6.5.141
F-Secure
Win32.Worm.Brontok.N
11.2014-13-10_2
G Data
Win32.Worm.Brontok
14.10.24
IKARUS anti.virus
Email-Worm.Win32.Brontok
t3scan.1.7.8.0
K7 AntiVirus
Trojan
13.183.13630
Kaspersky
Trojan.Win32.Genome
14.0.0.3110
Malwarebytes
Trojan.Dropper
v2014.10.13.02
McAfee
W32/Rontokbro.gen@MM
5600.6979
Microsoft Security Essentials
Worm:Win32/Brontok.Y@mm
1.11005
MicroWorld eScan
Win32.Worm.Brontok.N
15.0.0.858
NANO AntiVirus
Trojan.Win32.Alman.btuxjj
0.28.2.62483
Norman
Rontokbro
11.20141013
nProtect
Worm/W32.Brontok.45508
14.10.08.01
Qihoo 360 Security
Trojan.Generic
1.0.0.1015
Quick Heal
W32.Brontok.Q
10.14.14.00
Rising Antivirus
PE:Trojan.Win32.Generic.14341A8A!338958986
23.00.65.141011
Sophos
W32/Brontok-Gen
4.98
SUPERAntiSpyware
Trojan.Agent/Gen-SV
10303
Total Defense
Win32/Robknot.AN
37.0.11217
Trend Micro House Call
WORM_BRONTOK.BA
7.2.286
Trend Micro
WORM_BRONTOK.BA
10.465.13
Vba32 AntiVirus
Email-Worm.Brontok
3.12.26.3
VIPRE Antivirus
Email-Worm.Win32.Brontok.q
33768
ViRobot
I-Worm.Win32.Brontok.45508
2011.4.7.4223
Zillya! Antivirus
Worm.Brontok.Win32.294
2.0.0.1948
File Details
File size:
44.4 KB (45,508 bytes)
File type:
Executable application (Win32 EXE)
Common path:
C:\users\{user}\downloads\downloads.exe
File PE Metadata
OS version:
4.0
OS bitness:
Win32
Subsystem:
Windows GUI
Linker version:
5.12
CTPH (ssdeep):
768:9TE/NpcvMl0XAyhv+ahTVa02QCKqcvkSuqTKPNxEWdv35BMC9:B83cVw0/hTDUK9swTKPNxEWZ5x
Entry address:
0x32FAB
Entry point:
E9, A4, D1, FC, FF, 0C, 80, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 82, 2F, 03, 00, 0C, 80, 02, 00...
[+]
Entropy:
7.3420
Packer / compiler:
RLPack FullEdition V1.1X
Code size:
512 Bytes (512 bytes)
Behaviors
Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name:
Tok-Cirrhatus-1398
Command:
"C:\users\{user}\appdata\local\br3819on.exe"
Downloads
The file downloads.exe has been seen being distributed by the following URL.
https://doc-0o-a0-docs.googleusercontent.com/docs/securesc/h243hqeb6obn61qbk84n1guah41lcr68/b456nvqp213ovlbf4orpbmekhf5u2trd/1474192800000/.../08251656453984250367/0B24tLIF_qnikZW5CWnlGUGIwUEE?e=download
Network Communications
The executing file has been seen to make the following network communications in live environments.
TCP (HTTP):
Connects to
unknown.prolexic.com
 (72.52.4.121:80)
TCP (HTTP SSL):
Connects to
ats.sbs.vip.dc11.lumsb.com
 (8.12.146.61:443)
Remove downloads.exe
- Powered by Reason Core Security
X