emangeloh.exe

The executable emangeloh.exe has been detected as malware by 37 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘T57Z384’. Infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receives URLs of additional files to download. While running, it connects to the Internet address control3.numplus.com on port 80 using the HTTP protocol.
MD5:
313eec1fd166ee7547412141165cf112

SHA-1:
e14e3939fb4d992c9d1924ca07ce550052e47cbd

SHA-256:
aa0081bf269e04e51ccfb6f7969fe33a46989a0d612a383fdcd656278040e02d

Scanner detections:
37 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
11/2/2024 5:22:36 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Sality.3
6209648

Agnitum Outpost
Win32.Sality.AP.Gen
7.1.1

AhnLab V3 Security
HEUR/Fakon.mwf
2015.04.02

avast!
Malware-gen
150319-0

AVG
Win32/Sality
2014.0.4311

Baidu Antivirus
Virus.Win32.Sality.$Emu
4.0.3.1541

Bitdefender
Win32.Sality.3
1.0.20.455

Bkav FE
W32.Sality.PE
1.3.0.6379

Clam AntiVirus
Worm.VB-89
0.98/21511

Comodo Security
Virus.Win32.Sality.gen
21613

Dr.Web
Win32.Sector.30
9.0.1.05190

Emsisoft Anti-Malware
Win32.Sality
9.0.0.4799

ESET NOD32
Win32/Sality.NBA virus
7.0.302.0

F-Prot
W32/Sality.gen2
4.6.5.141

F-Secure
Win32.Sality.3
5.13.68

G Data
Win32.Sality
15.4.25

IKARUS anti.virus
Worm.Win32.VB
t3scan.1.8.9.0

K7 AntiVirus
EmailWorm
13.202.15452

Kaspersky
Virus.Win32.Sality
15.0.0.543

Malwarebytes
Worm.AutoRun
v2015.04.01.01

McAfee
Virus.W32/MoonLight.worm
16.8.708.2

Microsoft Security Essentials
Threat.Undefined
1.195.1215.0

MicroWorld eScan
Win32.Sality.3
16.0.0.273

NANO AntiVirus
Virus.Win32.Sality.yusp
0.30.8.659

Norman
Win32.Sality.3
03.12.2014 13:20:04

nProtect
Virus/W32.Sality.D
15.04.01.01

Panda Antivirus
W32/Sality.AA
15.04.01.01

Quick Heal
W32.Sality.U
4.15.14.00

Rising Antivirus
PE:Worm.VB.fa!1074044955
23.00.65.15330

Sophos
W32/Bobandy-D
4.98

Total Defense
Win32/Sality.AA
37.0.11524

Trend Micro House Call
PE_SALITY.RL
7.2.91

Trend Micro
PE_SALITY.RL
10.465.01

Vba32 AntiVirus
Virus.Win32.Sality.bakb
3.12.26.3

VIPRE Antivirus
Threat.4721115
38950

ViRobot
Win32.Sality.Gen.A[h]
2014.3.20.0

Zillya! Antivirus
Worm.VB.Win32.2
2.0.0.2123

File size:
2.1 MB (2,162,688 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\m70273\emangeloh.exe

File PE Metadata
Compilation timestamp:
3/8/2004 2:57:36 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:2OchKmY+7OchKmY+MKmY+MKmY+MKmY+MKmY+MKmY+OOchKmY+oKmY+oKm+:2OUK8OUKxKxKxKxKxKZOUKpKpKN

Entry address:
0x118C

Entry point:
60, 89, F9, F6, C5, CA, F3, F7, C7, 5A, E5, 90, 2B, C6, C4, 33, B2, C0, C7, C2, 80, 41, E0, AC, 0F, AF, C2, F2, C7, C1, 37, 35, 62, 41, 8D, 05, 87, 34, 92, 99, 0F, AF, C3, E8, 8A, 00, 00, 00, 29, FF, 8B, DD, 84, F9, 88, FE, 88, E1, 68, 3A, DF, 00, 00, 89, CD, 58, 8D, 0D, 9E, 8D, 2B, 07, 84, E6, 35, E4, 44, 00, 00, 8D, 05, C5, 08, 17, 6D, F3, 89, DF, 68, AD, 08, 00, 00, 2D, A6, 66, 4C, BC, 4F, C6, C4, B4, 5E, 86, FE, 81, F6, CA, 0D, 00, 00, 4A, FE, C7, 81, F9, 43, 74, 00, 00, 77, 02, 88, FE, 69, CB, DB, C1...
 
[+]

Code size:
72 KB (73,728 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
T57Z384

Command:
C:\windows\sa-76400.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s11.linuxpl.com  (88.198.8.17:80)

TCP (HTTP):
Connects to s01.snkhole.mal-ware.susp-nded.domain  (166.78.144.80:80)

TCP (HTTP):
Connects to redirect-v225.secureserver.net  (184.168.47.225:80)

TCP (HTTP):
Connects to nat.th.itouchnet.net  (203.107.129.145:80)

TCP (HTTP):
Connects to ec2-54-174-31-254.compute-1.amazonaws.com  (54.174.31.254:80)

TCP (HTTP):
Connects to control3.numplus.com  (203.150.231.210:80)

TCP (HTTP):
Connects to cluster005.ovh.net  (213.186.33.16:80)

TCP (HTTP):
Connects to 216-185-153-106.aus.us.siteprotect.com  (216.185.153.106:80)

TCP (HTTP):
Connects to 147.62.236.23.bc.googleusercontent.com  (23.236.62.147:80)

Remove emangeloh.exe - Powered by Reason Core Security