emule0.60.exe

ROMEO SOUTH SL

The application emule0.60.exe by ROMEO SOUTH SL has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Nullsoft Install System installer. The file has been seen being downloaded from www.emulesite.info. While running, it connects to the Internet address ns348787.ip-94-23-32.eu on port 80 using the HTTP protocol.
Publisher:
ROMEO SOUTH SL  (signed and verified)

MD5:
9e196ca7004067456e5ceacb1f5fbdd1

SHA-1:
98a7a8ff2ce1c4b6cb49baacab0762810f4ef253

SHA-256:
875b8a30458fa7b313caee4f3fa8995bd81b7ac75c17c2c6847b62c7ec614623

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 4:33:36 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Vitallia.ROMEOSOUTH.Installer (M)

Engine version:
16.2.6.10

File size:
13.3 MB (13,909,536 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\downloads\emule0.60.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
5/29/2014 9:47:26 AM

Valid to:
6/19/2015 1:09:57 PM

Subject:
CN=ROMEO SOUTH SL, O=ROMEO SOUTH SL, L=Madrid, S=Madrid, C=ES

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07BD0BED172350

File PE Metadata
Compilation timestamp:
1/5/2012 1:21:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
393216:2vTfH5/G9iKDnUsQ2l85CKIai/M4ZUyC8b47DMjzcDo:sRG9TDnUzolxkqUyDqML

Entry address:
0x4109

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 30, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, 8C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7...

Entropy:
7.9982  (probably packed)

Code size:
34 KB (34,816 bytes)

The file emule0.60.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ns348787.ip-94-23-32.eu  (94.23.32.125:80)

Powered by Reason Core Security