emule0.60.exe

ROMEO SOUTH SL

The application emule0.60.exe by ROMEO SOUTH SL has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address ns373675.ip-94-23-250.eu on port 80 using the HTTP protocol.
Publisher:
ROMEO SOUTH SL  (signed and verified)

MD5:
0eeea6dbfa0722c5146185b7833f97ba

SHA-1:
e9340ee0a8a8305f95ecdb4fedffbbf3690c475c

SHA-256:
449c3cde157d87d937187707d757c704f7c38abfa8b814d5a27b859c578aaa6b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 3:27:19 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Vitallia.ROMEOSOUTH (M)
16.2.6.10

File size:
6.9 MB (7,254,888 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\emule0.60\emule0.60.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
5/29/2014 3:47:26 PM

Valid to:
6/19/2015 7:09:57 PM

Subject:
CN=ROMEO SOUTH SL, O=ROMEO SOUTH SL, L=Madrid, S=Madrid, C=ES

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07BD0BED172350

File PE Metadata
Compilation timestamp:
12/11/2014 12:49:43 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
98304:6VNg0BpM9Y9iXYGKBRAJAebFjS0+yjK7gRTSgX6kXIyNzLaA7cQMnf5T:6fg0BjMXYKAASHAgQMRT

Entry address:
0x384F90

Entry point:
E8, 83, 07, 00, 00, E9, 36, FD, FF, FF, 8B, FF, 55, 8B, EC, FF, 75, 08, E8, B5, F8, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 5D, E9, FB, FA, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 55, 33, FF, 33, ED, 8B, 44, 24, 14, 0B, C0, 7D, 15, 47, 45, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 28, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1...
 
[+]

Code size:
4 MB (4,182,016 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-154-208-40.eu-west-1.compute.amazonaws.com  (54.154.208.40:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-mxp1.fbcdn.net  (31.13.86.4:443)

TCP:
Connects to static-aacc72.silicanetworks.net.ar  (186.0.207.72:56803)

TCP:
Connects to node45.hvosting.ua  (91.200.42.46:1176)

TCP:
Connects to 74-196-39-46.usuarios.innovasur.com  (46.39.196.74:61172)

TCP:
Connects to 191-125-190-139.bam.movistar.cl  (191.125.190.139:15295)

TCP:
Connects to 181-23-128-116.speedy.com.ar  (181.23.128.116:34621)

TCP:
Connects to 101.29.148.190.static.intelnet.net.gt  (190.148.29.101:56535)

TCP:
Connects to pc-56-167-215-201.cm.vtr.net  (201.215.167.56:17115)

TCP:
Connects to cpe-181-47-166-86.telecentro-reversos.com.ar  (181.47.166.86:13646)

TCP:
Connects to cliente-106934.iberbanda.es  (87.111.226.150:10330)

TCP:
Connects to 62.82.136.114.static.user.riosat.com  (62.82.136.114:58763)

TCP:
Connects to 60-240-239-143.static.tpgi.com.au  (60.240.239.143:1621)

TCP:
Connects to 151-182-178-101.red-acceso.airtel.net  (151.182.178.101:20749)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-mad1.fbcdn.net  (31.13.83.4:443)

TCP:
Connects to ppp079167247182.access.hol.gr  (79.167.247.182:48970)

TCP (HTTP):
Connects to ns373675.ip-94-23-250.eu  (94.23.250.171:80)

TCP (HTTP):
Connects to ns348787.ip-94-23-32.eu  (94.23.32.125:80)

TCP:
Connects to IP-64-101-247.HTS.NET.ID  (45.64.101.247:19696)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-mxp1.facebook.com  (31.13.86.36:443)

Remove emule0.60.exe - Powered by Reason Core Security