emule0.exe

ROMEO SOUTH SL

The application emule0.exe by ROMEO SOUTH SL has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. The file has been seen being downloaded from www.capitalcleanupdate.com and multiple other hosts.
Publisher:
ROMEO SOUTH SL  (signed and verified)

MD5:
f913c0bc225c24f60da729f7f73b302f

SHA-1:
d1e7b50e23ad398a72e91da5290838758bef9064

SHA-256:
10ba42a286bab344a319779b087afc403ee7b81bfb3c2a42360eee1f485116ca

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 1:07:42 PM UTC  (today)

Scan engine
Detection
Engine version

Qihoo 360 Security
HEUR/QVM31.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Vitallia.ROMEOSOUTH.Installer (M)
16.2.6.10

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

File size:
24 MB (25,170,312 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\downloads\emule0.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
6/16/2015 10:41:38 AM

Valid to:
6/19/2016 7:09:57 PM

Subject:
CN=ROMEO SOUTH SL, O=ROMEO SOUTH SL, L=Madrid, S=Madrid, C=ES

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00E9FE7942126D0E38

File PE Metadata
Compilation timestamp:
1/5/2012 7:21:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
786432:cI7iqckiAnUkEL4bEer7LXCQolxkqUyDqqS:cIOqiAUkEL4b5r7Lyr+wbS

Entry address:
0x4109

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 30, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, 8C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7...
 
[+]

Code size:
34 KB (34,816 bytes)

The file emule0.exe has been seen being distributed by the following 13 URLs.

http://www.capitalcleanupdate.com/c?x=VBxrI7TS87vR16F0g7ygSusIjitqzSf7elnlRacDn00=&c=o3R5psChPm1xijGuLtngf8YTnt4MZlJKirnFWOw0F8okMzWlh q b3ftNQztpkPuvYwge4Eg2pdYo7HgIqk4pELCnXZz47Imdos1kMAT1pD9IenzNRPMq8EBpPoLmwY jhub/zjS4IDAJWX/LxwTVi8/wswkFCxArDV2LKH9ydM=&downloadAs=eMule0.60v2.exe&fallback_url=http://.../emule0.60v2.exe

http://www.capitalcleanupdate.com/c?x=SMN13JyZTxWVpbURhs/YOyxjaBx5GBA2vubOxHrTd2c=&c=F1n/z9K0X02oSuXFYKsR7UiQyOT9nFr453fNQW/aOYnwkYxR6MtXeJtP8ciPRYLajmPmj6p7yQQQHD5UMdob2nsHvFomKINeOBKXSOVNUHdSbNXTiG1R2VwIzkv8xqXpEmRFneNrCt1C4qmYrRtCJO5/g8v5m3kYZfe0roZl2wQ=&downloadAs=eMule0.60v2.exe&fallback_url=http://.../emule0.60v2.exe

http://www.capitalcleanupdate.com/c?x=fhn0pfdLPnbmPBakdj2E5NvPelynyt Vlsj8vhfEBqM=&c=XXzPYbmjReJWwdMFtIZwD s3p1FSmiz3FleMHlpt5Y1SdRp96MZ6Bd7jmjkDZOWqnDuyrRQrJQk1Ww5cOnCM5rlh8CItIGb ceDEF/7EGuP2fM8ET9NbPHfS5zDUlhjWRCOnvRSI1wdP2UPX3NQwC3LLdqT1o7JanisVmoysJJo=&downloadAs=eMule0.60v2.exe&fallback_url=http://.../emule0.60v2.exe

http://www.capitalcleanupdate.com/c?x=UXSkTwEuyiLQaI/g9G5mJQd5Tct8IsRvl3iVErPLLv4=&c=pEzkrMRQJmllXLWzmnC58FA/N3jQe2jTRqDRBZNhE5TXBeuI2mUJWDCoJyJYgMAyYH/4JAHCGM0uozG TQA7d3yiXmAaxWDAxrv4ECoakuKles4oFewvSntqBlZmgfU2jGeuQ50U6EUYLCYigxhIV30Gmut/ED9r/MKPeVDicBc=&downloadAs=eMule0.60v2.exe&fallback_url=http://.../emule0.60v2.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-214-247-42.eu-west-1.compute.amazonaws.com  (52.214.247.42:80)

TCP (HTTP):
Connects to ec2-52-49-170-39.eu-west-1.compute.amazonaws.com  (52.49.170.39:80)

Remove emule0.exe - Powered by Reason Core Security