ExpressFiles.exe

ExpressFiles Application

http://www.express-files.com/

The application ExpressFiles.exe has been detected as a potentially unwanted program by 41 anti-malware scanners. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. The file has been seen being downloaded from mail20b.webmail.libero.it.
Publisher:
http://www.express-files.com/

Product:
ExpressFiles Application

Version:
2, 0, 0, 38

MD5:
0094df60653a6183ac40b620c3d244e8

SHA-1:
a68f31fdfd6c56ee8ca490374fbf92b9cfa3a40f

SHA-256:
2d8f44b993e35664f43ede5d027829baaaeaa0cceee1b97bf9579ab8c18e0520

Scanner detections:
41 / 68

Status:
Potentially unwanted

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
11/24/2024 7:26:43 PM UTC

Scan engine                     Detection                       Engine version
Lavasoft Ad-Aware               Win32.Ramnit.N                  872
Agnitum Outpost                 Win32.Nimnul.Gen.2              7.1.1
AhnLab V3 Security              Win32/Ramnit.J                  2014.06.17
Avira AntiVirus                 W32/Ramnit.C                    7.11.30.172
avast!                          Win32:Expressfiles-C [PUP]      2014.9-140418
AVG                             Win32/Zbot.G                    2015.0.3350
Baidu Antivirus                 Trojan.Win32.ExpressFiles       4.0.3.14418
Bitdefender                     Win32.Ramnit.N                  1.0.20.1290
Bkav FE                         W32.Tmgrtext.PE                 1.3.0.4959
Clam AntiVirus                  W32.Ramnit-1                    0.98/19086
Comodo Security                 Virus.Win32.Ramnit.K            18573
Dr.Web                          Win32.Rmnet.8                   9.0.1.0258
Emsisoft Anti-Malware           Win32.Ramnit.N                  8.14.09.15.12
ESET NOD32                      Win32/ExpressFiles (variant)    8.9689
Fortinet FortiGate              W32/Ramnit.C                    9/15/2014
F-Prot                          W32/Ramnit.E                    v6.4.6.5.141
F-Secure                        Win32.Ramnit.N                  11.2014-15-09_2
G Data                          Win32.Ramnit                    14.9.24
IKARUS anti.virus               Virus.Win32.Nimnul              t3scan.1.6.1.0
K7 AntiVirus                    Virus                           13.1712422
Kaspersky                       Virus.Win32.Nimnul              14.0.0.3247
Malwarebytes                    Virus.Ramnit                    v2014.09.15.12
McAfee                          W32/Ramnit.a                    5600.7006
Microsoft Security Essentials   Threat.Undefined                1.175.2440.0
MicroWorld eScan                Win32.Ramnit.N                  15.0.0.774
NANO AntiVirus                  Virus.Win32.Nimnul.bmnup        0.28.0.60253
Norman                          Ramnit.Q                        11.20140915
nProtect                        Virus/W32.SpyEye                14.06.16.01
Panda Antivirus                 W32/Nimnul.A                    14.09.15.12
Qihoo 360 Security              Virus.Win32.Ramnit.A            1.0.0.1015
Quick Heal                      W32.Ramnit.BA                   9.14.14.00
Reason Heuristics               PUP.httpwwwexpressfiles.M       14.4.18.4
Rising Antivirus                PE:Win32.Mgr.b!1594784          23.00.65.14913
Sophos                          W32/Ramnit-A                    4.98
Total Defense                   Win32/Ramnit.C                  37.0.11003
Trend Micro House Call          PE_RAMNIT.DEN                   7.2.258
Trend Micro                     PE_RAMNIT.DEN                   10.465.15
Vba32 AntiVirus                 Virus.Win32.Nimnul.b            3.12.26.0
VIPRE Antivirus                 ExpressFiles Installer          28318
ViRobot                         Win32.Nimnul.A                  2011.4.7.4223
Zillya! Antivirus               Virus.Nimnul.Win32.2            2.0.0.1828

File size:
961 KB (984,064 bytes)

Product version:
2,0,0,0

Copyright:
Copyright http://www.express-files.com/ (C) 2012

Original file name:
ExpressFiles.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\expressfiles\expressfiles.exe

File PE Metadata
Compilation timestamp:
4/15/2014 12:01:10 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:EeMBDBkoEK7UvaTxEedb5lxT9TxaDqTL6VbzsS2Ln2Nz2bF:EV1kIzTxEedb5lxxFaDqiVbzs0U

Entry address:
0x16881

Entry point:
E8, 70, 91, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1, EA, D1, D8, 0B, DB...

Entropy:
7.2168

Code size:
160 KB (163,840 bytes)

The file ExpressFiles.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-50-17-236-103.compute-1.amazonaws.com  (50.17.236.103:80)

TCP (HTTP):
Connects to server-54-192-203-62.fra50.r.cloudfront.net  (54.192.203.62:80)

TCP (HTTP):
Connects to ec2-54-235-184-192.compute-1.amazonaws.com  (54.235.184.192:80)

TCP (HTTP):
Connects to server-54-230-11-136.lhr3.r.cloudfront.net  (54.230.11.136:80)

TCP (HTTP):
Connects to mail.smile-files.com  (46.23.68.149:80)

TCP (HTTP):
Connects to vip0x016.map2.ssl.hwcdn.net  (209.197.3.22:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

TCP (HTTP):
Connects to 133.54.211.130.bc.googleusercontent.com  (130.211.54.133:80)

TCP (HTTP):
Connects to vip0x029.map2.ssl.hwcdn.net  (209.197.3.41:80)

TCP (HTTP):
Connects to server-54-230-11-193.lhr3.r.cloudfront.net  (54.230.11.193:80)

TCP (HTTP):
Connects to server-54-230-0-198.lhr5.r.cloudfront.net  (54.230.0.198:80)

TCP (HTTP):
Connects to server-54-192-203-168.fra50.r.cloudfront.net  (54.192.203.168:80)

TCP (HTTP):
Connects to 88.178.154.104.bc.googleusercontent.com  (104.154.178.88:80)

TCP (HTTP):
Connects to 199.195.196.180.static.midphase.com  (199.195.196.180:80)

TCP (HTTP):
Connects to server-54-230-11-97.lhr3.r.cloudfront.net  (54.230.11.97:80)

TCP (HTTP):
Connects to server-54-230-0-44.lhr5.r.cloudfront.net  (54.230.0.44:80)

TCP (HTTP):
Connects to server-54-192-3-160.lhr5.r.cloudfront.net  (54.192.3.160:80)

TCP (HTTP):
Connects to server-54-192-14-238.ams1.r.cloudfront.net  (54.192.14.238:80)

TCP (HTTP):
Connects to 198.87.155.104.bc.googleusercontent.com  (104.155.87.198:80)

TCP (HTTP):
Connects to server-54-230-5-118.dfw3.r.cloudfront.net  (54.230.5.118:80)

Remove ExpressFiles.exe - Powered by Reason Core Security