f_000264

Carambis Installer

ROSTPAY

The file f_000264 by ROSTPAY has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The file has been seen downloaded from rudn3.carambis.com and multiple other hosts. While running, it connects to the Internet address server6.ext.freeteam.org on port 80 using the HTTP protocol.
Publisher:
Carambis (ROSTPAY LTD.)  (signed by ROSTPAY)

Product:
Carambis Installer

Version:
1.0.0.2

MD5:
0a174919d83b8783afc841b257c97c78

SHA-1:
8802c0b941d3230ffbc2aabb816621bbffca8411

SHA-256:
98c3df3615b4b8f68a5b345a0c1159427411db39131f58fbf36eb4c530300af9

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
12/26/2024 7:20:12 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.MediaFrog.ROSTPAY.Installer (M)

Engine version:
16.4.12.7

File size:
920 KB (942,104 bytes)

Product version:
1.0.0.2

Copyright:
Carambis (ROSTPAY LTD.) All rights reserved. 2014

Original file name:
Carambis Installer

Common path:
C:\users\{user}\appdata\local\yandex\yandexbrowser\user data\default\cache\f_000264

Digital Signature
Signed by:

Authority:
Starfield Technologies, Inc.

Valid from:
12/17/2014 5:05:04 PM

Valid to:
12/16/2016 9:35:09 PM

Subject:
CN=ROSTPAY, O=ROSTPAY, L=Rostov-on-Don, C=RU

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
27ED6D593F8321

File PE Metadata
Compilation timestamp:
4/11/2016 5:52:15 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:b2CaARACoWClSSjoItq8GKqxH4pygifpsPsYXyabXej:b2+RNolcUtq8PQUyHoCKXW

Entry address:
0x2BD680

Entry point:
60, BE, 00, D0, 5D, 00, 8D, BE, 00, 40, E2, FF, C7, 87, 34, 61, 27, 00, 43, 5A, 68, 9C, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 0B, B8, 2B, 00, 57, 83, C3, 04, 53, 68, 71, 06, 0E, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9...

Code size:
904 KB (925,696 bytes)

The file f_000264 has been seen distributed from the following 3 URLs.

http://rudn3.carambis.com/.../InstallerDU-2.4.2.9633_kucha.exe

While executing, the file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to server6.ext.freeteam.org  (46.46.160.233:80)

Remove f_000264 - Powered by Reason Core Security