gpupd572b1f870.exe

WeatherMan

The application gpupd572b1f870.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Interstat’. The file has been seen being downloaded from dl.interstat.eu. While running, it connects to the Internet address static.25.22.243.136.clients.your-server.de on port 80 using the HTTP protocol.
Publisher:
WeatherMan

Product:
WeatherMan

Version:
1.0.3.40

MD5:
7526ce99684d5aa61f5f0a9b0f7f6697

SHA-1:
acfbc5fc7c3936744c51a6a930e28f845d0b66b8

SHA-256:
0a482e3386aeb8c43a59ec75241ef7e3629e1a70a61ea2c0860c4ecb0be07512

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 3:36:54 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Techsnab (M)

Engine version:
16.10.10.10

File size:
4.3 MB (4,552,192 bytes)

Product version:
1.0.3.40

Copyright:
Copyright (C) 2016

Original file name:
WeatherMan.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\gpupd572b1f870.exe

File PE Metadata
Compilation timestamp:
5/5/2016 12:39:08 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
98304:PadCI1KM+11mq80h2VCPD9vG1mq80hPR:ydCI1KM7q8rCPTq82R

Entry address:
0x9A677

Entry point:
E8, 35, 3D, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 08, 42, 4F, 00, E8, E3, 88, 00, 00, E8, 47, 55, 00, 00, 0F, B7, F0, 6A, 02, E8, C9, 7B, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 5A, 8A, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
6.5895

Code size:
832.5 KB (852,480 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Interstat

Command:
C:\users\{user}\appdata\roaming\interstat\interstat.exe

The file gpupd572b1f870.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to static.25.22.243.136.clients.your-server.de  (136.243.22.25:80)

Remove gpupd572b1f870.exe - Powered by Reason Core Security