GuardMailRu.exe

GuardMailRu Module

LLC Mail.Ru

The application GuardMailRu.exe by LLC Mail.Ru has been detected as a potentially unwanted program by 13 anti-malware scanners. While running, it connects to the Internet address vrrp-hoe.p.mail.ru on port 80 using the HTTP protocol.
Publisher:
LLC Mail.Ru  (signed and verified)

Product:
GuardMailRu Module

Version:
1.13.7.122

MD5:
77b68fcf1bfd815d40848a7aaea16a1b

SHA-1:
69af7e6ab023fdb78d4d41bffdc8ab9792f6cd50

SHA-256:
f4b02ffe06bbc32356ef2105d5f3d2d4630f4ba059934c99474e84f0d7a1ef59

Scanner detections:
13 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 1:55:50 PM UTC

Scan engine             Detection                        Engine version
avast!                  Win32:BrowserTakeover-A [PUP]    2014.9-150721
AVG                     MalSign.Generic                  2016.0.3041
Baidu Antivirus         Trojan.Win32.RuMail              4.0.3.15721
Bkav FE                 W32.HfsAdware                    1.3.0.6979
Comodo Security         Application.Win32.RuMail.pwhe    17604
Dr.Web                  Adware.Downware.533              9.0.1.0202
McAfee                  Artemis!E3169A1E78E0             5600.6697
Panda Antivirus         Generic Suspicious               15.07.21.07
Reason Heuristics       Win32.Generic.MailRu.Meta        15.7.21.19
Rising Antivirus        PE:Trojan.RuMail!1.6574          23.00.65.15719
Sophos                  RsMall                           4.96
Trend Micro House Call  TROJ_GEN.F47V1102                7.2.202
XVirus List             Win.Detected                     2.3.31

File size:
5 MB (5,249,768 bytes)

Product version:
1.13.7.122

Copyright:
Copyright 2010

Original file name:
GuardMailRu.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\mail.ru\guard\guardmailru.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
8/19/2014 4:00:00 AM

Valid to:
8/13/2016 3:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
3C484F9655CF5CDDA51678E773A55BF3

File PE Metadata
Compilation timestamp:
7/20/2015 4:13:21 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
98304:X48LRt6LnqHJYBNxR3ONcj9KXMjvIFIEFejGiwHs3rpTCiGzWp11K:IYt61bTeNcj9Kip+t+c

Entry address:
0x276EE9

Code size:
3.7 MB (3,931,136 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to vrrp-hoe.p.mail.ru  (217.69.134.55:80)

TCP (HTTP):
Connects to vrrp-kirka.p.mail.ru  (217.69.134.56:80)

Remove GuardMailRu.exe - Powered by Reason Core Security