httpfilter.exe

The application httpfilter.exe has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. While running, it connects to the Internet address ip58.155.odnoklassniki.ru on port 443.
MD5:
380f6cbdd1b2fb3eb6246c5d7382cef8

SHA-1:
f5d79784c5f886aa7a420d47c2dc7546c4c4138c

SHA-256:
a5b84cd71346fe00bb9ebd1397b05691c5d3c1b6b9f45e9776f26ff2616aa24a

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 1:51:23 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/TrojanDropper.Addrop.X trojan
6.3.12010.0

Kaspersky
not-a-virus:AdWare.NSIS.MediaMagnet
15.0.2.529

Microsoft Security Essentials
Trojan:Win32/Skeeyah.A!bit
1.233.3284.0

Reason Heuristics
Adware.Dropper.ET (M)
16.9.9.14

File size:
615.9 KB (630,641 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\host service\httpfilter.exe

File PE Metadata
Compilation timestamp:
12/27/2015 6:38:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:X9Qha9PvQNDiecUGZwef3QFBXTP7gvk+FCWoCASYoB3u:X9QKciUGZffABL7F+lojShVu

Entry address:
0x324F

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 57, 33, DB, 68, 01, 80, 00, 00, 89, 5C, 24, 1C, C7, 44, 24, 14, 30, 91, 40, 00, 33, F6, C6, 44, 24, 18, 20, FF, 15, B8, 70, 40, 00, FF, 15, B4, 70, 40, 00, 66, 3D, 06, 00, 74, 11, 53, E8, FC, 2D, 00, 00, 3B, C3, 74, 07, 68, 00, 0C, 00, 00, FF, D0, 68, E0, 91, 40, 00, E8, 7D, 2D, 00, 00, 68, D8, 91, 40, 00, E8, 73, 2D, 00, 00, 68, CC, 91, 40, 00, E8, 69, 2D, 00, 00, 6A, 0D, E8, CC, 2D, 00, 00, 6A, 0B, E8, C5, 2D, 00, 00, A3, 84, 3F, 42, 00, FF, 15, 34, 70, 40, 00, 53, FF...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.9.138.9.176.clients.your-server.de  (176.9.138.9:80)

TCP (HTTP):
Connects to static.104.253.9.5.clients.your-server.de  (5.9.253.104:80)

TCP (HTTP):
Connects to digital.enconme.com  (200.7.96.93:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-fra3.fbcdn.net  (31.13.93.7:443)

TCP (HTTP SSL):
Connects to api.browser.yandex.ru  (213.180.204.82:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-cdg2.facebook.com  (179.60.192.36:443)

TCP (HTTP SSL):
Connects to yandex.ru  (77.88.55.66:443)

TCP (HTTP SSL):
Connects to bazafailov.ru  (82.146.39.160:443)

TCP (HTTP SSL):
Connects to storage.ape.yandex.net  (213.180.193.55:443)

TCP (HTTP SSL):
Connects to ip5.23.odnoklassniki.ru  (5.61.23.5:443)

TCP (HTTP):
Connects to ec2-52-10-182-4.us-west-2.compute.amazonaws.com  (52.10.182.4:80)

TCP (HTTP SSL):
Connects to e.mail.ru  (217.69.139.215:443)

TCP (HTTP SSL):
Connects to cache.google.com  (178.45.249.205:443)

TCP (HTTP SSL):
Connects to 230.28.211.130.bc.googleusercontent.com  (130.211.28.230:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-cdg2.fbcdn.net  (179.60.192.7:443)

TCP (HTTP SSL):
Connects to xiva-daria.mail.yandex.net  (213.180.204.179:443)

TCP (HTTP SSL):
Connects to www.sft-pre.com  (46.28.209.62:443)

TCP (HTTP SSL):
Connects to ucc-webcon.softonic.com  (46.28.209.9:443)

TCP (HTTP SSL):
Connects to tp00-hk2.everesttech.net  (66.117.25.36:443)

TCP (HTTP):
Connects to static.131.211.4.46.clients.your-server.de  (46.4.211.131:80)

Remove httpfilter.exe - Powered by Reason Core Security