ic-0.66677b7a419b34.exe

Ding Ruan

The application ic-0.66677b7a419b34.exe by Ding Ruan has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address server-52-85-83-7.lax1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Ding Ruan  (signed and verified)

MD5:
1dfe3d2f200e38dd386b6ba027ba5e38

SHA-1:
0b862fdeb34700ed155c567836c56a0eecc60528

SHA-256:
1fb6442a1f427bcbcdb2b6e51715b29137426c4a9f1b1ce7d4cc2d4969e398ee

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 11:56:56 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ELEX (M)
17.2.13.7

File size:
392.2 KB (401,632 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ic-0.66677b7a419b34.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/24/2017 7:00:00 AM

Valid to:
4/14/2017 6:59:59 AM

Subject:
CN=Ding Ruan, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
026BAC258E12D9F49DFF90E11ADB2D06

File PE Metadata
Compilation timestamp:
2/9/2017 4:28:00 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x6D84

Entry point:
E8, 57, FE, FF, FF, E9, 1A, 3A, 00, 00, 6A, 0C, 68, D0, F2, 45, 00, E8, A6, 42, 00, 00, 6A, 0E, E8, D1, 29, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 46, 04, 85, C0, 74, 30, 8B, 0D, 90, 1D, 46, 00, BA, 8C, 1D, 46, 00, 89, 4D, E4, 85, C9, 74, 11, 39, 01, 75, 2C, 8B, 41, 04, 89, 42, 04, 51, E8, 92, 22, 00, 00, 59, FF, 76, 04, E8, 89, 22, 00, 00, 59, 83, 66, 04, 00, C7, 45, FC, FE, FF, FF, FF, E8, 0A, 00, 00, 00, E8, 94, 42, 00, 00, C3, 8B, D1, EB, C5, 6A, 0E, E8, F9, E0, FF, FF, 59, C3, 55, 8B, EC, 83, 7D...
 
[+]

Entropy:
7.8371  (probably packed)

Code size:
352.5 KB (360,960 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-83-222.lax1.r.cloudfront.net  (52.85.83.222:80)

TCP (HTTP):
Connects to server-52-85-83-195.lax1.r.cloudfront.net  (52.85.83.195:80)

TCP (HTTP):
Connects to server-54-230-141-113.sfo5.r.cloudfront.net  (54.230.141.113:80)

TCP (HTTP):
Connects to server-52-85-83-19.lax1.r.cloudfront.net  (52.85.83.19:80)

TCP (HTTP):
Connects to server-54-230-216-34.mrs50.r.cloudfront.net  (54.230.216.34:80)

TCP (HTTP):
Connects to server-54-192-29-198.dub2.r.cloudfront.net  (54.192.29.198:80)

TCP (HTTP):
Connects to server-52-85-83-33.lax1.r.cloudfront.net  (52.85.83.33:80)

TCP (HTTP):
Connects to server-52-85-83-26.lax1.r.cloudfront.net  (52.85.83.26:80)

TCP (HTTP):
Connects to server-52-85-77-86.lax3.r.cloudfront.net  (52.85.77.86:80)

TCP (HTTP):
Connects to server-52-85-77-237.lax3.r.cloudfront.net  (52.85.77.237:80)

TCP (HTTP):
Connects to server-54-230-216-99.mrs50.r.cloudfront.net  (54.230.216.99:80)

TCP (HTTP):
Connects to server-54-230-216-236.mrs50.r.cloudfront.net  (54.230.216.236:80)

TCP (HTTP):
Connects to server-54-230-11-112.lhr3.r.cloudfront.net  (54.230.11.112:80)

TCP (HTTP):
Connects to server-54-192-29-147.dub2.r.cloudfront.net  (54.192.29.147:80)

TCP (HTTP):
Connects to server-52-85-83-7.lax1.r.cloudfront.net  (52.85.83.7:80)

TCP (HTTP):
Connects to server-52-85-83-191.lax1.r.cloudfront.net  (52.85.83.191:80)

TCP (HTTP):
Connects to server-52-85-83-134.lax1.r.cloudfront.net  (52.85.83.134:80)

TCP (HTTP):
Connects to server-52-85-83-110.lax1.r.cloudfront.net  (52.85.83.110:80)

TCP (HTTP):
Connects to server-52-85-77-110.lax3.r.cloudfront.net  (52.85.77.110:80)

TCP (HTTP):
Connects to server-54-230-216-110.mrs50.r.cloudfront.net  (54.230.216.110:80)

Remove ic-0.66677b7a419b34.exe - Powered by Reason Core Security