ic-0.89ed50d6ddd348.exe

Yuanyuan Mei

The application ic-0.89ed50d6ddd348.exe by Yuanyuan Mei has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address server-54-230-216-126.mrs50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Yuanyuan Mei  (signed and verified)

MD5:
5392c6224d7847dd06d951c15b8f18db

SHA-1:
bb16ba2e14a4a3a06c266255820003a2710edc4c

SHA-256:
ffc4e6ba4f4442a0e3c33f9ceafe0657c7ce015fc238a2e1cf543f3edef52cc9

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 10:49:21 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Elex (M)
17.2.17.10

File size:
417.7 KB (427,744 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ic-0.89ed50d6ddd348.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/19/2017 7:00:00 AM

Valid to:
4/21/2017 6:59:59 AM

Subject:
CN=Yuanyuan Mei, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
4B77E45E6EE2D3592CB495A496A5B5CA

File PE Metadata
Compilation timestamp:
2/13/2017 6:49:21 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x963C

Entry point:
E8, 4C, F9, FF, FF, E9, BB, 1E, 00, 00, 85, C0, 75, 06, 66, 0F, EF, C0, EB, 11, 66, 0F, 6E, C0, 66, 0F, 60, C0, 66, 0F, 61, C0, 66, 0F, 70, C0, 00, 53, 51, 8B, D9, 83, E3, 0F, 85, DB, 75, 78, 8B, DA, 83, E2, 7F, C1, EB, 07, 74, 30, 66, 0F, 7F, 01, 66, 0F, 7F, 41, 10, 66, 0F, 7F, 41, 20, 66, 0F, 7F, 41, 30, 66, 0F, 7F, 41, 40, 66, 0F, 7F, 41, 50, 66, 0F, 7F, 41, 60, 66, 0F, 7F, 41, 70, 8D, 89, 80, 00, 00, 00, 4B, 75, D0, 85, D2, 74, 37, 8B, DA, C1, EB, 04, 74, 0F, EB, 03, 8D, 49, 00, 66, 0F, 7F, 01, 8D, 49...
 
[+]

Entropy:
7.8312  (probably packed)

Code size:
376.5 KB (385,536 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-83-7.lax1.r.cloudfront.net  (52.85.83.7:80)

TCP (HTTP):
Connects to server-52-85-83-24.lax1.r.cloudfront.net  (52.85.83.24:80)

TCP (HTTP):
Connects to server-54-230-216-242.mrs50.r.cloudfront.net  (54.230.216.242:80)

TCP (HTTP):
Connects to server-52-85-173-231.fra6.r.cloudfront.net  (52.85.173.231:80)

TCP (HTTP):
Connects to server-52-85-173-150.fra6.r.cloudfront.net  (52.85.173.150:80)

TCP (HTTP):
Connects to server-52-85-83-229.lax1.r.cloudfront.net  (52.85.83.229:80)

TCP (HTTP):
Connects to server-52-85-83-168.lax1.r.cloudfront.net  (52.85.83.168:80)

TCP (HTTP):
Connects to server-52-85-83-132.lax1.r.cloudfront.net  (52.85.83.132:80)

TCP (HTTP):
Connects to server-52-85-77-192.lax3.r.cloudfront.net  (52.85.77.192:80)

TCP (HTTP):
Connects to server-52-85-77-120.lax3.r.cloudfront.net  (52.85.77.120:80)

TCP (HTTP):
Connects to server-54-230-216-245.mrs50.r.cloudfront.net  (54.230.216.245:80)

TCP (HTTP):
Connects to server-54-230-216-126.mrs50.r.cloudfront.net  (54.230.216.126:80)

TCP (HTTP):
Connects to server-52-84-16-54.sea32.r.cloudfront.net  (52.84.16.54:80)

TCP (HTTP):
Connects to server-52-84-16-33.sea32.r.cloudfront.net  (52.84.16.33:80)

TCP (HTTP):
Connects to server-52-84-16-210.sea32.r.cloudfront.net  (52.84.16.210:80)

TCP (HTTP):
Connects to server-52-84-16-209.sea32.r.cloudfront.net  (52.84.16.209:80)

TCP (HTTP):
Connects to server-52-84-16-138.sea32.r.cloudfront.net  (52.84.16.138:80)

Remove ic-0.89ed50d6ddd348.exe - Powered by Reason Core Security