ic-0.a7730744caa42.exe

Yuanyuan Zhang

The application ic-0.a7730744caa42.exe by Yuanyuan Zhang has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address server-54-192-36-107.jfk1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Yuanyuan Zhang  (signed and verified)

MD5:
04ec9b4249e19cb7d391f2347936be12

SHA-1:
e0a1b620455a9cd11cf5b16a1e6e4ceac0882d53

SHA-256:
3106b8ae8edf7f8a901fb2598497ea0d1354f32c76e67e294954c55ae11a1b9e

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 10:38:34 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Mutahba (M)

Engine version:
17.2.23.1

File size:
415.6 KB (425,528 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ic-0.a7730744caa42.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/18/2017 7:00:00 AM

Valid to:
4/21/2017 6:59:59 AM

Subject:
CN=Yuanyuan Zhang, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
04AB8A622B70EF0F2322969A064A4E3E

File PE Metadata
Compilation timestamp:
2/13/2017 10:04:03 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1304

Entry point:
E8, BA, 72, 00, 00, E9, 4E, A7, 00, 00, 55, 8B, EC, 53, 56, 57, 8B, 3D, 2C, 6C, 46, 00, 33, F6, FF, 75, 08, E8, DC, 4D, 00, 00, 8B, D8, 59, 85, DB, 75, 23, 85, FF, 74, 1F, 56, E8, 0D, 69, 00, 00, 8B, 3D, 2C, 6C, 46, 00, 81, C6, E8, 03, 00, 00, 59, 3B, F7, 76, 03, 83, CE, FF, 83, FE, FF, 75, CE, 5F, 5E, 8B, C3, 5B, 5D, C3, 83, 25, 48, A6, 46, 00, 00, C3, 55, 8B, EC, 57, 8B, 7D, 0C, 85, FF, 74, 3B, 8B, 45, 08, 85, C0, 74, 34, 56, 8B, 30, 3B, F7, 74, 28, 57, 89, 38, E8, 85, 20, 00, 00, 59, 85, F6, 74, 1B, 56...

Entropy:
7.8292  (probably packed)

Code size:
376 KB (385,024 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-203-129.fra50.r.cloudfront.net  (54.192.203.129:80)

TCP (HTTP):
Connects to server-52-84-246-161.sfo20.r.cloudfront.net  (52.84.246.161:80)

TCP (HTTP):
Connects to server-54-230-163-174.jax1.r.cloudfront.net  (54.230.163.174:80)

TCP (HTTP):
Connects to server-54-192-203-72.fra50.r.cloudfront.net  (54.192.203.72:80)

TCP (HTTP):
Connects to server-54-192-203-227.fra50.r.cloudfront.net  (54.192.203.227:80)

TCP (HTTP):
Connects to server-52-84-246-189.sfo20.r.cloudfront.net  (52.84.246.189:80)

TCP (HTTP):
Connects to server-52-84-246-149.sfo20.r.cloudfront.net  (52.84.246.149:80)

TCP (HTTP):
Connects to server-54-230-163-53.jax1.r.cloudfront.net  (54.230.163.53:80)

TCP (HTTP):
Connects to server-54-230-163-14.jax1.r.cloudfront.net  (54.230.163.14:80)

TCP (HTTP):
Connects to server-54-192-36-89.jfk1.r.cloudfront.net  (54.192.36.89:80)

TCP (HTTP):
Connects to server-54-192-36-71.jfk1.r.cloudfront.net  (54.192.36.71:80)

TCP (HTTP):
Connects to server-54-192-36-29.jfk1.r.cloudfront.net  (54.192.36.29:80)

TCP (HTTP):
Connects to server-54-192-36-204.jfk1.r.cloudfront.net  (54.192.36.204:80)

TCP (HTTP):
Connects to server-54-192-36-107.jfk1.r.cloudfront.net  (54.192.36.107:80)

Remove ic-0.a7730744caa42.exe - Powered by Reason Core Security