iconm1c.exe

neomedia

The application iconm1c.exe by neomedia has been detected as a potentially unwanted program by 11 anti-malware scanners. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot. While running, it connects to the Internet address all.agenceall.com on port 32913.
Publisher:
neomedia  (signed and verified)

MD5:
d9f4fad3962d7721e89caccd914b1029

SHA-1:
2de5fba9be4e61fde73af5afb48c60b33dda3c55

SHA-256:
8fee7167126bc7ec5fe5746bd28bb4f338b4aef21f224e270c7183711daba107

Scanner detections:
11 / 68

Status:
Potentially unwanted

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
11/15/2024 11:58:40 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/KeywordFind.B
8.3.3.4

avast!
Win32:Evo-gen [Susp]
2014.9-161011

AVG
Generic
2017.0.2593

Baidu Antivirus
Win32.Trojan.WisdomEyes.151026.9950
4.0.3.161011

Bkav FE
W32.HfsAdware
1.3.0.8383

ESET NOD32
Win32/AdWare.KeywordFind (variant)
10.14248

F-Prot
W32/Themida_Packed
v6.4.7.1.166

K7 AntiVirus
Adware
13.242.21129

Qihoo 360 Security
HEUR/QVM19.1.0000.Malware.Gen
1.0.0.1120

Rising Antivirus
Malware.Heuristic!ET (rdm+)
23.00.65.161009

VIPRE Antivirus
Backdoor.Win32.Ircbot.gen
52896

File size:
1008.7 KB (1,032,928 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\iconmania\iconm1c.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/25/2016 9:00:00 AM

Valid to:
1/25/2017 8:59:59 AM

Subject:
CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata
Compilation timestamp:
10/9/2016 10:49:07 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:tPY2MVyJ6wTA2JdAp29brCXle9WHOcYTFwPtwLTwX/JnIurmXMZFJAwX8u31J8pX:tPY2MVyJAp0KXjkeX5mXMZHrsu31P8

Entry address:
0x231000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, F0, 0B, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, FA, D1, C4, 0D, 68, E6, 3C, 49, 2B, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.5351

Code size:
418.5 KB (428,544 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to all.agenceall.com  (82.221.131.161:32913)

TCP (HTTP):

Remove iconm1c.exe - Powered by Reason Core Security