instnm.exe

The executable instnm.exe has been detected as malware by 29 anti-virus scanners. While running, it connects to the Internet address 216.49.17.139.res-cmts.hzl2.ptd.net on port 48754.
MD5:
186bd78a429077480f4f25872c1a0a0a

SHA-1:
afc379d4001d370976155eda61a06ddd5fe3c6bf

SHA-256:
c7481c1bfeca7784f9f863aca7a2ca3758ade642d2c07951320cf812e11cfb56

Scanner detections:
29 / 68

Status:
Malware

Analysis date:
11/23/2024 9:36:38 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.12501266
715

Agnitum Outpost
Trojan.Agent
7.1.1

Avira AntiVirus
TR/ATRAPS.Gen4
7.11.205.2

avast!
Win64:Malware-gen
2014.9-150205

AVG
Win32/DH
2016.0.3208

Baidu Antivirus
Trojan.Win64.Asterope
4.0.3.1525

Bitdefender
Trojan.Generic.12501266
1.0.20.250

Comodo Security
UnclassifiedMalware
20767

Emsisoft Anti-Malware
Trojan.Generic.12501266
8.15.02.19.02

ESET NOD32
Win64/Asterope (variant)
9.11037

Fortinet FortiGate
W64/Asterope.A!tr
2/5/2015

F-Secure
Trojan.Generic.12501266
11.2015-19-02_5

G Data
Trojan.Generic.12501266
15.2.24

IKARUS anti.virus
Trojan.Win32.Agent
t3scan.1.8.6.0

K7 AntiVirus
Trojan
13.192.14746

Kaspersky
Trojan.Win32.Agent
14.0.0.2534

McAfee
RDN/Generic.dx!d2o
5600.6849

Microsoft Security Essentials
Trojan:Win64/Ropest.G
1.11302

MicroWorld eScan
Trojan.Generic.12501266
16.0.0.150

NANO AntiVirus
Trojan.Win64.Agent.dmssik
0.30.0.64812

nProtect
Trojan.Generic.12501266
15.01.23.01

Panda Antivirus
Trj/CI.A
15.02.05.07

Qihoo 360 Security
Win32/Trojan.0fe
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.2.19.14

Sophos
Troj/Agent-ALDF
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Ropest
10072

Trend Micro House Call
TROJ_GEN.R0C1H01A915
7.2.36

Vba32 AntiVirus
Trojan.Agent.amobo
3.12.26.3

VIPRE Antivirus
Trojan.Win32.Generic
36788

File size:
140.5 KB (143,872 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\ieupdate\instnm.exe

File PE Metadata
Compilation timestamp:
1/7/2005 8:13:57 PM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:KdUPSo+7abnqBKIktr2DMZ89YKwST1BHU5EY:NSo1E9Ct/lEY

Entry address:
0x6B50

Entry point:
48, 89, 5C, 24, 10, 48, 89, 74, 24, 18, 55, 48, 8D, AC, 24, 50, F8, FF, FF, 48, 81, EC, B0, 08, 00, 00, E8, B5, FF, FF, FF, E8, A4, AA, FF, FF, E8, 13, F7, FF, FF, 84, C0, 0F, 84, F8, 02, 00, 00, 48, 8D, 95, 10, 06, 00, 00, B9, 02, 02, 00, 00, FF, 15, F5, 5A, 01, 00, 85, C0, 0F, 85, DE, 02, 00, 00, 48, 8D, 0D, 66, C8, 01, 00, 33, D2, E8, 1F, 58, 00, 00, 85, C0, 0F, 84, C8, 02, 00, 00, 48, 8D, 35, D8, C5, 01, 00, 41, B8, 04, 01, 00, 00, 33, C9, 48, 8B, D6, FF, 15, 17, 56, 01, 00, 48, 8B, CE, FF, 15, AE, 59...
 
[+]

Entropy:
6.4117

Code size:
108 KB (110,592 bytes)

Ini File Mappings System INI
Name:
SCRNSAVE.EXE


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to float.1064.bm-impbus.prod.ams1.adnexus.net  (37.252.162.125:80)

TCP (HTTP):
Connects to 94.31.29.160.IPYX-077437-ZYO.above.net  (94.31.29.160:80)

TCP (HTTP):
Connects to 64.224.221.162.serverel.net  (162.221.224.64:80)

TCP:
Connects to 216.49.17.139.res-cmts.hzl2.ptd.net  (216.49.17.139:48754)

Remove instnm.exe - Powered by Reason Core Security