inter_mod_v345.exe

UserMon

Global surveys

The application inter_mod_v345.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Interstatnogui’. The file has been seen being downloaded from s3.amazonaws.com and multiple other hosts. While running, it connects to the Internet address static.25.22.243.136.clients.your-server.de on port 80 using the HTTP protocol.
Publisher:
Global surveys

Product:
UserMon

Description:
Internet usage

Version:
1.0.3.18

MD5:
ef40bd772d5d1cbe411c9bc2b4c2d290

SHA-1:
45e7e4d5a0bb7332f9a19b42a0951e3dc5fbe045

SHA-256:
f1b48d3d2a85adb8d3ef06e2364702a4b1ac041029f5a6c74b682d6a78cc271a

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 2:06:25 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.GlobalSurveys

Engine version:
16.10.1.0

File size:
3.9 MB (4,110,336 bytes)

Product version:
1.0.3.18

Copyright:
Copyright (C) 2015

Original file name:
UserMon.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\inter_mod_v345.exe

File PE Metadata
Compilation timestamp:
4/26/2016 12:46:51 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
98304:Cq7IpfJsqeBuJ1mq80h2VCPD9vG1mq80hV:C4GJsqe4Kq8rCPTq80

Entry address:
0x8492A

Entry point:
E8, BF, 45, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, C0, D9, 4F, 00, E8, 60, B0, 00, 00, E8, D6, 7D, 00, 00, 0F, B7, F0, 6A, 02, E8, 52, 45, 01, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 68, A5, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
6.5579

Code size:
863.5 KB (884,224 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Interstatnogui

Command:
C:\users\{user}\appdata\roaming\interstatnogui\interstatnogui.exe


The file inter_mod_v345.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to static.25.22.243.136.clients.your-server.de  (136.243.22.25:80)

Remove inter_mod_v345.exe - Powered by Reason Core Security