irhhtbcujwxm

UserMon

OOO

The file irhhtbcujwxm by OOO has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from s3static.com and multiple other hosts. While running, it connects to the Internet address know-sspiprxy-vip.network.virginmedia.net on port 80 using the HTTP protocol.
Publisher:
Global surveys (signed by OOO)

Product:
UserMon

Description:
Internet usage

Version:
1.0.3.18

MD5:
6ba78b78d499cc1f35853507887bb784

SHA-1:
2427949dd9c803a22a9abdc9da741d3e5fd93351

SHA-256:
e69a401526481911ffa544c0b7d35ab4877eb0a6ee4113a82847fd0428933a66

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
11/27/2024 3:40:12 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.12.13.13

File size:
2.6 MB (2,757,568 bytes)

Product version:
1.0.3.18

Copyright:
Copyright (C) 2015

Original file name:
UserMon.exe

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\irhhtbcujwxm

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/7/2016 2:00:00 AM

Valid to:
7/8/2017 1:59:59 AM

Subject:
CN="OOO ""FENIKS""", O="OOO ""FENIKS""", STREET="d. 2/1 str. 1 of. 1, nab.Semenovskaya", L=Moscow, S=Moskovskaya oblast, PostalCode=117393, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A07968238CD1FD586B0DC46568CAC37D

File PE Metadata
Compilation timestamp:
12/13/2016 12:26:47 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x3FE34

Entry point:
E8, C5, 04, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 88, D5, 48, 00, E8, 96, 45, 00, 00, E8, B1, 26, 00, 00, 0F, B7, F0, 6A, 02, E8, 3D, AF, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 0B, 47, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Code size:
477.5 KB (488,960 bytes)

The file irhhtbcujwxm has been seen being distributed by the following 2 URLs.

https://s3static.com/.../inter_silent.exe

https://s3.amazonaws.com/00bandwidthstat/.../inter_silent.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to know-sspiprxy-vip.network.virginmedia.net (62.252.172.241:80)

Powered by Reason Core Security