kb1326749737.exe

Kalman2

Áº»ª

The executable kb1326749737.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Client Server Runtime Process’. While running, it connects to the Internet address vcs-star-s-myc.mail.vip.sg3.yahoo.com on port 25.
Publisher:
Áº»ª

Product:
Kalman2

Description:
Kalman2

Version:
1, 0, 0, 1

MD5:
e5fc8714e6d5295f442cdb19f5de5567

SHA-1:
aa276a772f44b10c53dc918ee480ecd39ed29c38

SHA-256:
af8d7a8cc3608f08df88045609200b20cef469dc4c0fc047e4182648398f52f0

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/25/2024 12:11:17 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader

Engine version:
16.11.7.16

File size:
144 KB (147,456 bytes)

Product version:
1, 0, 0, 1

Copyright:
(C) 2003

Original file name:
Kalman2.EXE

File type:
Executable application (Win32 EXE)

Language:
French (Canada)

Common path:
C:\users\{user}\appdata\local\temp\kb1326749737.exe

File PE Metadata
Compilation timestamp:
11/2/2016 1:18:22 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:/Wb+6o0tWZGmPixrWX1F7zuL1z98s3LX3DS5xIY44sqV74:/bvesixw8Rz98WnOBq

Entry address:
0xCAC6

Entry point:
55, 8B, EC, 6A, FF, 68, 90, EB, 20, 00, 68, 4C, CC, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 58, E3, 20, 00, 59, 83, 0D, 3C, 02, 21, 00, FF, 83, 0D, 40, 02, 21, 00, FF, FF, 15, 54, E3, 20, 00, 8B, 0D, 30, 02, 21, 00, 89, 08, FF, 15, 50, E3, 20, 00, 8B, 0D, 2C, 02, 21, 00, 89, 08, A1, 4C, E3, 20, 00, 8B, 00, A3, 38, 02, 21, 00, E8, 16, 01, 00, 00, 39, 1D, 50, 01, 21, 00, 75, 0C, 68, 48, CC, 20, 00, FF, 15, 48, E3...

Entropy:
6.8393

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
52 KB (53,248 bytes)

2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\Documents and Settings\{user}\Application data\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\windows\syswow64\csrss.exe


The executing file has been seen to make the following network communications in live environments.

