kmd.exe

Kazaa Installer

Sharman Networks Ltd

The application kmd.exe is flagged as a potentially unwanted program by 4 of the 68 anti-malware scanners listed below (the detection names identify it as adware bundled with the Kazaa P2P client). The file has been observed being downloaded from gsf-cf.softonic.com and multiple other hosts. While running, it connects to proxy.herokuapp.com over HTTP on TCP port 80.
Publisher:
Sharman Networks Ltd

Product:
Kazaa Installer

Version:
1.0.0.3

MD5:
ec71942212f7ba28ef39d0a534bdcb53

SHA-1:
ed7032c5b1c955e27eea60f9d9244e376b7879b0

SHA-256:
ca7f844f8064b9e1bd3f016de3e6b4f7ceada58e8d82a263636654afcd3e69f5

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 11:36:49 PM UTC

Scan engine          Detection                                     Engine version
Baidu Antivirus      Adware.Win32.Kazaa                            4.0.3.151218
ESET NOD32           Win32/Adware.Kazaa (variant)                  9.12029
Rising Antivirus     PE:Trojan.Win32.Generic.15A670ED!363229421    23.00.65.151216
Total Defense        Win32/P2P.Kazaa                               37.1.62.1

File size:
752 KB (770,048 bytes)

Product version:
1.0.0.3

Copyright:
Copyright 2003-2004 Sharman Networks Ltd.

Trademarks:
Kazaa

Original file name:
Cloudloader.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\kmd.exe

File PE Metadata
Compilation timestamp:
1/16/2006 7:50:54 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

CTPH (ssdeep):
12288:SsUtWob/GyOII9Tid9wJDKUrhDs4SaeP4fIuJezvIX:SsYbuxPTiQoU1DFxePhT

Entry address:
0x1EF65

Entry point:
6A, 60, 68, A0, 45, 44, 00, E8, 43, FF, FF, FF, BF, 94, 00, 00, 00, 8B, C7, E8, A3, FA, FF, FF, 89, 65, E8, 8B, F4, 89, 3E, 56, FF, 15, 1C, F3, 43, 00, 8B, 4E, 10, 89, 0D, 38, 35, 45, 00, 8B, 46, 04, A3, 44, 35, 45, 00, 8B, 56, 08, 89, 15, 48, 35, 45, 00, 8B, 76, 0C, 81, E6, FF, 7F, 00, 00, 89, 35, 3C, 35, 45, 00, 83, F9, 02, 74, 0C, 81, CE, 00, 80, 00, 00, 89, 35, 3C, 35, 45, 00, C1, E0, 08, 03, C2, A3, 40, 35, 45, 00, 33, F6, 56, 8B, 3D, 2C, F2, 43, 00, FF, D7, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03...

Entropy:
7.0311

Developed / compiled with:
Microsoft Visual C++ v7.0

Code size:
248 KB (253,952 bytes)
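The record above (hashes, compilation timestamp, linker version, entry address, OS version, subsystem, entropy, code size) is what a triage script should reproduce from the raw bytes before trusting a sample's identity. The following is an added example, not code from the page or from Reason Core Security: it hashes a file against the three hashes listed here, computes Shannon entropy (7.0311 is close to the 8.0 maximum, which is what an installer stub carrying a compressed payload looks like), and reads the COFF and PE32 optional-header fields directly with struct rather than a PE library. Because kmd.exe itself is not available offline, the block builds a constructed header-only PE32 carrying the record's metadata values (assumed, not the real file; its hashes will not match the record, which the hash check reports) so the parser can be exercised.

```python
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

# Indicators copied from the analysis record for kmd.exe.
KNOWN_HASHES = {
    "md5": "ec71942212f7ba28ef39d0a534bdcb53",
    "sha1": "ed7032c5b1c955e27eea60f9d9244e376b7879b0",
    "sha256": "ca7f844f8064b9e1bd3f016de3e6b4f7ceada58e8d82a263636654afcd3e69f5",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def hash_file(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 as lower-case hex, the same form the record uses."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_record(data: bytes) -> bool:
    """True only when all three hashes agree with the record (one mismatch is enough to reject)."""
    got = hash_file(data)
    return all(got[k] == v for k, v in KNOWN_HASHES.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; values above ~7 point to compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_header(data: bytes) -> dict:
    """Read the fields the record lists from the COFF header and the PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF header is 20 bytes; optional header follows immediately
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)  # MajorOperatingSystemVersion/Minor
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]        # Subsystem
    return {
        "machine": machine,
        "sections": nsections,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker": f"{linker_major}.{linker_minor}",
        "code_size": size_of_code,
        "entry_rva": entry_rva,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in (assumption, not kmd.exe): a header-only PE32 carrying the
    record's metadata so the parser can be run offline. Its hashes will not match."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine i386, 4 sections, TimeDateStamp for 2006-01-16 19:50:54 UTC, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 1137441054, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 7, 0, 253952)  # PE32 magic, linker 7.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x1EF65)               # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)                 # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                     # Windows GUI subsystem
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("hashes match record:", matches_record(data))
    print("entropy: %.4f" % shannon_entropy(data))
    print(parse_pe_header(data))
```

Run it with the path of a suspected copy of kmd.exe as the only argument; without an argument it parses the constructed header. A sample whose PE fields match the record but whose hashes do not should be treated as a different build, not as the file described here.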

The file kmd.exe has been observed being distributed from the following URLs (28 recorded; the 12 listed below are all CloudFront signed download links on gsf-cf.softonic.com, each carrying its own Expires, Signature and Key-Pair-Id parameters).

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1478210118&Signature=gv6sc6okn-XxqD-tXP~rzedD8GKUCcdfvlSJiOCNN0iTFAYQxZFpFfJZ7zjovNYeBZWcm-pwex7n2V6wHEXE2Soz7903O-LKKM0yT2xcCSIwUQlbOI9mM5o0HgrPedFJJ5sebfXJ9EyVZX4PodpjprqtdHFmQbp0YezCo6lFXU0_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1448415069&Signature=V8NNXgNYOPhxxGNAFgIrDRF2cLozGFVWXrIGRGN7iPcc9xOlfniE5mU6n2F7shvpR1f7XtGpNjyg63IZhpnFPhl9Qi0O~yMF9lfv96Q~eXypVQ2tZGDVEBeryVr~Zt-lkT6EuHCCot4rFd5B2M5o~PyWeusFZAR9b-mLf1Ql8tk_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1477817568&Signature=KZK18vHt9ZNEmPZXelwZvdMrT-mCDFCLpBeJjdZ11S1ChoV~calRY2JPkMMSOKRcPtli1IFkoVePta111zkig6iAVIktFlhexa48wxtXp1PHCDGDW0rLbulqAWlv8rcTFPOjhcmZ5KqzJfvJGRgtPm3uuRtSHytwrd1H4FB6gtE_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1446095296&Signature=eILDsMzyTZLJZd9GMv-yoKZQ96bHIiulIT6KGl0SvJrGRitgfuvd623-cabLzaJrervgqbg-4rroV35xP1B~2CHqgLoQ8hXAawYhS2X90g4-5rLPzuxNfeRCID35XxC2SlbQk4QoX9sQ2vo3dA2g8iERxeSa8X7DoqGr1tXYVpM_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1481662435&Signature=apYI1nlg52J9MTUGJUu~ia~MA7c4lEpe3efwNKCQO1E-XvbGRMYFlMVDXDWBEav5Wj~kbv5IecSmds~crEXO6l8O66S2Zeyzy6EW2eO4X5y3m3RweU8DahCU-4XflwLhWqyELRKnPZnAj7KeJ3QAx5qe9hAUaNVliuCOIx3Ve2c_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1478035062&Signature=XQzaPzTx-rFcbXoSRFX5Fs0tpIy~89s-7IbYvWhRVibRoCJm3oNtvT~RFzgTQTvTT4cRJVaZAPfVIrpaAQ~ksm7P~YNvyfu7OPjZdEJKJVOvUq8nHxRzHKGJUkj13R0TGBopSpL834Cei8s6BoGkmJTrxxGN-thVg4U6xBZ2mRc_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1479521954&Signature=Ey6pV2YVVgUUzxdKffgXypDwqAUwNmJL~YVWnp7re60oPc9qGbx1W3dpRnJ4hl0AnY0tSfZDmHzAyKjWQM4qr1czYxtPEMGlxGPAdDZ3N65jlKFGQJ1C5kANBNnbAo9IQgWVZfBRkalCihvvJ5K97Rc-QizgPg4gAl9mY2sedXk_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1462856296&Signature=Ivm5aPzGFYjHOUB-jUJkApf6vO4H7lqgTb32h5Yel8dQH-6oPYmAxrjdUbpEQuY1xc1Ws8MJlujXi7yqW2I0yf9Dwheai9fKGA5MXqy-jGUYR1RuYdNv2vZTfs4Xbh8-B8qPhvvYCgEsUUDRhTqiFq97jUGz8~d73zWsehLyCn0_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1477048692&Signature=TUfEQEscuqv9niU8ZPSVqk5AGWfFpujpXNkiifOQ0ZhPVgyeZ2fuWc86wKz3onnes6YsCMAxuAsweXAKJ14yQ8vqu0dXVyO5v5K9-0ulJl~7HH~kZK~fbkfb4mdfGMwP-U~1cnxNVYc2trHOSvnsR9V-NgyStPIkCpn2Oklmmp0_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1476004714&Signature=ffe5VNn6BOHy0ecjAmWgU~I~5c4dDiKOknYm-K6m5FY9aiLnJuibXr~z-JgYlFS16kr0UAgkZbqVW~9GyvAkOVptt6GG8DyHJ6Y5T8~iGk-9PDUHKfYvrlc98oxXszFZ1ijHrz-YifJbl~7I18swqH74u47TlNMvt5iDsC9n9bc_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1473606966&Signature=VyAEYis0fvZslLJ5Mjp8S8G3H8l99rK9PML8yl20bE7j8~cd2JFWWIkOQCDNiLdmNg2OmBuTl8h6IRMv2V0mbZcfWFwyW4X~aiNrlUV8a9P4q4i8jGyprlQ2NV72jVMoYwLYaK~8fvf3Z3nm5faiMRtRc9BgbC1UMPLtyr45l64_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

http://gsf-cf.softonic.com/ed7/032/.../file?SD_used=0&channel=WEB&fdh=no&id_file=14190&instance=softonic_es&type=PROGRAM&Expires=1469006923&Signature=XFwFNvuLNbT2oE~pFEtogZxsCYjQFrdNtEDeeSWuxr5uOf3jz8DEpQZ616suQ5R07l-ywvpj7IPFt3ONY-xMeCnagx2Xh~3Ib~Ax9iNKcjo8Hqi7QBKI9IBrbNwzopJu92waxxSJgU0BsHHlG8wdhwTPCvHaHuZniuukhAq~EgU_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to proxy.herokuapp.com  (75.101.163.44:80)
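The two sets of indicators on this page, the softonic download URLs and the proxy.herokuapp.com contact, are what a hunt over web-proxy logs should key on. The following is an added example, not code from the page or from Reason Core Security: it parses a constructed proxy log (the "<timestamp> <client> <method> <url> <status>" layout and every line in it are assumptions for illustration, including a made-up URL path and Signature value), tags downloads of kmd.exe from gsf-cf.softonic.com and any HTTP or CONNECT traffic to proxy.herokuapp.com or 75.101.163.44:80, and converts the Expires value from a CloudFront signed URL into a UTC date, which bounds when the download link was minted.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the page.
DOWNLOAD_HOST = "gsf-cf.softonic.com"
FILE_NAME = "kmd.exe"
C2_HOST = "proxy.herokuapp.com"
C2_ADDR = ("75.101.163.44", 80)

# Constructed sample log (assumption, not from the page); the path and Signature are made up.
SAMPLE_LOG = """\
2016-11-03T20:01:12Z 10.0.0.15 GET http://gsf-cf.softonic.com/example/file?SD_used=0&channel=WEB&id_file=14190&type=PROGRAM&Expires=1478210118&Signature=EXAMPLE&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=kmd.exe 200
2016-11-03T20:01:40Z 10.0.0.15 GET http://proxy.herokuapp.com/ 200
2016-11-03T20:02:05Z 10.0.0.22 GET http://example.org/index.html 200
2016-11-03T20:03:00Z 10.0.0.15 CONNECT 75.101.163.44:80 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line: str):
    """One log line to a dict, or None if it does not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def signed_url_expiry(url: str):
    """CloudFront signed URLs carry Expires (epoch seconds) beside Signature and Key-Pair-Id;
    return it as a UTC timestamp, or None when the URL is not a signed link."""
    qs = parse_qs(urlsplit(url).query)
    if "Expires" not in qs or "Signature" not in qs:
        return None
    return datetime.fromtimestamp(int(qs["Expires"][0]), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def classify(entry: dict) -> list:
    """Tags for an entry: the installer download and/or contact with the proxy host."""
    tags = []
    if entry["method"] == "CONNECT":
        host, _, port = entry["url"].rpartition(":")
        target = (host, int(port) if port.isdigit() else 0)
    else:
        parts = urlsplit(entry["url"])
        target = (parts.hostname or "", parts.port or 80)
        qs = parse_qs(parts.query)
        if target[0] == DOWNLOAD_HOST and qs.get("filename", [""])[0].lower() == FILE_NAME:
            tags.append("download:" + FILE_NAME)
    if target[0] == C2_HOST or target == C2_ADDR:
        tags.append("contact:" + C2_HOST)
    return tags


def hunt(log_text: str) -> list:
    """Every tagged entry with its client, so hits can be pivoted to the host that ran the file."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        tags = classify(entry)
        if tags:
            hits.append({
                "ts": entry["ts"],
                "client": entry["client"],
                "tags": tags,
                "link_expires": None if entry["method"] == "CONNECT" else signed_url_expiry(entry["url"]),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A client that shows the download tag followed by the contact tag within minutes, as 10.0.0.15 does in the sample, has most likely executed the installer; the Expires value (2016-11-03 for the first URL on the list above) also shows that these signed links are short-lived, so the URL strings themselves are poor long-term indicators compared with the host name and the filename parameter.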

Remove kmd.exe - Powered by Reason Core Security