kml368.exe

Microsoft

While the file's version information names 'Microsoft Corporation' as the developer, that claim does not hold up: the publisher field fails signature validation (marked 'Invalid match' below) and the file is built to pass as a legitimate Microsoft system file. Genuine System32 binaries are Authenticode-signed by Microsoft and carry the OS build's version strings; this file reports version 1.00, was compiled with Visual Basic 5.0, and has the default VB project name 'Project1' (bytes 50 72 6F 6A 65 63 74 31) sitting next to its entry point, none of which is true of a Microsoft OS component. The executable kml368.exe has been flagged as malware by 1 of 68 anti-virus scanners. While running, it connects to the Internet address ip228.50-31-5.static.steadfastdns.net on port 80 using HTTP.
Publisher:
Microsoft Corporation*  (Invalid match)

Product:
Microsoft® Windows® Operating System

Description:
Microsoft

Version:
1.00

MD5:
976c346d75a426448d915ac7bd22c349

SHA-1:
2420b678e51c71fe9d670c179b353dac55655067

SHA-256:
5a9381309deb7dccc98f6c0488e2fa0628e43ea328b464261f7bc440a466e888

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/25/2024 2:13:49 PM UTC

Scan engine          Detection                    Engine version
Reason Heuristics    Threat.Win.Reputation.IMP    16.4.7.5

File size:
96 KB (98,304 bytes)

Product version:
1.00

Copyright:
Copyright © Microsoft Corp

Original file name:
kml368.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\kml368.exe

File PE Metadata
Compilation timestamp:
3/20/2012 4:37:47 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
768:GPt+E/7Y+gap/6/FlLSYxHfoLAHsYWwV/Flu+gap/t:KgEU+HZ6/TLSYWWsjwV/Tu+HZ

Entry address:
0x1968

Entry point:
68, 58, 74, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, BD, 23, 4F, D1, D2, BC, AE, 41, A2, 4C, 65, 7D, 46, F8, 51, D7, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 50, 72, 6F, 6A, 65, 63, 74, 31, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, FF, CC, 31, 00, 06, F2, AB, 8A, 10, 0E, 50, 39, 40, B7, 1F, EE, F9, 22, 61, ED, C5, 74, 74, 3C, 71, EF, B3, 79, 4D, BC, 6A, 04, 7B, 07, 4F, 49, 7F, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...
 

Entropy:
5.5535

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
64 KB (65,536 bytes)
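The PE metadata above (compile timestamp, linker 6.0, OS version 4.0, GUI subsystem, entry RVA 0x1968, the Visual Basic 5.0 build) and the unverified 'Microsoft Corporation' publisher claim are exactly what a first-pass triage script pulls out of a suspect binary. The following standard-library Python is an added example written for this page, not Reason Core Security's tooling: it parses the PE32 header fields, checks for an Authenticode certificate table, and decodes the ten-byte stub that VB5/VB6 places at the entry point (a `push` of the VB project header followed by a near `call` into the import thunk for ThunRTMain). The entry-point bytes are the ones listed on this page; the sample PE they are embedded in is constructed here and is not the real kml368.exe, an image base of 0x400000 is assumed, only PE32 images are handled, and version-resource parsing is omitted, so the claimed publisher is passed in as the scanner reported it.

```python
"""Offline triage of a PE32 file that claims to be a Microsoft system binary.
Parses the header fields the datasheet reports, checks for an Authenticode
certificate table, and decodes the VB5/VB6 runtime stub at the entry point."""
import hashlib
import re
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the Authenticode certificate table
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}

# First 68 entry-point bytes exactly as the datasheet lists them.
ENTRY_BYTES_FROM_PAGE = bytes.fromhex(
    "68 58 74 40 00 E8 EE FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 "
    "00 00 00 00 BD 23 4F D1 D2 BC AE 41 A2 4C 65 7D 46 F8 51 D7 00 00 00 00 "
    "00 00 01 00 00 00 00 00 00 00 00 00 50 72 6F 6A 65 63 74 31"
)


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (name, vsize, vaddr, rawsize, rawptr)."""
    for _name, vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def decode_vb_entry_stub(code, entry_va):
    """Recognise the stub VB5/VB6 emits at AddressOfEntryPoint:
         68 imm32   push <VA of the VB project header>
         E8 rel32   call <import thunk for ThunRTMain in MSVBVM50/60.DLL>
    Returns (header_va, call_target_va), or None if the pattern is absent."""
    if len(code) < 10 or code[0] != 0x68 or code[5] != 0xE8:
        return None
    header_va = struct.unpack_from("<I", code, 1)[0]
    rel32 = struct.unpack_from("<i", code, 6)[0]
    return header_va, entry_va + 10 + rel32      # rel32 is relative to the end of the call


def triage(data):
    """Parse an in-memory PE32 image and return the fields a first-pass triage needs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER32
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    _cert_off, cert_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]
    window = data[rva_to_offset(sections, entry_rva):][:128]   # bytes at the entry point
    return {
        **{alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")},
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "linker": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "image_base": image_base,
        "authenticode_signed": cert_size > 0,                  # size 0 means no certificate table at all
        "vb_stub": decode_vb_entry_stub(window, image_base + entry_rva),
        "entry_strings": [s.decode() for s in re.findall(rb"[ -~]{6,}", window)],
    }


def assess(info, claimed_publisher):
    """Turn parsed fields into the masquerade indicators a reviewer would flag."""
    findings = []
    if "microsoft" in claimed_publisher.lower() and not info["authenticode_signed"]:
        findings.append("publisher field claims Microsoft but the file has no Authenticode certificate table")
    if info["vb_stub"]:
        header_va, thunk_va = info["vb_stub"]
        findings.append(f"entry point is a Visual Basic runtime stub (push {header_va:#x}; call {thunk_va:#x}); "
                        "Windows system binaries are not built with VB")
    if "Project1" in info["entry_strings"]:
        findings.append("default VB project name 'Project1' sits next to the entry point")
    return findings


def build_sample_pe():
    """Constructed minimal PE32 (NOT the real kml368.exe) reproducing the datasheet's
    header fields and entry bytes; image base 0x400000 is an assumption."""
    entry_rva, text_rva, text_raw, text_size, image_base = 0x1968, 0x1000, 0x400, 0x1000, 0x400000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1332261467, 0, 0, 224, 0x0102)      # i386, 2012-03-20 16:37:47 UTC
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)                                # PE32, linker 6.0
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<HH", opt, 40, 4, 0)                                       # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                                          # security directory left empty
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    text = bytearray(text_size)
    text[entry_rva - text_rva:entry_rva - text_rva + len(ENTRY_BYTES_FROM_PAGE)] = ENTRY_BYTES_FROM_PAGE
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    info = triage(build_sample_pe())
    for key, value in info.items():
        print(f"{key:>20}: {value}")
    for finding in assess(info, "Microsoft Corporation"):
        print("FLAG:", finding)
```

On the page's bytes the stub decodes to `push 0x407458; call 0x401960`: the pushed value is the VB project header and the call lands on the import thunk just below the entry point, which is the layout every VB5/VB6 executable shares. To run this against a real file, replace `build_sample_pe()` with `open(path, "rb").read()` and compare the returned hashes with the MD5/SHA-1/SHA-256 listed above before drawing conclusions; a missing certificate table is a strong signal for a file that claims to be a Microsoft OS component, but a present one still has to be validated (for example with `Get-AuthenticodeSignature` on Windows), which this script does not do.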

The executing file has been observed making the following network connections in live environments. All but one of the destinations are Amazon CloudFront edge nodes (the reverse-DNS names of shared CDN infrastructure); these addresses change constantly and serve many unrelated sites, so the edge IPs alone are weak indicators and should not be blocked outright. The one non-CDN endpoint is the TLS connection to unknown.telstraglobal.net (210.176.156.38:443).

TCP (HTTP):      Connects to server-54-230-216-96.mrs50.r.cloudfront.net  (54.230.216.96:80)
TCP (HTTP):      Connects to server-54-230-187-229.cdg51.r.cloudfront.net  (54.230.187.229:80)
TCP (HTTP):      Connects to server-54-230-149-163.sin2.r.cloudfront.net  (54.230.149.163:80)
TCP (HTTP):      Connects to server-54-192-75-182.hkg50.r.cloudfront.net  (54.192.75.182:80)
TCP (HTTP):      Connects to server-54-192-36-46.jfk1.r.cloudfront.net  (54.192.36.46:80)
TCP (HTTP):      Connects to server-54-192-25-106.mxp4.r.cloudfront.net  (54.192.25.106:80)
TCP (HTTP):      Connects to server-54-192-233-87.nrt12.r.cloudfront.net  (54.192.233.87:80)
TCP (HTTP):      Connects to server-54-192-203-98.fra50.r.cloudfront.net  (54.192.203.98:80)
TCP (HTTP):      Connects to server-54-192-203-30.fra50.r.cloudfront.net  (54.192.203.30:80)
TCP (HTTP SSL):  Connects to server-54-192-159-128.sin3.r.cloudfront.net  (54.192.159.128:443)
TCP (HTTP):      Connects to server-54-192-14-250.ams1.r.cloudfront.net  (54.192.14.250:80)
TCP (HTTP):      Connects to server-54-182-203-14.lax52.r.cloudfront.net  (54.182.203.14:80)
TCP (HTTP):      Connects to server-52-85-83-92.lax1.r.cloudfront.net  (52.85.83.92:80)
TCP (HTTP):      Connects to server-52-85-83-247.lax1.r.cloudfront.net  (52.85.83.247:80)
TCP (HTTP):      Connects to server-52-85-221-82.cdg50.r.cloudfront.net  (52.85.221.82:80)
TCP (HTTP):      Connects to server-52-85-221-219.cdg50.r.cloudfront.net  (52.85.221.219:80)
TCP (HTTP):      Connects to server-52-84-126-11.iad16.r.cloudfront.net  (52.84.126.11:80)
TCP (HTTP SSL):  Connects to unknown.telstraglobal.net  (210.176.156.38:443)
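Turning a list like the one above into indicators means separating the shared CDN edges from the endpoints that are actually worth acting on. The Python below is an added example for this page, not part of the vendor's report: it parses the page's 'TCP (...): Connects to host (ip:port)' entries (a short excerpt is embedded as constructed sample input, including a bare label with no destination, as occurs on the page), verifies that each CloudFront reverse-DNS name embeds the same IP the sandbox reported, extracts the point-of-presence code, and splits the destinations into CDN edges versus direct endpoints. The CloudFront name pattern is the one visible in the entries above; which CloudFront distribution was contacted is not recoverable from these records, so for the CDN traffic the actionable indicator is the HTTP Host header or TLS SNI in the capture, which this page does not provide.

```python
"""Parse sandbox network entries into structured indicators and separate shared
CDN edge nodes (CloudFront reverse-DNS names) from directly actionable endpoints."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the page's entries, embedded here as constructed sample input.
# The bare "TCP (HTTP):" label with no destination reproduces a gap seen on the page.
SAMPLE_REPORT = """
TCP (HTTP):

TCP (HTTP):
Connects to server-54-230-216-96.mrs50.r.cloudfront.net  (54.230.216.96:80)

TCP (HTTP):
Connects to server-54-192-203-98.fra50.r.cloudfront.net  (54.192.203.98:80)

TCP (HTTP SSL):
Connects to server-54-192-159-128.sin3.r.cloudfront.net  (54.192.159.128:443)

TCP (HTTP):
Connects to server-52-84-126-11.iad16.r.cloudfront.net  (52.84.126.11:80)

TCP (HTTP SSL):
Connects to unknown.telstraglobal.net  (210.176.156.38:443)
"""

# Label and destination may sit on one line or on consecutive lines; a label with no
# destination simply fails to match and is skipped.
ENTRY_RE = re.compile(
    r"TCP \((?P<proto>HTTP(?: SSL)?)\):\s*Connects to (?P<host>\S+)\s+\((?P<ip>[\d.]+):(?P<port>\d+)\)")
# CloudFront edge reverse-DNS: server-<dashed ip>.<pop>.r.cloudfront.net
CLOUDFRONT_RE = re.compile(r"^server-(?P<hip>\d+-\d+-\d+-\d+)\.(?P<pop>[a-z]+\d+)\.r\.cloudfront\.net$")


@dataclass(frozen=True)
class Connection:
    proto: str
    host: str
    ip: str
    port: int
    cdn_pop: Optional[str]           # CloudFront point-of-presence code, None for non-CDN hosts
    name_matches_ip: Optional[bool]  # reverse-DNS name embeds the reported IP; None when not a CDN name


def parse_connections(report):
    """Extract every labelled destination from the report text."""
    conns = []
    for m in ENTRY_RE.finditer(report):
        ip = str(ipaddress.ip_address(m["ip"]))      # raises on a malformed address rather than passing it on
        cf = CLOUDFRONT_RE.match(m["host"])
        conns.append(Connection(
            proto=m["proto"], host=m["host"], ip=ip, port=int(m["port"]),
            cdn_pop=cf["pop"] if cf else None,
            name_matches_ip=(cf["hip"].replace("-", ".") == ip) if cf else None,
        ))
    return conns


def summarize(conns):
    """Split destinations into shared CDN edges (weak, churning indicators) and direct endpoints."""
    cdn = [c for c in conns if c.cdn_pop]
    return {
        "cdn_edges": len(cdn),
        "cdn_pops": sorted({c.cdn_pop for c in cdn}),
        "cdn_name_mismatches": [c.host for c in cdn if not c.name_matches_ip],
        "tls_ports": sorted({c.port for c in conns if c.proto == "HTTP SSL"}),
        "direct_endpoints": [(c.host, c.ip, c.port) for c in conns if not c.cdn_pop],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_connections(SAMPLE_REPORT)).items():
        print(f"{key:>20}: {value}")
```

A non-empty `cdn_name_mismatches` list would mean the sandbox's reverse lookup and the reported address disagree, which is worth a second look before either value goes into a blocklist. The `direct_endpoints` entry is the one destination here that can be alerted on as-is.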

Remove kml368.exe - Powered by Reason Core Security