krymqmqxufnk

DataMon

In solutions doo

The file krymqmqxufnk by In solutions doo has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘NetCtl’. The file has been seen being downloaded from s3.amazonaws.com. While running, it connects to the Internet address know-sspiprxy-vip.network.virginmedia.net on port 80 using the HTTP protocol.
Publisher:
World Computing  (signed by In solutions doo)

Product:
DataMon

Description:
Data usage

Version:
1.0.3.19

MD5:
973f426196675a9d98209692b8006d61

SHA-1:
bf90a55000debd5c5b46fc8596f5e34de3b7076a

SHA-256:
b6ac032cb8026b4633cf88f70d1e2e6d5a1e3dd813c59df6c3101b2af16159a9

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 3:32:13 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Dropper (M)
17.2.10.20

File size:
2.7 MB (2,790,208 bytes)

Product version:
1.0.3.19

Copyright:
Copyright World Computing(C) 2017

Original file name:
DataMon.exe

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\krymqmqxufnk

Digital Signature
Authority:
DigiCert Inc

Valid from:
11/23/2016 12:00:00 AM

Valid to:
11/28/2017 12:00:00 PM

Subject:
CN="""In solutions"" doo", O="""In solutions"" doo", L=Inđija, C=RS

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0FE5BA5D63EF0CB81C25046163E24AF2

File PE Metadata
Compilation timestamp:
2/10/2017 4:29:55 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x46204

Entry point:
E8, B5, 04, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, A0, 36, 49, 00, E8, 96, 45, 00, 00, E8, B1, 26, 00, 00, 0F, B7, F0, 6A, 02, E8, 45, AF, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 0B, 47, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.5342

Code size:
502.5 KB (514,560 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NetCtl

Command:
C:\users\{user}\appdata\roaming\netctl\netctl.exe


The file krymqmqxufnk has been seen being distributed by the following URL.

https://s3.amazonaws.com/00bandwidthstat/.../inter_silent.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.25.22.243.136.clients.your-server.de  (136.243.22.25:80)

TCP (HTTP):
Connects to know-sspiprxy-vip.network.virginmedia.net  (62.252.172.241:80)

Remove krymqmqxufnk - Powered by Reason Core Security