m6iy38962.exe

Yuanyuan Zhang

The application m6iy38962.exe by Yuanyuan Zhang has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from dgkytklfjrqkb.cloudfront.net. While running, it connects to the Internet address server-54-230-141-14.sfo5.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Yuanyuan Zhang  (signed and verified)

MD5:
a7881bce43d7eabdf1f8d0b6d3b46ff3

SHA-1:
8fa901c18a484fa595d6ec4f6433a5613d6e596d

SHA-256:
14bb83611e69a39de1156c3103acac1c6eb3d267259cb1dd3b07807c800ce1b6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 11:05:43 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Mutahba (M)
17.1.28.1

File size:
405.6 KB (415,288 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\m6iy38962.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/18/2017 7:00:00 AM

Valid to:
4/21/2017 6:59:59 AM

Subject:
CN=Yuanyuan Zhang, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
04AB8A622B70EF0F2322969A064A4E3E

File PE Metadata
Compilation timestamp:
1/18/2017 2:23:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x58AB

Entry point:
E8, 6B, 3F, 00, 00, E9, BC, 65, 00, 00, 33, C0, C3, E8, AC, 17, 00, 00, 8B, 40, 7C, 85, C0, 74, 02, FF, D0, E9, 73, BF, FF, FF, 55, 8B, EC, 83, EC, 28, A1, 00, 30, 46, 00, 33, C5, 89, 45, FC, 53, 56, 8B, 75, 0C, 8D, 4D, D8, 57, FF, 75, 10, 8B, 7D, 08, E8, 03, 14, 00, 00, 8D, 45, D8, 33, DB, 50, 53, 53, 53, 53, 56, 8D, 45, E8, 50, 8D, 45, F0, 50, E8, 8F, B7, FF, FF, 89, 45, EC, 8D, 45, F0, 57, 50, E8, 4A, F6, FF, FF, 8B, C8, 83, C4, 28, 8B, 45, EC, A8, 03, 75, 0E, 83, F9, 01, 74, 11, 83, F9, 02, 75, 0F, 6A...
 
[+]

Entropy:
7.8165  (probably packed)

Code size:
361.5 KB (370,176 bytes)

The file m6iy38962.exe has been seen being distributed by the following URL.

http://dgkytklfjrqkb.cloudfront.net/.../yomz.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-141-14.sfo5.r.cloudfront.net  (54.230.141.14:80)

TCP (HTTP):
Connects to server-52-84-246-99.sfo20.r.cloudfront.net  (52.84.246.99:80)

TCP (HTTP):
Connects to server-52-84-246-251.sfo20.r.cloudfront.net  (52.84.246.251:80)

TCP (HTTP):
Connects to server-52-84-246-245.sfo20.r.cloudfront.net  (52.84.246.245:80)

TCP (HTTP):
Connects to server-52-84-246-132.sfo20.r.cloudfront.net  (52.84.246.132:80)

Remove m6iy38962.exe - Powered by Reason Core Security