mbtiupv32.exe

Rainnd Inc

The application mbtiupv32.exe by Rainnd Inc has been detected as a potentially unwanted program by 4 of the 68 anti-malware scanners used in this analysis. It is set to start automatically when a user logs into Windows, via a value named ‘MBTIUPv32’ under the current user's Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). While running, it connects to cache.google.com over plain HTTP on TCP port 80.
Publisher:
Rainnd Inc  (signed and verified)

Version:
1, 0, 0, 1

MD5:
9b9086b64a2d7ce1739b87d7ff95e175

SHA-1:
7c5f056c40fbe8749c2c343d2c911fc8202e5698

SHA-256:
7eea56f369d7907c7816c3845330d1d5ecde05145db788bb8f6bd8a56be5c87f

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 2:40:26 AM UTC

Scan engine    Detection                                  Engine version
Dr.Web         Trojan.DownLoader22.53951                  9.0.1.05190
ESET NOD32     Win32/Adware.CloverPlus.AB application     6.3.12010.0
F-Prot         W32/Adware.ALHS                            4.6.5.141
F-Secure       Variant.Zusy.207705                        5.15.154

File size:
119.1 KB (121,952 bytes)

Product version:
1, 0, 0, 1

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\windows mbt icons\mbtiupv32.exe

Digital Signature
Signed by:
Rainnd Inc (the certificate subject below; a valid Authenticode signature establishes who signed the file, not that the program is benign)
Authority:
GoDaddy.com, Inc.

Valid from:
10/20/2016 5:12:38 PM

Valid to:
9/27/2017 11:50:38 PM

Subject:
CN=Rainnd Inc, O=Rainnd Inc, L=New York, S=New York, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
277FB6AB1157A64B

File PE Metadata
Compilation timestamp:
11/24/2016 5:02:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:IzrEYiBm2Oeor217FYs5pjSxjWuC9xUeL4aRMcNl67Da0jKE9:AGmyrxms5pGEuC9xLL4ErCDa0jKa

Entry address:
0x12D0F

Entry point:
55, 8B, EC, 6A, FF, 68, E0, 59, 41, 00, 68, 9C, 2E, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 18, 54, 41, 00, 59, 83, 0D, D0, AA, 41, 00, FF, 83, 0D, D4, AA, 41, 00, FF, FF, 15, 24, 54, 41, 00, 8B, 0D, C4, AA, 41, 00, 89, 08, FF, 15, 28, 54, 41, 00, 8B, 0D, C0, AA, 41, 00, 89, 08, A1, 2C, 54, 41, 00, 8B, 00, A3, CC, AA, 41, 00, E8, 1D, 01, 00, 00, 39, 1D, 40, A9, 41, 00, 75, 0C, 68, 98, 2E, 41, 00, FF, 15, 30, 54...

These leading bytes (push ebp / mov ebp, esp / push -1 / push handler / mov eax, fs:[0] ... / push 2 / call [__set_app_type]) are the standard Microsoft Visual C++ 6.0 CRT start-up prologue for a GUI application, which is consistent with the Windows GUI subsystem and the compiler identification given on this page.

Entropy:
6.2825

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
80 KB (81,920 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MBTIUPv32

Command:
C:\users\{user}\appdata\local\windows mbt icons\mbtiupv32.exe
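The persistence entry and file hashes above are the indicators an analyst would actually check for on a host. The script below is an added triage example, not code from this page or from Rainnd Inc: it reads the current user's Run key on Windows (and falls back to a constructed sample of Run values elsewhere), flags values whose name, image name or install directory match the indicators on this page, and classifies a file's MD5/SHA-256 against the sample's hashes. It uses only the Python 3 standard library; the SAMPLE_ENTRIES values and the "Updater" renamed copy are hypothetical.

```python
"""Triage helper for the MBTIUPv32 autostart entry described on this page.

Added example, not part of the page or of Rainnd Inc's software. Python 3
standard library only. Indicators are copied from the page; SAMPLE_ENTRIES is
a constructed stand-in for the live Run key when not running on Windows.
"""
import hashlib
import re
import sys

# Indicators copied from the page above.
IOC_SHA256 = "7eea56f369d7907c7816c3845330d1d5ecde05145db788bb8f6bd8a56be5c87f"
IOC_MD5 = "9b9086b64a2d7ce1739b87d7ff95e175"
IOC_RUN_NAME = "MBTIUPv32"
IOC_FILE_NAME = "mbtiupv32.exe"
IOC_INSTALL_DIR = re.compile(r"\\appdata\\local\\windows mbt icons\\", re.IGNORECASE)
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a user's Run key: one benign entry, the entry from the
# page, and a hypothetical renamed copy dropped elsewhere.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "MBTIUPv32": r"C:\users\alice\appdata\local\windows mbt icons\mbtiupv32.exe",
    "Updater": r'"C:\Users\alice\AppData\Roaming\tools\mbtiupv32.exe" --quiet',
}


def read_hkcu_run():
    """Collect {value name: command} from the HKCU Run key via winreg (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, command, _ = winreg.EnumValue(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            entries[name] = command
            index += 1
    return entries


def image_path(command):
    """Recover the executable path from a Run command.

    Quoted commands are unambiguous. The page's command is unquoted and its
    directory contains spaces, so for unquoted commands take everything up to
    the first '.exe' instead of splitting on whitespace.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r".+?\.exe", command, re.IGNORECASE)
    return match.group(0) if match else command.split(" ", 1)[0]


def suspicious_run_entries(entries):
    """Return {value name: [reasons]} for entries matching the page's indicators."""
    hits = {}
    for name, command in entries.items():
        path = image_path(command)
        reasons = []
        if name.lower() == IOC_RUN_NAME.lower():
            reasons.append("value name matches MBTIUPv32")
        if path.lower().endswith("\\" + IOC_FILE_NAME):
            reasons.append("image is mbtiupv32.exe")
        if IOC_INSTALL_DIR.search(path):
            reasons.append("image lives in 'windows mbt icons' under %LOCALAPPDATA%")
        if reasons:
            hits[name] = reasons
    return hits


def digest_verdict(md5, sha256):
    """Compare hashes against the page's sample; SHA-256 is the one to trust."""
    if sha256.lower() == IOC_SHA256:
        return "known sample"
    if md5.lower() == IOC_MD5:
        return "md5 match only"  # MD5 is collision-prone, so confirm with SHA-256
    return "no hash match"


def hash_verdict(data):
    """Hash raw file bytes and classify them with digest_verdict()."""
    return digest_verdict(hashlib.md5(data).hexdigest(),
                          hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    entries = read_hkcu_run() or SAMPLE_ENTRIES
    for name, reasons in suspicious_run_entries(entries).items():
        print(f"[!] {name}: {entries[name]}")
        for reason in reasons:
            print("    -", reason)
```

On a live Windows host, hash the image that each flagged command points to (for example with hashlib over the file's bytes) and feed the digests to digest_verdict(); a matching SHA-256 is the sample documented here, while a different hash at the same path or value name indicates a variant worth submitting for analysis.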


The executing file has been seen to make the following network communications in live environments. The *-in-f*.1e100.net names are the reverse-DNS naming Google uses for its front-end servers, so these HTTP connections terminate on Google-operated infrastructure (the last one being cache.google.com); the page does not record what was requested over them.

TCP (HTTP):
Connects to th-in-f106.1e100.net  (74.125.203.106:80)

TCP (HTTP):
Connects to tg-in-f147.1e100.net  (74.125.23.147:80)

TCP (HTTP):
Connects to hkg12s11-in-f4.1e100.net  (216.58.200.4:80)

TCP (HTTP):
Connects to hkg12s01-in-f3.1e100.net  (216.58.197.99:80)

TCP (HTTP):
Connects to hkg07s21-in-f4.1e100.net  (216.58.221.228:80)

TCP (HTTP):
Connects to hkg07s02-in-f132.1e100.net  (216.58.221.132:80)

TCP (HTTP):
Connects to cache.google.com  (202.69.185.121:80)

Remove mbtiupv32.exe - Powered by Reason Core Security