mwo.exe

BitCometLite

www.BitComet.com

This is a setup program which is used to install the application. The file has been seen being downloaded from mwo.playcomet.com.

Publisher:
www.BitComet.com

Product:
BitCometLite

Version:
1.8

MD5:
6e226703212780bdcbd5e3cdefdee2b7

SHA-1:
0f6666eef57b3c11584bf1c3fbb764fd6ee2ffcb

Scanner detections:
5 / 68

Status:
Inconclusive  (not enough data for an accurate detection)

Analysis date:
12/26/2024 4:36:56 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | Packed/PECompact | 7.1.1 |
| Bkav FE | HW32.Paked | 1.3.0.4959 |
| Comodo Security | Heur.Suspicious | 19673 |
| Dr.Web | Adware.Downware.3272 | 9.0.1.049 |
| Sophos | Mal/Generic-S | 4.98 |

File size:
1.6 MB (1,649,152 bytes)

Product version:
1.13

Copyright:
Copyright(C) 2003-2009 All Rights Reserved.

Original file name:
BitCometLite.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (PRC)

Common path:
C:\Documents and Settings\{user}\My documents\downloads\mwo.exe

File PE Metadata
Compilation timestamp:
7/29/2009 12:14:07 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:x/hSUFG/LHDPMYgIIRAetv0o79/55ZDtjNWvrSEfFYWLGJxcs94ivqQ7zFJ8hds:xJFKHDPgmYvJX+jnxLGJxb2ivqQf6

Entry address:
0x14D84F

Entry point:
B8, D0, 53, 9F, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 50, 45, 43, 6F, 6D, 70, 61, 63, 74, 32, 00, 29, E9, 67, E2, 21, 3E, 07, 34, D1, 61, CD, BB, 2C, 79, E6, 40, 59, 9B, E8, BE, 74, B8, 73, CC, BA, 48, 6E, 2A, F4, DB, DB, BE, 50, 59, B8, B8, 54, 61, E6, C1, 2A, 4E, A9, BE, 3F, 89, CC, 99, CB, 31, 3A, FB, AD, A7, 8E, C0, 3D, BB, 1D, 29, E8, 50, 08, 25, CA, FF, F5, BE, 83, 9B, 2E, 7D, E0, 06, 9C, EB, 69, 3D, 81, 17, A0, 1C, 6A, D4, 32, 7E, 65, FA, 67, 0C, 0D, 33, 67...
 

Entropy:
7.9972

Packer / compiler:
PECompact v2

Code size:
3.3 MB (3,420,160 bytes)

Windows Firewall Allowed Program
Name:
C:\Documents and Settings\jerry\My Documents\Downloads\mwo.exe


The file mwo.exe has been seen being distributed by the following URL.

http://mwo.playcomet.com/.../mwo.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 200.104.196.104.bc.googleusercontent.com  (104.196.104.200:80)

TCP:
Connects to m2735.contabo.host  (213.136.75.235:5435)

TCP (HTTP):
Connects to ec2-54-213-173-26.us-west-2.compute.amazonaws.com  (54.213.173.26:80)

TCP (HTTP):
Connects to 98.99.c0ad.ip4.static.sl-reverse.com  (173.192.153.152:80)

Scan mwo.exe - Powered by Reason Core Security