notification.exe

Qtrax Inc

The application notification.exe by Qtrax Inc has been detected as a potentially unwanted program by 2 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘QtraxNotification’. The file has been seen being downloaded from content.qtrax.com. While running, it connects to the Internet address server-54-230-163-87.jax1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Qtrax Inc  (signed and verified)

MD5:
74b68b374674f31706db6976b9ef7ca6

SHA-1:
099697c187054f84e2c3a3cc2f30bd1b5134048b

SHA-256:
b90e88e196a8961aefc48a09695c87ad4e0b86d461901b25daf43d6f059545a9

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/22/2024 8:35:30 PM UTC

Scan engine        | Detection                     | Engine version
Comodo Security    | Heur.Suspicious               | 17316
Reason Heuristics  | PUP.Optional.Startup.Qtrax.M  | 14.3.2.14

File size:
115.8 KB (118,568 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\notification.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
7/31/2012 9:21:42 PM

Valid to:
5/15/2014 12:09:01 AM

Subject:
CN=Qtrax Inc, O=Qtrax Inc, L=New York, S=NY, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B85B70415878A

File PE Metadata
Compilation timestamp:
7/29/2013 3:44:16 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:YjE82YC4ORjTm2botKWyp+O3cn2woZ0iFSXGVKb8NU7T98HuznihdPdsKd2OCt:+E82YsjTcI+OMC0aSXt8Wl8HuMrdHC

Entry address:
0x8358


Entropy:
6.5072

Code size:
81.5 KB (83,456 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
QtraxNotification

Command:
C:\users\duchateau\qtrax\player\notification.exe


The file notification.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

Remove notification.exe - Powered by Reason Core Security