notification.exe

Qtrax Inc

The application notification.exe by Qtrax Inc has been flagged as a potentially unwanted program by 2 of the 68 anti-malware scanners consulted (Dr.Web classifies it as a downloader, DLOADER.Trojan; Reason Heuristics as PUP.Optional.Startup.Qtrax.M). This is a setup program which is used to install the application. It is set to start automatically when a user logs into Windows, via the current-user Run registry key under the value name 'QtraxNotification'. The file has been seen being downloaded from content.qtrax.com. While running, it connects over plain HTTP (TCP port 80) to Amazon CloudFront edge hosts such as server-52-85-74-196.lhr3.r.cloudfront.net; because CloudFront answers from whichever edge is nearest, the exact host names and IP addresses differ from run to run and are weak indicators on their own. The binary is Authenticode-signed by Qtrax Inc, but the signing certificate expired on 5/14/2014, so the signature verifies as valid today only if the file carries a countersignature timestamp from inside that validity window; otherwise Windows reports the certificate as expired.
Publisher:
Qtrax Inc  (signed and verified)

MD5:
522566a0a041d683a810cc6cb4117d57

SHA-1:
aae7bb9837bec2dad05d537e89f00ba5100b0333

SHA-256:
0b6b3ba8661fbeda18cf0ca0e66f2758e60b43a97e2144f2542cb5dfab49dcc2

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/23/2024 11:58:08 AM UTC

Scan engine          Detection                      Engine version
Dr.Web               DLOADER.Trojan                 9.0.1.0354
Reason Heuristics    PUP.Optional.Startup.Qtrax.M   14.3.2.15

File size:
113.3 KB (116,008 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\neo sami\qtrax\player\notification.exe

Digital Signature
Signed by:
Qtrax Inc
Authority:
GoDaddy.com, Inc.

Valid from:
7/31/2012 4:51:42 PM

Valid to:
5/14/2014 7:39:01 PM

Subject:
CN=Qtrax Inc, O=Qtrax Inc, L=New York, S=NY, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B85B70415878A

File PE Metadata
Compilation timestamp:
7/29/2013 11:16:13 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:xgJNegB9YXUyo3bR1gc9FcBGn/5Ou8gD4tBhbLNc23Kb6aUeT9pHKrnShdPObHVi:RgB9YX83bR1FKcOu835cb6z+pHKUEb1

Entry address:
0x7E78

Entry point:
E8, A1, 66, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 57, 56, E8, 2E, 68, 00, 00, 59, 83, F8, FF, 74, 50, A1, 20, C3, 41, 00, 83, FE, 01, 75, 09, F6, 80, 84, 00, 00, 00, 01, 75, 0B, 83, FE, 02, 75, 1C, F6, 40, 44, 01, 74, 16, 6A, 02, E8, 03, 68, 00, 00, 6A, 01, 8B, F8, E8, FA, 67, 00, 00, 59, 59, 3B, C7, 74, 1C, 56, E8, EE, 67, 00, 00, 59, 50, FF, 15, 2C, 61, 41, 00, 85, C0, 75, 0A, FF, 15, 04, 61, 41, 00, 8B, F8, EB, 02, 33, FF, 56, E8, 4A, 67, 00, 00, 8B, C6, C1, F8, 05, 8B, 04, 85...

Code size:
80.5 KB (82,432 bytes)
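The PE metadata above (compilation timestamp, OS version, linker version, subsystem, entry address, code size) all comes from the COFF and optional headers, and the entry-point bytes come from mapping the entry RVA through the section table. The following is an added example, not code from Reason Core Security or Qtrax: a small header parser that extracts exactly those fields, plus an MD5/SHA-1/SHA-256 comparison against the hashes published on this page. Because the real notification.exe is not included here, `build_sample_pe()` constructs a minimal PE32 image carrying the page's values so the parser can run offline; the hash check on that constructed image is expected to fail.

```python
"""Added example (not Reason Core Security or Qtrax code): extract the PE
metadata fields listed on this page and compare file hashes to the
published values."""
import hashlib
import struct
from datetime import datetime, timezone

# Hashes published on this page for notification.exe.
KNOWN_HASHES = {
    "md5": "522566a0a041d683a810cc6cb4117d57",
    "sha1": "aae7bb9837bec2dad05d537e89f00ba5100b0333",
    "sha256": "0b6b3ba8661fbeda18cf0ca0e66f2758e60b43a97e2144f2542cb5dfab49dcc2",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32", 0x8664: "Win64"}


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_HASHES}


def matches_known(data: bytes) -> dict:
    """Per-algorithm comparison against the page's hashes; all three should agree."""
    actual = file_hashes(data)
    return {alg: actual[alg] == digest for alg, digest in KNOWN_HASHES.items()}


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # Offsets 40 (OS version) and 68 (Subsystem) are identical for PE32 and PE32+.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Walk the section table to turn the entry RVA into a file offset.
    entry_offset = None
    for i in range(nsections):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_offset = raw_ptr + (entry_rva - va)
            break
    entry_bytes = data[entry_offset:entry_offset + 16] if entry_offset is not None else b""
    return {
        "pe_format": "PE32+" if magic == 0x20B else "PE32",
        "bitness": MACHINES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "entry_bytes": " ".join(f"{b:02X}" for b in entry_bytes),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image carrying this page's metadata values.
    It is NOT notification.exe; it only exists so the parser runs offline."""
    img = bytearray(0x7200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, 2013-07-29 11:16:13 UTC, optional header 0xE0 bytes
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 1375096573, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<HBBI", img, opt, 0x10B, 10, 0, 82432)   # PE32, linker 10.0, SizeOfCode
    struct.pack_into("<I", img, opt + 16, 0x7E78)              # AddressOfEntryPoint
    struct.pack_into("<HH", img, opt + 40, 5, 1)               # OS version 5.1
    struct.pack_into("<H", img, opt + 68, 2)                   # Windows GUI
    # One section ".text": RVA 0x1000, raw data at file offset 0x200, 0x7000 bytes
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x10000, 0x1000, 0x7000, 0x200)
    # First 16 entry-point bytes from the page, at file offset 0x200 + (0x7E78 - 0x1000)
    img[0x7078:0x7088] = bytes.fromhex("E8A1660000E989FEFFFF8BFF558BEC56")
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe(sample))
    print(matches_known(sample))   # all False: the constructed image is not the real file
```

Against a real sample, call `parse_pe(open(path, "rb").read())` and `matches_known(...)` on the same bytes; a match on all three hashes confirms the file is the one catalogued here, while a compile timestamp later than the certificate's expiry or a different entry stub means you are looking at a different build.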

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
QtraxNotification

Command:
C:\users\laptop\qtrax\player\notification.exe
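The persistence entry above lives in the per-user Run key and points into the user's profile directory, which needs no administrator rights to write. As an added example (not code from Reason Core Security or Qtrax), the following parses the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and flags every value whose executable sits in a user-writable location; the sample output is constructed, with the QtraxNotification line mirroring this page, and the other two entries are assumed for contrast.

```python
"""Added example (not Reason Core Security or Qtrax code): triage the HKCU Run
key from `reg query` output and flag entries in user-writable locations."""
import re
from pathlib import PureWindowsPath

# Constructed `reg query` output (not captured from a real host); the
# QtraxNotification line mirrors this page, the other entries are assumed.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCuiL.exe
    Teams    REG_SZ    "C:\Users\laptop\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"
    QtraxNotification    REG_SZ    C:\users\laptop\qtrax\player\notification.exe
"""

# reg query separates name, type and data with four spaces.
ENTRY_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
USER_VARS = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%")


def parse_run_entries(text: str) -> list:
    """Return (name, type, command) triples, one per value line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def executable_path(command: str) -> str:
    """Strip arguments from a Run command; handles quoted and bare paths."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def is_user_writable(path: str) -> bool:
    """True for paths under a user profile: no admin rights are needed to plant them."""
    low = path.lower()
    if any(var in low for var in USER_VARS):
        return True
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 2 and parts[0] == "c:\\" and parts[1] == "users"


def flag_user_writable(entries: list) -> list:
    """Names of Run values whose executable lives in a user-writable location."""
    return [name for name, _type, cmd in entries if is_user_writable(executable_path(cmd))]


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_REG_QUERY)
    for name, _type, cmd in found:
        print(f"{name:20} {executable_path(cmd)}")
    print("verify by hash/signature:", flag_user_writable(found))
```

A flagged entry is not a verdict: legitimate per-user installers also live under AppData. The point is that these are the entries to verify by file hash and Authenticode signature before trusting them, whereas values under Program Files required elevation to create and carry a different risk profile.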


The file notification.exe has been seen being distributed from content.qtrax.com.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-206-111.atl50.r.cloudfront.net  (54.230.206.111:80)

TCP (HTTP):
Connects to server-52-85-133-6.iad53.r.cloudfront.net  (52.85.133.6:80)

TCP (HTTP):
Connects to server-54-230-206-5.atl50.r.cloudfront.net  (54.230.206.5:80)

TCP (HTTP):
Connects to server-52-84-126-78.iad16.r.cloudfront.net  (52.84.126.78:80)

TCP (HTTP):
Connects to server-54-230-206-135.atl50.r.cloudfront.net  (54.230.206.135:80)

TCP (HTTP):
Connects to server-54-230-206-37.atl50.r.cloudfront.net  (54.230.206.37:80)

TCP (HTTP):
Connects to server-54-230-206-217.atl50.r.cloudfront.net  (54.230.206.217:80)

TCP (HTTP):
Connects to server-52-84-33-203.ewr50.r.cloudfront.net  (52.84.33.203:80)

TCP (HTTP):
Connects to server-54-230-163-6.jax1.r.cloudfront.net  (54.230.163.6:80)

TCP (HTTP):
Connects to server-54-230-81-38.mia50.r.cloudfront.net  (54.230.81.38:80)

TCP (HTTP):
Connects to server-54-230-5-31.dfw3.r.cloudfront.net  (54.230.5.31:80)

TCP (HTTP):
Connects to server-52-84-126-49.iad16.r.cloudfront.net  (52.84.126.49:80)

TCP (HTTP):
Connects to server-52-84-126-202.iad16.r.cloudfront.net  (52.84.126.202:80)

TCP (HTTP):
Connects to server-54-192-203-48.fra50.r.cloudfront.net  (54.192.203.48:80)

TCP (HTTP):
Connects to server-54-230-5-109.dfw3.r.cloudfront.net  (54.230.5.109:80)

TCP (HTTP):
Connects to server-54-192-130-220.ams50.r.cloudfront.net  (54.192.130.220:80)

TCP (HTTP):
Connects to server-52-85-133-115.iad53.r.cloudfront.net  (52.85.133.115:80)

TCP (HTTP):
Connects to server-54-192-19-209.iad12.r.cloudfront.net  (54.192.19.209:80)

TCP (HTTP):
Connects to server-52-85-133-183.iad53.r.cloudfront.net  (52.85.133.183:80)

TCP (HTTP):
Connects to server-52-84-126-36.iad16.r.cloudfront.net  (52.84.126.36:80)

Remove notification.exe - Powered by Reason Core Security