ocs_v71b.exe

OCS

The application ocs_v71b.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. This program installs potentially unwanted software on your PC at the same time as the software you are trying to install, without adequate consent. While running, it connects to the Internet address h1893583.stratoserver.net on port 8080.
Publisher:
OCS

Product:
OCS

Version:
1.0.0.0

MD5:
5e1c31b168db60e73ce4c9537f951bf0

SHA-1:
2714db0a06f74a4282cddc307ea1599670422e09

SHA-256:
87b6754169bb92e78d357067330389dde2b8b90a65394cad601d9f5f97804e0d

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 10:01:07 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.DownloadSponsor.B
855

Baidu Antivirus
Trojan.Win32.DownloadSponsor
4.0.3.14102

Bitdefender
Application.Bundler.DownloadSponsor.B
1.0.20.1375

Comodo Security
UnclassifiedMalware
18803

ESET NOD32
Win32/DownloadSponsor (variant)
8.10002

Fortinet FortiGate
Riskware/DownloadSponsor
10/2/2014

F-Secure
Application.Bundler.DownloadSponsor
11.2014-02-10_5

G Data
Application.Bundler.DownloadSponsor
14.10.24

IKARUS anti.virus
AdWare.DownloadSponsor
t3scan.1.6.1.0

McAfee
RDN/Downloader.a!rt
5600.6989

MicroWorld eScan
Application.Bundler.DownloadSponsor.B
15.0.0.825

Sophos
Generic PUA CH
4.98

Trend Micro House Call
Suspicious_GEN.F47V0626
7.2.275

VIPRE Antivirus
DownloadSponsor
30670

File size:
311 KB (318,464 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Project OCS

Original file name:
OCS.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ocs_v71b.exe

File PE Metadata
Compilation timestamp:
6/26/2014 10:53:30 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:21k9Qi2kBQ9n3Hto0HbSb00Bn1ZjhFt0LL4KIufP:seBQ9n3Wcbq0MZjnQj

Entry address:
0x4BCBE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
295.5 KB (302,592 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www2.thinklabs-cluster.de  (46.4.173.131:80)

TCP (HTTP):
Connects to www1.thinklabs-cluster.de  (88.198.27.201:80)

TCP (HTTP SSL):
Connects to prxy2.thinklabs-cluster.de  (46.4.173.132:443)

TCP (HTTP):
Connects to openx-farm.l3muc-b.cxo.name  (212.162.62.38:80)

TCP (HTTP):
Connects to h1893583.stratoserver.net  (85.214.110.225:8080)

TCP (HTTP SSL):
Connects to h1827286.stratoserver.net  (85.214.210.27:443)

TCP (HTTP):
Connects to dls.thinklabs-cluster.de  (144.76.75.91:80)

Remove ocs_v71b.exe - Powered by Reason Core Security