Proxomitron.exe

The application Proxomitron.exe has been detected as a potentially unwanted program by 1 of 68 anti-malware scanners. That single detection is a heuristic one (see the scanner table below), so on its own it is a weak signal rather than strong evidence of a threat: the version resources, the copyright string (Scott R. Lemmon, 1999-2003) and the June 2003 compile timestamp all match the well-known Proxomitron local HTTP filtering proxy, whose final release was 4.5 "Naoko". Treat the verdict as something to verify against the hashes below, not as a confirmed finding. While running, the sample connected to ip-172-31-4-164.ec2.internal (172.31.4.164) on port 30080. Note that 172.31.0.0/16 is RFC 1918 private address space and the ec2.internal suffix is the analysis host's own AWS VPC naming, so this is not an Internet address; the most plausible reading is that it belongs to the sandbox's network rather than being a destination chosen by the file.
Publisher:
Groom-A-Zebu (tm)

Product:
Proxomitron

Description:
The Proxomitron

Version:
4, 5, 0, 4

MD5:
f2867bee7180cdc839f7636fddc1aa74

SHA-1:
7fc01eba7f5d9fd6cbb8155777df41e3e045001a

SHA-256:
7adc0296d97e24417000c5cac53c8dfb34a5e6ddedceec168ffe45648803285b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 2:02:40 AM UTC

Scan engine          Detection                          Engine version
Reason Heuristics    PUP.LoadMoney.GroomAZebutm.Meta    15.6.5.11

File size:
288.5 KB (295,424 bytes)

Product version:
Naoko-4.5 2003-6-1

Copyright:
Copyright © 1999 - 2003 By Scott R. Lemmon

Trademarks:
Proxomitron, The, and the letters A-Z

Original file name:
Proxomitron.exe

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
6/2/2003 9:13:08 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.10

CTPH (ssdeep):
3072:F2+R4Eye/dd2fkXhQsvY9pncMX2KgOBwrV4CEgJVEhQHZNOLo3I8Ggk7tbtedtp2:F2+RNye/dd28X0j9rwrV1ZKF/8Jk7xs

Entry address:
0x25D00

Entry point:
55, 8B, EC, 6A, FF, 68, A8, 65, 42, 00, 68, F0, 5C, 42, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, C4, 98, 53, 56, 57, 89, 65, E8, C7, 45, FC, 00, 00, 00, 00, 6A, 02, FF, 15, F0, 61, 42, 00, 83, C4, 04, C7, 05, 74, C7, 42, 00, FF, FF, FF, FF, C7, 05, 78, C7, 42, 00, FF, FF, FF, FF, FF, 15, 40, 61, 42, 00, 8B, 0D, 04, C6, 42, 00, 89, 08, FF, 15, 38, 61, 42, 00, 8B, 15, 00, C6, 42, 00, 89, 10, A1, 3C, 61, 42, 00, 8B, 08, 89, 0D, 7C, C7, 42, 00, E8, 76, 01, 00, 00, A1, 40, C4, 42, 00, 85...
 
Entropy:
6.9665

Developed / compiled with:
Microsoft Visual C++

Code size:
148 KB (151,552 bytes)
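The hashes and PE header fields above are the values a practitioner should confirm on a local copy before trusting this report's verdict either way. The following is an added example (not code from the report or from Reason Core Security) that checks a file against the report's MD5/SHA-1/SHA-256, reads the compile timestamp, linker version, OS version, entry point RVA, code size and subsystem straight from the PE32 headers with the standard library only, and computes the byte entropy. Because the real Proxomitron.exe is not on the page, the sample input is a constructed minimal PE32 image carrying the same header values as the report; every hash check against it is expected to fail, which is exactly the behaviour you want from a copy that is not the analysed file.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Hash values copied from the report above. A local copy that does not match
# all three is not the file this report describes.
REPORT_HASHES = {
    "md5": "f2867bee7180cdc839f7636fddc1aa74",
    "sha1": "7fc01eba7f5d9fd6cbb8155777df41e3e045001a",
    "sha256": "7adc0296d97e24417000c5cac53c8dfb34a5e6ddedceec168ffe45648803285b",
}
# Compilation timestamp from the report (PE TimeDateStamp values are UTC epoch seconds).
REPORT_COMPILED = datetime(2003, 6, 2, 9, 13, 8, tzinfo=timezone.utc)

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def check_hashes(data: bytes, expected: dict) -> dict:
    """Return {algorithm: bool} comparing data against the expected hex digests."""
    return {alg: hashlib.new(alg, data).hexdigest() == hexdigest.lower()
            for alg, hexdigest in expected.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_summary(data: bytes) -> dict:
    """Read the header fields the report lists directly from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER32
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here; got 0x%x" % magic)
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)    # AddressOfEntryPoint
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    return {
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "linker": "%d.%d" % (major_linker, minor_linker),
        "os_version": "%d.%d" % (major_os, minor_os),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entropy": round(shannon_entropy(data), 4),
    }


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE32 image (not the real Proxomitron.exe) whose header
    fields mirror the report, so the parser can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 5, 10)   # PE32, linker 5.10
    struct.pack_into("<I", opt, 4, 151552)           # SizeOfCode
    struct.pack_into("<I", opt, 16, 0x25D00)         # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)           # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(range(256)) * 4


if __name__ == "__main__":
    sample = build_sample_pe(int(REPORT_COMPILED.timestamp()))
    print(pe_summary(sample))
    print(check_hashes(sample, REPORT_HASHES))   # all False: the sample is not the analysed file
```

To check a real copy, replace `sample` with `open(path, "rb").read()`; a file whose three hashes all match is the artefact the report analysed, and its `pe_summary` should reproduce the timestamp, linker and entry point listed above. The parser deliberately rejects PE32+ (64-bit) images rather than silently reading the wrong offsets.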

The executing file has been seen to make the following network communications in live environments. Read them with the product in mind: Proxomitron is a forwarding HTTP proxy, so once a browser or other client is pointed at it, every site that client requests shows up as an outbound connection from Proxomitron.exe. The destinations below (a facebook.com edge node, Yahoo search hosts, Akamai and Amazon EC2 hosts, an Avast host, a OneDrive API endpoint on 1drv.com) are consistent with ordinary web traffic relayed through the proxy and should not be treated as command-and-control indicators without the captured request contents.

TCP (HTTP):
Connects to idp-proxy02.mia.ff.avast.com  (77.234.42.70:80)

TCP (HTTP SSL):
Connects to ec2-35-165-39-15.us-west-2.compute.amazonaws.com  (35.165.39.15:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lhr3.facebook.com  (31.13.90.36:443)

TCP (HTTP SSL):
Connects to a104-122-104-204.deploy.static.akamaitechnologies.com  (104.122.104.204:443)

TCP (HTTP SSL):
Connects to ec2-54-85-82-243.compute-1.amazonaws.com  (54.85.82.243:443)

TCP (HTTP SSL):
Connects to ec2-54-243-83-16.compute-1.amazonaws.com  (54.243.83.16:443)

TCP (HTTP SSL):
Connects to ec2-52-5-72-220.compute-1.amazonaws.com  (52.5.72.220:443)

TCP (HTTP SSL):
Connects to a23-57-242-63.deploy.static.akamaitechnologies.com  (23.57.242.63:443)

TCP (HTTP SSL):
Connects to a23-47-245-184.deploy.static.akamaitechnologies.com  (23.47.245.184:443)

TCP (HTTP SSL):
Connects to i-sn2-cor001.api.p001.1drv.com  (40.77.225.251:443)

TCP (HTTP):
Connects to a122-252.138-194.deploy.akamaitechnologies.com  (122.252.138.194:80)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:443)

TCP (HTTP SSL):
Connects to l1.ycs.vip.inc.yahoo.com  (203.84.220.80:443)

TCP:
Connects to ip-172-31-4-164.ec2.internal  (172.31.4.164:30080)

TCP (HTTP):
Connects to ec2-54-69-114-228.us-west-2.compute.amazonaws.com  (54.69.114.228:80)

TCP (HTTP):
Connects to ec2-54-191-37-103.us-west-2.compute.amazonaws.com  (54.191.37.103:80)

TCP (HTTP SSL):
Connects to ec2-52-24-97-192.us-west-2.compute.amazonaws.com  (52.24.97.192:443)

TCP (HTTP SSL):
Connects to ec2-35-160-129-144.us-west-2.compute.amazonaws.com  (35.160.129.144:443)
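Before adding any of the destinations above to a blocklist, it is worth separating public Internet hosts from addresses that belong to the analysis environment itself. The following is an added example (not code from the report or from Reason Core Security) that parses entries in the exact "TCP (...):" / "Connects to host (ip:port)" layout used above, tolerates the empty entries the extracted report contains, and flags private-range addresses, AWS VPC-internal names and non-web ports. The sample input is a subset of the report's own entries copied verbatim, including one blank entry; the domain grouping by the last two labels is a rough heuristic, not a public-suffix lookup.

```python
import ipaddress
import re
from collections import Counter

# Subset of the entries listed in the report above, copied as extracted
# (including one entry whose destination line is missing).
REPORT_CONNECTIONS = """\
TCP (HTTP):
Connects to idp-proxy02.mia.ff.avast.com  (77.234.42.70:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lhr3.facebook.com  (31.13.90.36:443)

TCP (HTTP SSL):

TCP (HTTP SSL):
Connects to a23-57-242-63.deploy.static.akamaitechnologies.com  (23.57.242.63:443)

TCP (HTTP SSL):
Connects to i-sn2-cor001.api.p001.1drv.com  (40.77.225.251:443)

TCP:
Connects to ip-172-31-4-164.ec2.internal  (172.31.4.164:30080)

TCP (HTTP):
Connects to ec2-54-69-114-228.us-west-2.compute.amazonaws.com  (54.69.114.228:80)
"""

CONNECT_RE = re.compile(r"Connects to (\S+)\s+\(([\d.]+):(\d+)\)")


def parse_connections(text: str) -> list:
    """Turn the report's two-line entries into dicts; a header with no
    'Connects to' line (an extraction artefact) is simply dropped."""
    entries, proto = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.fullmatch(line)
        if m and proto:
            entries.append({"proto": proto, "host": m.group(1),
                            "ip": m.group(2), "port": int(m.group(3))})
            proto = None
        elif line.endswith(":"):
            proto = line[:-1]          # e.g. "TCP (HTTP SSL)"; overwritten if no destination follows
    return entries


def triage(entry: dict) -> dict:
    """Annotate one entry with the reasons it does or does not look like an Internet destination."""
    ip = ipaddress.ip_address(entry["ip"])
    notes = []
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        notes.append("RFC 1918/non-routable address: sandbox or VPC infrastructure, not an Internet destination")
    if entry["host"].endswith(".ec2.internal"):
        notes.append("AWS VPC-internal name: resolves only inside the analysis host's own VPC")
    if entry["port"] not in (80, 443):
        notes.append("non-web port %d" % entry["port"])
    return {**entry, "public": ip.is_global, "notes": notes}


def summarize(text: str) -> dict:
    """Counts of public vs. non-public destinations, a rough per-domain tally, and flagged entries."""
    triaged = [triage(e) for e in parse_connections(text)]
    by_domain = Counter(".".join(e["host"].split(".")[-2:]) for e in triaged)  # heuristic grouping
    return {
        "count": len(triaged),
        "public": sum(1 for e in triaged if e["public"]),
        "non_public": sum(1 for e in triaged if not e["public"]),
        "by_domain": by_domain,
        "flagged": [e for e in triaged if e["notes"]],
    }


if __name__ == "__main__":
    result = summarize(REPORT_CONNECTIONS)
    print(result["count"], "entries;", result["public"], "public,", result["non_public"], "non-public")
    for e in result["flagged"]:
        print("%s:%d -> %s" % (e["host"], e["port"], "; ".join(e["notes"])))
```

Run against the full list above, the only entry that is flagged is 172.31.4.164:30080, which is precisely the one the summary at the top of the report singles out as an "Internet address"; everything else resolves to public CDN, cloud or service ranges on ports 80 and 443.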

Analysis report powered by Reason Core Security.