ProxyFinder.EXE

Proxy Finder Enterprise Edition Application

The executable ProxyFinder.EXE, “ Proxy Finder MFC Application” has been detected as malware by 6 anti-virus scanners. While running, it connects to the Internet address w3.theta.ag on port 80 using the HTTP protocol.
Product:
Proxy Finder Enterprise Edition Application

Description:
Proxy Finder MFC Application

Version:
2, 5, 0, 1

MD5:
80369d826b3e19816b67057f03944f01

SHA-1:
ea746708c5bcbb4ea9433cd0b7b009491817d148

SHA-256:
c974d2bba6f6bfb328f891757bee1d471c734c2dfccdbc4223bcee00da7cb889

Scanner detections:
6 / 68

Status:
Malware

Explanation:
The software cotains keystroke monitoring/logging capablities which may or may not be installed without the user's knowledge.

Analysis date:
12/23/2024 2:35:03 PM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clod47a.Trojan
1.3.0.4959

F-Prot
W32/MalwareF.GUPV
v6.4.7.1.166

IKARUS anti.virus
possible-Threat.Crack.ProxyFinder
t3scan.2.2.29

K7 AntiVirus
Riskware
13.176.11524

Malwarebytes
Spyware.Keylogger
v2014.03.28.04

Norman
Suspicious_Gen2.QPFLW
11.20140328

File size:
240 KB (245,760 bytes)

Product version:
2, 5, 0, 1

Copyright:
Copyright (C) 2007

Original file name:
ProxyFinder.EXE

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\proxy finder\proxyfinder.exe

File PE Metadata
Compilation timestamp:
10/22/2006 7:01:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:A/2eNvsKPdFFzdSc7HqVdLNLko2xyPmwQoSBJ:C2eNvse1zEKHadpLgyP6oS

Entry address:
0xAA340

Entry point:
60, BE, 00, 90, 47, 00, 8D, BE, 00, 80, F8, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, BC, 7C, 0A, 00, 57, 83, C3, 04, 53, 68, 31, 13, 03, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
 
[+]

Entropy:
7.6953

Code size:
200 KB (204,800 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to w3.theta.ag  (195.26.206.106:80)

TCP (HTTP):
Connects to static-ip-69-64-54-126.inaddr.ip-pool.com  (69.64.54.126:80)

TCP (HTTP):
Connects to samair.ru  (92.48.97.11:80)

TCP (HTTP):
Connects to ec2-54-72-9-51.eu-west-1.compute.amazonaws.com  (54.72.9.51:80)

TCP (HTTP):
Connects to client-108-174-194-30.hostwindsdns.com  (108.174.194.30:80)

TCP (HTTP):
Connects to madison.da-ps.com  (108.61.40.123:80)

TCP (HTTP):
Connects to freewebhostingarea.com  (64.31.54.150:80)

TCP (HTTP):
Connects to foxtrot030.startdedicated.com  (85.25.8.14:80)

TCP (HTTP):
Connects to s2.sechost.ru  (91.226.10.39:80)

TCP (HTTP):
Connects to 144.76.145.166.maximus.free.hosting  (144.76.145.166:80)

TCP (HTTP):
Connects to server2.memebridge.com  (198.102.28.34:80)

TCP (HTTP):
Connects to ip-143-95-106-254.iplocal  (143.95.106.254:80)

TCP (HTTP):
Connects to dmpro-ca-01.fooservers.com  (167.114.156.214:80)

TCP (HTTP):
Connects to 163-172-68-142.rev.poneytelecom.eu  (163.172.68.142:80)

TCP (HTTP):
Connects to 108-61-40-125.constant.com  (108.61.40.125:80)

TCP (HTTP):
Connects to server-54-230-202-237.fra50.r.cloudfront.net  (54.230.202.237:80)

TCP (HTTP):
Connects to ddos.su  (188.165.2.244:80)

TCP (HTTP):
Connects to custip-2080.sedoparking.com  (91.195.241.80:80)

TCP (HTTP):
Connects to 74-50-122-122.static.hvvc.us  (74.50.122.122:80)

TCP (HTTP):
Connects to server-54-192-147-223.sfo4.r.cloudfront.net  (54.192.147.223:80)

Remove ProxyFinder.EXE - Powered by Reason Core Security