raindrop v2.exe

SmartFTP Client

The executable raindrop v2.exe has been detected as malware by 25 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘rundll32’. While running, it connects to the Internet address unallocated.barefruit.co.uk on port 42099.
Publisher:
Tomb Raider: Anniversary (signed by SmartFTP Client)

Product:
Tomb Raider: Anniversary

Version:
1.0.9

MD5:
cf0fee2d19dd266fed41d8855902932d

SHA-1:
5ffc616c9af3a362ea440e2f51f6dce7527899ad

SHA-256:
d54b8f5c8a8af158d9c32fd8dbaa56dadfaac97f7f3cca2207366ad65e6daec0

Scanner detections:
25 / 68

Status:
Malware

Analysis date:
1/13/2025 4:21:51 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Razy.60867
-1

AegisLab AV Signature
Troj.W32.Gen.lXhm
2.1.4+

AhnLab V3 Security
Trojan/Win32.Injector.R154309
3.8.3.16

Avira AntiVirus
TR/Inject.owpanjt
8.3.3.4

Arcabit
Trojan.Razy.DEDC3
1.0.0.795

avast!
MSIL:GenMalicious-DZ [Trj]
2014.9-170205

AVG
MSIL4
2018.0.2477

Baidu Antivirus
MSIL.Trojan.Injector
4.0.3.1725

Bitdefender
Gen:Variant.Razy.60867
1.0.20.180

Dr.Web
BackDoor.Comet.1783
9.0.1.036

Emsisoft Anti-Malware
Gen:Variant.Razy.60867
8.17.02.05.05

ESET NOD32
MSIL/Injector.ESI (variant)
11.14884

Fortinet FortiGate
MSIL/Injector.ESI!tr
2/5/2017

F-Prot
W32/S-5ee74cca
v6.4.7.1.166

F-Secure
Gen:Variant.Razy.60867
11.2017-05-02_1

G Data
Gen:Variant.Razy.60867
17.2.25

IKARUS anti.virus
Trojan.MSIL4
0.1.3.4

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.-1121

Malwarebytes
Backdoor.Agent.TMPGen
v2017.02.05.05

Microsoft Security Essentials
Trojan:MSIL/Toauta
1.1.13407.0

MicroWorld eScan
Gen:Variant.Razy.60867
18.0.0.108

NANO AntiVirus
Trojan.Win32.Comet.dfkpgi
1.0.70.15039

Qihoo 360 Security
HEUR/QVM03.0.0000.Malware.Gen
1.0.0.1120

Sophos
Troj/MSILInj-HE
4.98

VIPRE Antivirus
Trojan.MSIL.Toauta.b
55744

File size:
932.4 KB (954,736 bytes)

Product version:
1.0.9

Copyright:
Copyright (C) 2007 Eidos Inc.

Trademarks:
Crystal Dynamics(R), the Crystal Dynamics(R) logo and the Eidos(R) logo are registered trademarks of the Eidos Group of Companies

Original file name:
raindrop v2.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\raindrop v2.exe

Digital Signature
Signed by:

Authority:
SmartFTP Client

Valid from:
1/2/2014 6:56:32 AM

Valid to:
1/2/2114 6:56:32 AM

Subject:
CN=SmartFTP Client

Issuer:
CN=SmartFTP Client

Serial number:
6C7C1723381A15A44161851A894BF545

File PE Metadata
Compilation timestamp:
2/4/2017 8:38:38 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0xBD8BE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.7628

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
750.5 KB (768,512 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
rundll32

Command:
C:\users\{user}\appdata\roaming\qmsvplry.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to unallocated.barefruit.co.uk (92.242.132.16:42099)

TCP (HTTP):
Connects to a2-16-4-56.deploy.akamaitechnologies.com (2.16.4.56:80)

Remove raindrop v2.exe - Powered by Reason Core Security