home

rmfon.exe

RMFon

Radio Muzyka Fakty sp. z o.o.

The executable rmfon.exe has been detected as malware by 5 anti-virus scanners. While running, it connects to the Internet address xx-fbcdn-shv-01-ams3.fbcdn.net on port 443.
Publisher:
Radio Muzyka Fakty sp. z o.o.

Product:
RMFon

Version:
1.3.0.0

MD5:
ff1de5ce089e3abf3f3bb8076b9ae394

SHA-1:
c4bfdec686f955ede45f3b6d786c6af48cac1f1d

SHA-256:
ef0a1507ab6da1390ba8fdb6445665017c09c46102ca59bbec860fdae3650738

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/23/2024 9:36:21 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Trojan/Win32.Xema
2014.08.28

avast!
Win32:Dropper-gen [Drp]
2014.9-140927

IKARUS anti.virus
Trojan.SuspectCRC
t3scan.1.7.5.0

McAfee
Artemis!FF1DE5CE089E
5600.6994

Qihoo 360 Security
Win32/Trojan.Dropper.c9f
1.0.0.1015

File size:
284 KB (290,816 bytes)

Product version:
1.3.0.0

Copyright:
Copyright © 2011 Radio Muzyka Fakty sp. z o.o.

Original file name:
rmfon.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\rmfon\rmfon.exe

File PE Metadata
Compilation timestamp:
8/9/2012 1:09:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:y1is/GB7VyDQRm/0tKb4p+3cGrOqWx4s5tp+20YeKDCKo3Xq8cukTxdddyW5DH:Gis/GBAWxd5tp+206CKo3XqVuUDH

Entry address:
0x43F72

Entry point:
FF, 25, 80, 3F, 44, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, 3F, 04, 00, 00, 00, 00, 00, 00, 00, 00, 00, 8E, F1, 22, 50, 00, 00, 00, 00, 02, 00, 00, 00, 5C, 00, 00, 00, A4, 3F, 04, 00, A4, 21, 04, 00, 52, 53, 44, 53, 47, 98, 34, 5F, 76, 53, 76, 43, 90, 07, 67, B7, F1, 61, 41, 14, 01, 00, 00, 00, 43, 3A, 5C, 55, 73, 65, 72, 73, 5C, 6D, 61, 72, 65, 6B, 2E, 6A, 61, 6E, 69, 6B, 5C, 44, 65, 73, 6B, 74, 6F, 70, 5C, 52, 4D, 46, 6F, 6E, 5C, 72, 6D, 66, 6F, 6E, 5F, 74, 72, 61, 79, 61, 70, 70, 5C, 66, 75, 6C, 6C, 5C...
 
[+]

Code size:
264 KB (270,336 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to sulley.rmf.pl  (217.74.66.210:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-ams3.fbcdn.net  (31.13.91.6:443)

TCP (HTTP):
Connects to static.interia.pl  (217.74.71.132:80)

TCP (HTTP):
Connects to mike.rmf.pl  (217.74.66.211:80)

TCP (HTTP):
Connects to www.rmfon.pl  (217.74.66.216:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-ams3.facebook.com  (31.13.91.36:443)

TCP (HTTP):
Connects to cv.interia.pl  (217.74.71.140:80)

TCP (HTTP SSL):
Connects to a23-40-242-125.deploy.static.akamaitechnologies.com  (23.40.242.125:443)

TCP (HTTP SSL):
Connects to a23-38-36-83.deploy.static.akamaitechnologies.com  (23.38.36.83:443)

TCP (HTTP):
Connects to www.rmf24.pl  (217.74.71.145:80)

TCP (HTTP):
Connects to vip1.g5.cachefly.net  (205.234.175.175:80)

TCP (HTTP):
Connects to server-54-192-12-30.ams1.r.cloudfront.net  (54.192.12.30:80)

TCP (HTTP SSL):
Connects to s1-eu.adformnet.akadns.net  (37.157.6.252:443)

TCP (HTTP):
Connects to rev-213.189.48.245.atman.pl  (213.189.48.245:80)

TCP (HTTP):
Connects to msnbot-207-46-194-10.search.msn.com  (207.46.194.10:80)

TCP (HTTP SSL):
Connects to mpr1.ngd.vip.ir2.yahoo.com  (217.12.15.83:443)

TCP (HTTP):
Connects to interia.hit.gemius.pl  (217.74.74.29:80)

TCP (HTTP):
Connects to hub.com.pl  (217.74.74.30:80)

TCP (HTTP):
Connects to gruul.rmf.pl  (37.187.248.76:80)

TCP (HTTP):
Connects to ec2-79-125-12-114.eu-west-1.compute.amazonaws.com  (79.125.12.114:80)

Remove rmfon.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.