rxqg2o_c.exe

Zen Bros Media

The file rxqg2o_c.exe by Zen Bros Media has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from intva31.retailuber.info and multiple other hosts.
Publisher:
Zen Bros Media  (signed and verified)

MD5:
92d4e206942aaa16895ba20417617dde

SHA-1:
380b2157175c3c03dda8af6b1556c06da011ece2

SHA-256:
81ad6d51a7c2b5d4fb1513c37e2418c9631191a4d280d594a33a1fd72bd468a6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 9:04:58 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.DownloadAdmin.ZenBrosM (M)
16.6.19.8

File size:
429.3 KB (439,560 bytes)

Common path:
C:\users\{user}\appdata\local\temp\rxqg2o_c.exe.part

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
3/9/2016 5:12:43 AM

Valid to:
3/9/2017 5:12:43 AM

Subject:
CN=Zen Bros Media, O=Zen Bros Media, L=SAN FRANCISCO, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00DA69A0BD854BB554

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
3.0

CTPH (ssdeep):
12288:qzxKdSZiZRNS8hZiMYpQ3qyNwkJAH/YdU8npOBmk8Q:qlKdSYR9hZiMYpQ3qyekJMAdU8ncBmkl

Entry address:
0x4D830

Entry point:
C6, 05, 70, E2, 44, 00, 00, B9, 00, 10, 46, 00, BA, 04, 10, 46, 00, B8, B0, 07, 45, 00, E8, 65, FF, FF, FF, E8, 70, FF, FF, FF, B8, 90, 07, 45, 00, E8, C6, 39, FC, FF, C3, 00, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.4615

Code size:
306.1 KB (313,456 bytes)

The file rxqg2o_c.exe has been seen being distributed by the following 5 URLs.

http://intva31.retailuber.info/dl-pure/1203367/.../?bc=1203367&checksum=64448116&ephemeral=1&filename=adobe_flash_player.exe&cb=667607531&hashstring=ZBysvbIt7D22&usefilename=true&executableroutePath=1202485&stub=true

Remove rxqg2o_c.exe - Powered by Reason Core Security