» saber.exe
Overview
Analysis
File Details
Behaviors (1)
Network (25)

saber.exe

Dening Hu

The application saber.exe by Dening Hu has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “winsaber”. While running, it connects to the Internet address server-54-192-25-160.mxp4.r.cloudfront.net on port 80 using the HTTP protocol.

File name:

saber.exe

Publisher:

Dening Hu (signed and verified)

MD5:

6982589c49aa0c4b4fd08455d68a9c8f

SHA-1:

2e2d62e8d1b27dfb255fe578bf2a26dab1708f34

SHA-256:

4168559bd0742ef3ec25ab8f152c290617096aa36bf1b9a8c8b96f24a87ea198

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

11/23/2024 2:46:02 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Elex (M)

16.9.23.10

File size:

437.7 KB (448,216 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\windows\temp\{random}.tmp\tools\saber.exe

Digital Signature

Signed by:

Dening Hu

Authority:

thawte, Inc.

Valid from:

9/21/2016 7:00:00 PM

Valid to:

6/8/2017 6:59:59 PM

Subject:

CN=Dening Hu, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

7986DA5F93A0A631551A2F4F1B1666BF

File PE Metadata

Compilation timestamp:

9/23/2016 4:53:48 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

14.0

CTPH (ssdeep):

12288:h8QR/Xu7cmSKpQg8v46ilYJcO2zaAp/ktoH6YWZ:7Rm7ZSKOgEJcveApO9

Entry address:

0x24089

Entry point:

E8, 3D, 04, 00, 00, E9, 80, FE, FF, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 1F, 85, FE, FF, C7, 06, 60, D8, 44, 00, 8B, C6, 5E, 5D, C2, 04, 00, 83, 61, 04, 00, 8B, C1, 83, 61, 08, 00, C7, 41, 04, 68, D8, 44, 00, C7, 01, 60, D8, 44, 00, C3, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, EC, 84, FE, FF, C7, 06, 7C, D8, 44, 00, 8B, C6, 5E, 5D, C2, 04, 00, 83, 61, 04, 00, 8B, C1, 83, 61, 08, 00, C7, 41, 04, 84, D8, 44, 00, C7, 01, 7C, D8, 44, 00, C3, 55, 8B, EC, 83, EC, 0C, 8D, 4D, F4, E8, DA, FF, FF, FF, 68, 84... 
[+]

Entropy:

6.5091

Code size:

303.5 KB (310,784 bytes)

Service

Display name:

winsaber

Type:

Win32OwnProcess

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to server-54-192-25-160.mxp4.r.cloudfront.net (54.192.25.160:80)

TCP (HTTP):

Connects to server-54-192-25-148.mxp4.r.cloudfront.net (54.192.25.148:80)

TCP (HTTP):

Connects to server-54-192-203-54.fra50.r.cloudfront.net (54.192.203.54:80)

TCP (HTTP):

Connects to server-54-192-203-234.fra50.r.cloudfront.net (54.192.203.234:80)

TCP:

Connects to ip-172-30-172-5.ec2.internal (172.30.172.5:3128)

TCP (HTTP):

Connects to server-54-230-141-53.sfo5.r.cloudfront.net (54.230.141.53:80)

TCP (HTTP):

Connects to server-54-230-141-108.sfo5.r.cloudfront.net (54.230.141.108:80)

TCP (HTTP):

Connects to server-54-230-163-182.jax1.r.cloudfront.net (54.230.163.182:80)

TCP (HTTP):

Connects to server-54-230-163-166.jax1.r.cloudfront.net (54.230.163.166:80)

TCP (HTTP):

Connects to server-52-85-83-16.lax1.r.cloudfront.net (52.85.83.16:80)

TCP (HTTP):

Connects to server-52-85-77-157.lax3.r.cloudfront.net (52.85.77.157:80)

TCP (HTTP):

Connects to server-52-84-25-13.sea32.r.cloudfront.net (52.84.25.13:80)

TCP (HTTP):

Connects to server-52-84-246-59.sfo20.r.cloudfront.net (52.84.246.59:80)

TCP (HTTP):

Connects to server-52-84-246-247.sfo20.r.cloudfront.net (52.84.246.247:80)

TCP (HTTP):

Connects to server-52-84-246-146.sfo20.r.cloudfront.net (52.84.246.146:80)

TCP (HTTP):

Connects to server-54-240-186-36.mad50.r.cloudfront.net (54.240.186.36:80)

TCP (HTTP):

Connects to server-54-240-186-134.mad50.r.cloudfront.net (54.240.186.134:80)

TCP (HTTP):

Connects to server-54-240-186-130.mad50.r.cloudfront.net (54.240.186.130:80)

TCP (HTTP):

Connects to server-54-230-216-53.mrs50.r.cloudfront.net (54.230.216.53:80)

TCP (HTTP):

Connects to server-54-230-216-140.mrs50.r.cloudfront.net (54.230.216.140:80)

Remove saber.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.