saber.exe

Dening Hu

The application saber.exe by Dening Hu has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “winsaber”. While running, it connects to the Internet address server-54-192-25-160.mxp4.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Dening Hu  (signed and verified)

MD5:
6982589c49aa0c4b4fd08455d68a9c8f

SHA-1:
2e2d62e8d1b27dfb255fe578bf2a26dab1708f34

SHA-256:
4168559bd0742ef3ec25ab8f152c290617096aa36bf1b9a8c8b96f24a87ea198

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 5:20:51 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Elex (M)
16.9.23.10

File size:
437.7 KB (448,216 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\temp\{random}.tmp\tools\saber.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
9/21/2016 7:00:00 PM

Valid to:
6/8/2017 6:59:59 PM

Subject:
CN=Dening Hu, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
7986DA5F93A0A631551A2F4F1B1666BF

File PE Metadata
Compilation timestamp:
9/23/2016 4:53:48 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:h8QR/Xu7cmSKpQg8v46ilYJcO2zaAp/ktoH6YWZ:7Rm7ZSKOgEJcveApO9

Entry address:
0x24089

Entry point:
E8, 3D, 04, 00, 00, E9, 80, FE, FF, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 1F, 85, FE, FF, C7, 06, 60, D8, 44, 00, 8B, C6, 5E, 5D, C2, 04, 00, 83, 61, 04, 00, 8B, C1, 83, 61, 08, 00, C7, 41, 04, 68, D8, 44, 00, C7, 01, 60, D8, 44, 00, C3, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, EC, 84, FE, FF, C7, 06, 7C, D8, 44, 00, 8B, C6, 5E, 5D, C2, 04, 00, 83, 61, 04, 00, 8B, C1, 83, 61, 08, 00, C7, 41, 04, 84, D8, 44, 00, C7, 01, 7C, D8, 44, 00, C3, 55, 8B, EC, 83, EC, 0C, 8D, 4D, F4, E8, DA, FF, FF, FF, 68, 84...
 
[+]

Entropy:
6.5091

Code size:
303.5 KB (310,784 bytes)

Service
Display name:
winsaber

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-25-160.mxp4.r.cloudfront.net  (54.192.25.160:80)

TCP (HTTP):
Connects to server-54-192-25-148.mxp4.r.cloudfront.net  (54.192.25.148:80)

TCP (HTTP):
Connects to server-54-192-203-54.fra50.r.cloudfront.net  (54.192.203.54:80)

TCP (HTTP):
Connects to server-54-192-203-234.fra50.r.cloudfront.net  (54.192.203.234:80)

TCP:
Connects to ip-172-30-172-5.ec2.internal  (172.30.172.5:3128)

TCP (HTTP):
Connects to server-54-230-141-53.sfo5.r.cloudfront.net  (54.230.141.53:80)

TCP (HTTP):
Connects to server-54-230-141-108.sfo5.r.cloudfront.net  (54.230.141.108:80)

TCP (HTTP):
Connects to server-54-230-163-182.jax1.r.cloudfront.net  (54.230.163.182:80)

TCP (HTTP):
Connects to server-54-230-163-166.jax1.r.cloudfront.net  (54.230.163.166:80)

TCP (HTTP):
Connects to server-52-85-83-16.lax1.r.cloudfront.net  (52.85.83.16:80)

TCP (HTTP):
Connects to server-52-85-77-157.lax3.r.cloudfront.net  (52.85.77.157:80)

TCP (HTTP):
Connects to server-52-84-25-13.sea32.r.cloudfront.net  (52.84.25.13:80)

TCP (HTTP):
Connects to server-52-84-246-59.sfo20.r.cloudfront.net  (52.84.246.59:80)

TCP (HTTP):
Connects to server-52-84-246-247.sfo20.r.cloudfront.net  (52.84.246.247:80)

TCP (HTTP):
Connects to server-52-84-246-146.sfo20.r.cloudfront.net  (52.84.246.146:80)

TCP (HTTP):
Connects to server-54-240-186-36.mad50.r.cloudfront.net  (54.240.186.36:80)

TCP (HTTP):
Connects to server-54-240-186-134.mad50.r.cloudfront.net  (54.240.186.134:80)

TCP (HTTP):
Connects to server-54-240-186-130.mad50.r.cloudfront.net  (54.240.186.130:80)

TCP (HTTP):
Connects to server-54-230-216-53.mrs50.r.cloudfront.net  (54.230.216.53:80)

TCP (HTTP):
Connects to server-54-230-216-140.mrs50.r.cloudfront.net  (54.230.216.140:80)

Remove saber.exe - Powered by Reason Core Security