sd0uamojw.exe

The application sd0uamojw.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from livestatscounter.com. While running, it connects to the Internet address ch4plpkivs-v01.any.prod.ord1.secureserver.net on port 80 using the HTTP protocol.

MD5:
5c9336efb1faf577655bcd88a444c26b

SHA-1:
3a46124a6a3222a1eb5d3a9212f4c86574a33b30

SHA-256:
f120fd505378e28c64e1057de7aea81f6b346b70d1fd4d0fd23c46e8c9bbd4ba

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/30/2024 10:18:46 AM UTC

Scan engine         Detection                     Engine version
Dr.Web              Adware.ClickMeIn.2178         9.0.1.0273
Reason Heuristics   Adware.CMI (M)                16.2.19.17
SUPERAntiSpyware    Trojan.Agent/Gen-Downloader   9670

File size:
162 KB (165,898 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\12mvmbse\sd0uamojw.exe

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:AgXdZt9P6D3XJ8M59gvIUepNoVGQFGnuTG/qKrOqGiD/pMIWgWsO0uMzfn:Ae34f59yepNoVGbui/hFD/pMpgWsdDn

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.8549

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file sd0uamojw.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

