server.exe

Xin Zhou

The application server.exe by Xin Zhou has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners (Reason Heuristics, detection name PUP.XinZhou (M)), which rates the file as a potential threat. It runs as a Windows service named "server Update" from an install directory ("window update\server update") whose name, like the service description, echoes Windows Update. While running, it connects over plain HTTP (port 80) to CloudFront edge hosts such as server-54-230-216-248.mrs50.r.cloudfront.net; the full list of observed endpoints is given below.
Publisher:
Xin Zhou  (signed and verified)

MD5:
754f350d47638f11327baf1f7f941bc3

SHA-1:
0de3bce0663b324bdc3444b826bf8030b1af2d47

SHA-256:
6ee2bcd8bc316fc733a8b51759dd8daec8936854b78647182f45598c6eb91a68

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 2:41:55 PM UTC

Scan engine          Detection          Engine version
Reason Heuristics    PUP.XinZhou (M)    16.2.8.12

File size:
283.2 KB (289,976 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\window update\server update\server.exe

Digital Signature
Signed by:
Xin Zhou

Authority:
thawte, Inc.

Valid from:
10/23/2015 8:00:00 AM

Valid to:
10/23/2016 7:59:59 AM

Subject:
CN=Xin Zhou, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
659A8A3384285135321373ABABE9503D

File PE Metadata
Compilation timestamp:
12/22/2015 3:48:21 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:TlBsUFAkdXQkXpq5b3/vgjsyrujxmR0LZTtym:THsUFAoXQ0qh3pyrujMRITtym

Entry address:
0x1A644

Entry point:
E8, B8, 53, 00, 00, E9, 7F, FE, FF, FF, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 70, 40, 44, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, F8, 22, 44, 00, 01, 0F, 82, D6, 58, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74...

Entropy:
6.4996

Code size:
203.5 KB (208,384 bytes)

Service
Display name:
server Update

Service name:
server

Description:
Enables the detection, download, and installation of updates for server and other programs. If this service is disabled, users of this computer will not be able to use server Update or its automatic u

Type:
Win32OwnProcess, InteractiveProcess
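
The following triage script is an added example for this report; it is not code from the report's publisher or from the file's author. It checks one Windows host for the artifact described above: whether the file exists at the reported path, whether its SHA-256 matches, its Shannon entropy (the metric listed under PE metadata), its Authenticode status, and whether the "server" service (or any service whose image lives under the "window update" directory) is registered. The signing certificate in the report expired on 10/23/2016, so the script also records whether a countersignature timestamp is present: without one, the signature no longer verifies today, and a Valid status would deserve a closer look. It assumes Windows PowerShell 5.1 or later run as an administrator; the hash, serial number, path and service name are taken from the report.

```powershell
# Added triage example, not code from the report or from the file's publisher.
# Assumes Windows PowerShell 5.1+ run as administrator. The constants below come
# from the report above.
$ExpectedSha256 = '6ee2bcd8bc316fc733a8b51759dd8daec8936854b78647182f45598c6eb91a68'
$ExpectedSerial = '659A8A3384285135321373ABABE9503D'
$ReportedPath   = 'C:\Program Files\window update\server update\server.exe'
$ServiceName    = 'server'

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    # Entropy in bits per byte (0..8); the report lists 6.4996 for this file.
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $h -= $p * [math]::Log($p, 2)
        }
    }
    return [math]::Round($h, 4)
}

function Test-ServerExeArtifact {
    param([string]$Path = $ReportedPath)
    $r = [ordered]@{ Path = $Path; FilePresent = (Test-Path -LiteralPath $Path) }

    if ($r.FilePresent) {
        $r.Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $r.HashMatches = ($r.Sha256 -eq $ExpectedSha256)
        $bytes         = [System.IO.File]::ReadAllBytes($Path)
        $r.SizeBytes   = $bytes.Length
        $r.Entropy     = Get-ShannonEntropy -Bytes $bytes

        # Status 'Valid' only says the chain verified. Also compare the signer's
        # serial number with the report and check for a countersignature: the
        # reported certificate expired 10/23/2016, so an untimestamped signature
        # no longer verifies, and a 'Valid' result here deserves a closer look.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $r.SignatureStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) {
            $r.SignerSubject = $sig.SignerCertificate.Subject
            $r.SerialMatches = ($sig.SignerCertificate.SerialNumber -ieq $ExpectedSerial)
            $r.SignerExpired = ($sig.SignerCertificate.NotAfter -lt (Get-Date))
            $r.Timestamped   = [bool]$sig.TimeStamperCertificate
        }
    }

    # Service registration: match the reported name, and any service whose image
    # path sits under the reported install directory in case the name differs.
    $svc = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $ServiceName -or $_.PathName -like '*\window update\*' })
    $r.ServiceFound = ($svc.Count -gt 0)
    if ($svc.Count -gt 0) {
        $r.ServiceName  = @($svc.Name) -join ', '
        $r.ServiceImage = @($svc.PathName) -join ', '
        $r.ServiceState = @($svc.State) -join ', '
        $r.ServicePid   = @($svc.ProcessId) -join ', '
    }
    return [pscustomobject]$r
}

Test-ServerExeArtifact | Format-List
```

A hash match against a single known sample is the narrowest check; a service registered under a Windows Update look-alike directory with a signature that no longer verifies is the finding that generalizes to re-packed variants, so treat the service and signature fields as the primary signal and the hash as confirmation.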


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-83-131.lax1.r.cloudfront.net  (52.85.83.131:80)

TCP (HTTP):
Connects to server-52-85-83-113.lax1.r.cloudfront.net  (52.85.83.113:80)

TCP (HTTP):
Connects to server-52-85-83-19.lax1.r.cloudfront.net  (52.85.83.19:80)

TCP (HTTP):
Connects to server-54-192-203-236.fra50.r.cloudfront.net  (54.192.203.236:80)

TCP (HTTP):
Connects to server-54-192-230-63.waw50.r.cloudfront.net  (54.192.230.63:80)

TCP (HTTP):
Connects to server-54-192-230-29.waw50.r.cloudfront.net  (54.192.230.29:80)

TCP (HTTP):
Connects to server-54-192-230-174.waw50.r.cloudfront.net  (54.192.230.174:80)

TCP (HTTP):
Connects to server-54-230-95-132.fra2.r.cloudfront.net  (54.230.95.132:80)

TCP (HTTP):
Connects to server-54-230-216-248.mrs50.r.cloudfront.net  (54.230.216.248:80)

TCP (HTTP):
Connects to server-54-230-216-107.mrs50.r.cloudfront.net  (54.230.216.107:80)

TCP (HTTP):
Connects to server-54-192-230-252.waw50.r.cloudfront.net  (54.192.230.252:80)

TCP (HTTP):
Connects to server-54-192-230-214.waw50.r.cloudfront.net  (54.192.230.214:80)

TCP (HTTP):
Connects to server-52-85-63-206.lhr50.r.cloudfront.net  (52.85.63.206:80)

TCP (HTTP):
Connects to server-52-85-63-188.lhr50.r.cloudfront.net  (52.85.63.188:80)
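
The hunting snippet below is an added example, not code from the report. It applies the pattern above to a host's established TCP connections: server.exe speaking plain HTTP on port 80, an owning image under the reported "window update" directory, or a remote address from the list of edge nodes. The CloudFront addresses are shared CDN edges that serve countless legitimate sites, so an address match on its own is labelled as weak; the process-to-destination pairing is what distinguishes this traffic. The filter runs offline against a constructed sample; Get-LiveConnections (an assumed helper name, built on Get-NetTCPConnection and Get-Process, available on Windows 8 / Server 2012 and later) feeds it live data.

```powershell
# Added hunting example, not code from the report. Remote addresses are the
# edge nodes listed above; the sample connections are constructed, not captured.
$ReportedEdgeIps = @(
    '52.85.83.131', '52.85.83.113', '52.85.83.19', '54.192.203.236',
    '54.192.230.63', '54.192.230.29', '54.192.230.174', '54.230.95.132',
    '54.230.216.248', '54.230.216.107', '54.192.230.252', '54.192.230.214',
    '52.85.63.206', '52.85.63.188'
)

function Find-SuspectConnections {
    param(
        # Objects carrying RemoteAddress, RemotePort, OwningProcess, ProcessName, ProcessPath.
        [Parameter(Mandatory)][object[]]$Connections
    )
    foreach ($c in $Connections) {
        $reasons = @()
        if ($c.ProcessName -ieq 'server.exe' -and $c.RemotePort -eq 80) {
            $reasons += 'server.exe speaking plain HTTP (port 80)'
        }
        if ($c.ProcessPath -like 'C:\Program Files\window update\*') {
            $reasons += 'owning image under reported install directory'
        }
        if ($ReportedEdgeIps -contains $c.RemoteAddress) {
            $reasons += 'remote address listed in report (shared CloudFront edge; weak alone)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid     = $c.OwningProcess
                Process = $c.ProcessName
                Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Get-LiveConnections {
    # Join established sockets to their owning process so the filter sees image names.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection -State Established | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $name = ''
        $path = ''
        if ($p) { $name = "$($p.ProcessName).exe"; $path = $p.Path }
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            OwningProcess = $_.OwningProcess
            ProcessName   = $name
            ProcessPath   = $path
        }
    }
}

# Constructed sample so the filter can be exercised offline. The chrome.exe row
# matches only on address and shows why an edge IP alone is a weak indicator.
$Sample = @(
    [pscustomobject]@{ RemoteAddress = '54.230.216.248'; RemotePort = 80;  OwningProcess = 4120; ProcessName = 'server.exe'; ProcessPath = 'C:\Program Files\window update\server update\server.exe' },
    [pscustomobject]@{ RemoteAddress = '52.85.83.131';   RemotePort = 443; OwningProcess = 2200; ProcessName = 'chrome.exe'; ProcessPath = 'C:\Program Files\Google\Chrome\Application\chrome.exe' },
    [pscustomobject]@{ RemoteAddress = '10.0.0.5';       RemotePort = 445; OwningProcess = 4;    ProcessName = 'System';     ProcessPath = '' }
)
Find-SuspectConnections -Connections $Sample | Format-Table -AutoSize

# On a live host:
# Find-SuspectConnections -Connections (Get-LiveConnections) | Format-Table -AutoSize
```

Because the listed hosts are CDN edges, blocking them would break unrelated sites; the actionable response is to stop and remove the service and its image, then confirm the port-80 connections from that process stop.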

Remove server.exe - Powered by Reason Core Security