skymonk_rapid1.exe

Skymonk Solutions Limited

The application skymonk_rapid1.exe by Skymonk Solutions Limited has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from letitbit.net and multiple other hosts. While running, it connects to the Internet address 80-92-65-214.ip.dclux.com on port 80 using the HTTP protocol.
Publisher:
Skymonk Solutions Limited  (signed and verified)

MD5:
50946c6b68674e3a587bf09a6fa1cc7d

SHA-1:
b14f038b4ef7b26b69565c114e3f54ec636e93cd

SHA-256:
dd9d5f72d071af2ce2ab72a61f92145cab60048ec98716f972d26ca7f3db6005

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
11/5/2024 11:19:24 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Bkav FE
W32.Clod243.Trojan
1.3.0.4959

Dr.Web
Tool.Skymonk.14
9.0.1.079

Emsisoft Anti-Malware
Gen:Variant.Strictor.50777
8.14.03.20.10

ESET NOD32
Win32/Skymonk
8.9506

Kaspersky
not-a-virus:AdWare.Win32.Skyli
14.0.0.4140

McAfee
Artemis!50946C6B6867
5600.7185

Reason Heuristics
PUP.SkymonkSolutionsLimited.O
14.5.19.1

SUPERAntiSpyware
Trojan.Agent/Gen-Rbot
10715

VIPRE Antivirus
Adware.Win32.Skyli
27118

File size:
102 KB (104,440 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\skymonk_rapid1.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/9/2012 2:00:00 AM

Valid to:
4/10/2015 1:59:59 AM

Subject:
CN=Skymonk Solutions Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Skymonk Solutions Limited, L=Tortola, S=Tortola, C=VG

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
632A5F301191DF03C4933D982BAD525F

File PE Metadata
Compilation timestamp:
2/24/2012 8:22:01 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:HtKr1f0hzRjeWsH5bs4SkHZLbS1ydrYr+wnKV:NEG71cbTZZLp6nKV

Entry address:
0x36DA

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 1C, C7, 44, 24, 10, C0, 8A, 40, 00, 89, 5C, 24, 18, C6, 44, 24, 14, 20, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, AC, 80, 40, 00, 53, FF, 15, A4, 82, 40, 00, 6A, 08, A3, 18, 36, 45, 00, E8, FD, 28, 00, 00, 53, 68, 60, 01, 00, 00, A3, 28, 35, 45, 00, 8D, 44, 24, 3C, 50, 53, 68, BF, 8A, 40, 00, FF, 15, 70, 81, 40, 00, 68, B4, 8A, 40, 00, 68, 20, F5, 44, 00, E8, 27, 26, 00, 00, FF, 15, A8, 80, 40, 00, 50, BF, 50, C0, 47, 00, 57, E8, 15, 26...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file skymonk_rapid1.exe has been seen being distributed by the following 10 URLs.

http://letitbit.net/downloader_undefined_0_vid1.exe

http://letitbit.net/downloader_12427593_80_letF.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 80-92-65-214.ip.dclux.com  (80.92.65.214:80)

Remove skymonk_rapid1.exe - Powered by Reason Core Security