skype_7.32.exe

Rofasalota

Sivensys SRL

The executable skype_7.32.exe, “Rofasalota Setup ” has been detected as malware by 1 anti-virus scanner. The program is a setup application that uses the Inno Setup installer. The file has been seen being downloaded from www.funcentralnew.com.
Publisher:
Sivensys SRL  (signed and verified)

Product:
Rofasalota

Description:
Rofasalota Setup

Version:
2.8.1.7

MD5:
611cad40db69234d428a54213f53b2a2

SHA-1:
c5d94449218add8c01c507045908fa2b7dc14dbf

SHA-256:
bc72c89191b69879129b64f229ce8f88d4726ed99646652cb17d11757f859161

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 2:15:45 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
17.2.15.11

File size:
1.2 MB (1,292,528 bytes)

Product version:
4.3.7

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 10:04:57 AM

Valid to:
10/21/2017 10:04:57 AM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.9855

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file skype_7.32.exe has been seen being distributed by the following URL.

http://www.funcentralnew.com/q7q86wRsG85p1CMiproU1y3gvO4Bd0ccER3EcsxBh8iAn2T0 T4rj6 9Fvu3g3kRX5SEWIyTGiIDghz6wIjw6FKBrp3oNMhAGEoY5m1cu5b1KkiU9kEbx CohMuBhJCX9qLhmdYuD1hwysxmKP3G1Lbi Dy6y_qUiZPeObnv2OxqtG6itWaqVz 1fihV7HLFrPFfol097KUynf8UMUeChtLV6AMr3Q0dVASTtzLzY3oIsdRJVNhRCYdFgVQsWsy2ydN5oxtJJiDuyGzLXMGnXMAugStogf_7aBmQPX4Nl4_YA1yCVLA3r3boZycQvz4iw hpA4agxxwNfWaI2FlgzPRSUYCZPcIEdzqlUB40fkmfVQMRg1CQQErt46vnnPCHXQfpLes26VU5h8c22wefRgw8nxoeT78Fp2tPbDxDS2VQ_fSn_unhjJYRQAeJMJ5 V0SZXq68YM9jkjm88qPc3u77kwfEdA==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to generic.external.zlb.scl3.mozilla.com  (63.245.213.12:443)

TCP (HTTP):
Connects to ec2-52-50-196-247.eu-west-1.compute.amazonaws.com  (52.50.196.247:80)

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (52.216.192.27:443)

TCP (HTTP):
Connects to ec2-52-214-247-42.eu-west-1.compute.amazonaws.com  (52.214.247.42:80)

TCP (HTTP):
Connects to ec2-176-34-130-130.eu-west-1.compute.amazonaws.com  (176.34.130.130:80)

TCP (HTTP):
Connects to 92b91b35.rdns.100tb.com  (146.185.27.53:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (52.216.2.0:80)

TCP (HTTP):
Connects to ec2-54-154-190-87.eu-west-1.compute.amazonaws.com  (54.154.190.87:80)

TCP (HTTP):
Connects to ec2-54-154-109-8.eu-west-1.compute.amazonaws.com  (54.154.109.8:80)

TCP (HTTP):
Connects to ec2-52-49-170-39.eu-west-1.compute.amazonaws.com  (52.49.170.39:80)

TCP (HTTP):
Connects to 50.115.122.45.static.westdc.net  (50.115.122.45:80)

Remove skype_7.32.exe - Powered by Reason Core Security