home

skype_7.33.exe

Rofasalota

Sivensys SRL

The executable skype_7.33.exe, “Rofasalota Setup ” has been detected as malware by 1 anti-virus scanner. The program is a setup application that uses the Inno Setup installer. The file has been seen being downloaded from www.funcentralnew.com and multiple other hosts.
Publisher:
Sivensys SRL  (signed and verified)

Product:
Rofasalota

Description:
Rofasalota Setup

Version:
2.8.1.7

MD5:
0fa55646bfe80351814e1a3a79ece336

SHA-1:
11e6b48fbbe222b2b9d8cf1af8ffda937a68c891

SHA-256:
3de8c59e8fb380bad39dccaaea1f9d80304e8bee950122100e20bb997276d0c9

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/16/2024 8:27:37 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
17.2.21.13

File size:
1.2 MB (1,292,528 bytes)

Product version:
4.3.7

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\skype_7.33.exe

Digital Signature
Signed by:
Sivensys SRL

Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 11:04:57 AM

Valid to:
10/21/2017 11:04:57 AM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file skype_7.33.exe has been seen being distributed by the following 2 URLs.

http://www.funcentralnew.com/0w3yG2RLNjiYFgGoLh7tER7MemmIrkZJNjQATNPWcn7LN_tBWIHHA7ncLXLpNyeZFgDl9EnddvaLUJYCwX5FOUVur_K9vZs88b9Tiu_W8ZSQylu5 S_gOcY1hBXHH_5C4YP06bF1g6t7EQRluPq8oILSvkU0D6tl7f3N4Onx8BQ14xL5_KY4OVI9TqcxbATyaBGeWbDuL85xpzTZmk6IvSoadk7E0HQc5lvGFvtzouILQd8xXqm6lWDOrkGQhF8BDMpLdtI4mJmmaPd9Ws1udnOUIjjMqOudamn_QP2k1PG9RAX9reJg1POXIIx4PJAe2B1aF5wsEPfRsG1NfheoJ7ALukgIRJ56p9Gq2y1vULnXZjC5MRt59hwoO_ASRNVAbvEZnu5WJwn70Iw wA4KlImoG_EgzxgFsbgfksULE3sb2IzzfRypckkYIm8jDTXeZgnU1DLf-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

http://www.funcentralnew.com/wgnlO_MQq21gBhf5NwKz4vfdUofm ee4INfapS9tYrkCCCPJhUX2im086nXT6w_RXc13Zi5Vj_wEDJBhKfX054d_vyarLKS4ahYP3wxjs5veJaT5a8AWzU2v1HPlwnIOoyVmJIkoM39UauB3t1 N2Nww _CHRe8bKrvHNzpTJ 92Hx4_Cg9egZLQYfnNwCq60pnlORC8RvlStobf83ejh4ZPmwkglDdB1_MT5Tk7vcyBnLQKatcIFnFUwSSUHrIC5Kw2U2SL7mNzE6GjzOz4ZGAq66PLDFaILP9d0FJ9TFkyJ1TgzUmB j oeCtb mg75E4suNVjReo4MnQ5wGpaw56kIoHthKftC10Kg0qLns9xm1VXFJvpU66C7MdoY7Gx0JZXtwPy VOTflIjGj3rlx8kUwFSN2APyS21R39ag3lLmwFb28 X_PuOAYKhRU jgHLdNShU-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-30-226-196.eu-west-1.compute.amazonaws.com  (52.30.226.196:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (52.216.226.104:80)

TCP (HTTP SSL):
Connects to generic.external.zlb.scl3.mozilla.com  (63.245.213.12:443)

TCP (HTTP):
Connects to ec2-54-154-109-8.eu-west-1.compute.amazonaws.com  (54.154.109.8:80)

TCP (HTTP):
Connects to ec2-176-34-130-130.eu-west-1.compute.amazonaws.com  (176.34.130.130:80)

TCP (HTTP):
Connects to ec2-54-154-229-88.eu-west-1.compute.amazonaws.com  (54.154.229.88:80)

Remove skype_7.33.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.