supertela5_5_3_pt_br.exe

RBMF Technologies LLC

The application supertela5_5_3_pt_br.exe by RBMF Technologies has been detected as a potentially unwanted program by 5 anti-malware scanners. It is a setup program used to install the application. The file has been seen being downloaded from www.clearheartgift.com and multiple other hosts. While running, it connects to the Internet address unallocated.barefruit.co.uk on port 443.
Publisher:
RBMF Technologies LLC (signed and verified)

MD5:
6bd8aea826e48e12491db24b68df676c

SHA-1:
3f0abfe253ee573a04cb718ba42028c94458caec

SHA-256:
9c7cf159b16c503ec341d077a76934e7c5be1d3eae5b1f06c1d04c3bdd82eeb5

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 8:44:37 AM UTC

Scan engine          Detection                          Engine version
ESET NOD32           Win32/Downloader.Agent (variant)   8.9580
F-Prot               W32/A-961be342                     v6.4.7.1.166
IKARUS anti.virus    AdWare.Todos                       t3scan.2.2.29
Reason Heuristics    PUP.RBMFTechnologies.U             14.3.29.19
Rising Antivirus     PE:Malware.Todos!6.33              23.00.65.14327

File size:
2.4 MB (2,490,264 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\supertela5_5_3_pt_br.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/25/2013 3:24:32 PM

Valid to:
3/25/2014 3:10:21 PM

Subject:
CN=RBMF Technologies LLC, O=RBMF Technologies LLC, L=Lewes, S=DE, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B7E112F67BE16

File PE Metadata
Compilation timestamp:
5/17/2013 12:40:35 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:/OZbDGUHvraNfSfpSjJti4hVPM57YMvhqr9CRe9FEt:/OFDGoveNqfpgM5A9CMFEt

Entry address:
0x536980

Entry point:
60, BE, 00, B0, 6E, 00, 8D, BE, 00, 60, D1, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
2.3 MB (2,408,448 bytes)

The file supertela5_5_3_pt_br.exe has been seen being distributed by the following 11 URLs.


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to unallocated.barefruit.co.uk (92.242.140.20:443)
