support.exe

BDE MSM Configuration Utility


The executable support.exe has been detected as malware by 1 of 68 anti-virus scanners, and that single detection is heuristic (Threat.Generic), so the verdict rests mainly on the file's behaviour rather than on a signature. It is set to execute automatically whenever any user logs into Windows, through the all-users Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) rather than a per-user one, under the value name '832c7' with the command '8a67c.exe'; both are random-looking hex strings, unlike the product name 'BDE MSM Configuration Utility' carried in its version resource, whose description field reads 'File folder'. While running, it connects over plain HTTP on port 80 to 5-61-24-196.nrp.co (5.61.24.196) and to the further hosts listed under network communications below.
Publisher:

Product:
BDE MSM Configuration Utility

Description:
File folder

Version:
1.00

MD5:
60526283d6355858157a73ed4a5eea5e

SHA-1:
42677da08237b751f7410ebfb740e727e985b0c7

SHA-256:
d24f830cd5adfe8be25f94d453662735785eafe8b11eeffe936ed37f6ee7fd17

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/25/2024 1:27:04 AM UTC

Scan engine         Detection        Engine version
Reason Heuristics   Threat.Generic   16.11.21.6

File size:
644 KB (659,456 bytes)

Product version:
1.00

Original file name:
BDEMMCFG

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
11/19/2016 2:29:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:Ojiwhcuz5YL+3Nfu8z2Kd64pvutVhjfWIcViEtkxhuhuIpRL5uO1FeYOlZvGgiKX:wiwhTEhjAiESuXuqFeYOlUgbX

Entry address:
0x3584

Entry point:
68, FC, 39, 40, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, E7, 47, 45, 18, 0E, 98, 51, 47, A1, 5C, 2E, 3F, 17, E6, 45, F8, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 50, 72, 6F, 6A, 65, 63, 74, 31, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, FF, CC, 31, 00, 13, DE, 2D, 84, 51, 81, 13, 57, 44, B0, 00, 64, 0A, A9, FA, 08, E7, 13, 33, CE, 61, AF, AE, 60, 45, A6, 95, 80, 2F, A3, A9, B8, 23, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...

The first ten bytes (68 FC 39 40 00 E8 F0 FF FF FF) are the push imm32 / call rel32 stub with which every Visual Basic 5/6 executable begins: it pushes the address of the VB project header and calls the runtime's ThunRTMain. The ASCII string 'Project1' at offset 0x3C is the default name Visual Basic gives a new project. Both agree with the compiler identified below.

Entropy:
4.2840

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
192 KB (196,608 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
832c7

Command:
8a67c.exe
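As an added example (not code from Reason Core Security or from this page), the following Python script turns the indicators above into a host triage check: it hashes a file and compares the result with the page's MD5/SHA-1/SHA-256, tests the first bytes at the PE entry point for the push/call stub that Visual Basic 5/6 binaries start with, and flags Run-key values that match the name 832c7 and the command 8a67c.exe. The "bare file name" heuristic and the Run-key snapshot it runs on are assumptions constructed for the demonstration; on a live Windows host the snapshot would be read from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the equivalent HKCU key.

```python
"""Host-side triage for the indicators on this page.

Added example (not Reason Core Security's code). The hashes, the Run value name
and its command are copied from the page; the file contents and the Run-key
snapshot used in the demonstration are constructed so the script runs offline.
"""
import hashlib
import re

# Indicators copied from the page.
KNOWN_HASHES = {
    "md5": "60526283d6355858157a73ed4a5eea5e",
    "sha1": "42677da08237b751f7410ebfb740e727e985b0c7",
    "sha256": "d24f830cd5adfe8be25f94d453662735785eafe8b11eeffe936ed37f6ee7fd17",
}
RUN_VALUE_NAME = "832c7"
RUN_COMMAND = "8a67c.exe"

# First ten bytes of the page's entry-point dump: push imm32 / call rel32, the
# stub every Visual Basic 5/6 executable starts with.
PAGE_ENTRY_BYTES = bytes.fromhex("68fc394000e8f0ffffff")
VB_ENTRY_STUB = re.compile(rb"\x68....\xe8....", re.DOTALL)


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Hash a file on disk in 1 MiB chunks (the sample is 644 KB; this scales)."""
    digests = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def hash_matches(hashes: dict) -> list:
    """Algorithms whose digest equals the page's known-bad value (any one is a hit)."""
    return [alg for alg, h in hashes.items() if KNOWN_HASHES.get(alg) == h.lower()]


def has_vb_entry_stub(entry_bytes: bytes) -> bool:
    """True if the bytes at the PE entry point begin with the VB push/call stub."""
    return VB_ENTRY_STUB.match(entry_bytes) is not None


def _executable(command: str) -> str:
    """Extract the program from a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values: dict) -> list:
    """Flag Run-key values that match the page's indicators.

    A third, heuristic check (an assumption, not from the page) flags commands
    that are a bare file name with no directory, which is how this sample's
    entry looks and is unusual for legitimately installed software.
    """
    findings = []
    for name, command in run_values.items():
        reasons = []
        if name == RUN_VALUE_NAME:
            reasons.append("value name matches page indicator")
        exe = _executable(command)
        if exe.lower() == RUN_COMMAND:
            reasons.append("command matches page indicator")
        if exe and "\\" not in exe and "/" not in exe:
            reasons.append("command is a bare file name (heuristic)")
        if reasons:
            findings.append((name, command, reasons))
    return findings


if __name__ == "__main__":
    # Constructed Run-key snapshot: one ordinary-looking value and the page's entry.
    snapshot = {
        "Vendor Agent": '"C:\\Program Files\\Vendor\\agent.exe" /background',
        RUN_VALUE_NAME: RUN_COMMAND,
    }
    for name, command, reasons in suspicious_run_values(snapshot):
        print(f"{name!r} -> {command!r}: {', '.join(reasons)}")
    print("VB stub at entry:", has_vb_entry_stub(PAGE_ENTRY_BYTES))
    print("constructed bytes match known hashes:", hash_matches(hash_bytes(b"not the sample")))
```

Point hash_file() at a suspect file to compare it with the page's digests. A hit on any one of the three digests is conclusive for this exact file, but a miss is not: a recompiled or padded variant changes every hash while keeping the Run value and the network behaviour, so the persistence check and the network indicators carry the weight once the hash misses.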


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 5-61-24-196.nrp.co  (5.61.24.196:80)

TCP (HTTP):
Connects to hosted-by.hostdl.com.asiatech.ir  (79.127.127.13:80)

TCP (HTTP):
Connects to static.95.116.46.78.clients.your-server.de  (78.46.116.95:80)

TCP (HTTP):
Connects to ns3060566.ip-193-70-12.eu  (193.70.12.158:80)

TCP (HTTP):
Connects to ns3046195.ip-51-255-93.eu  (51.255.93.139:80)

TCP (HTTP):
Connects to static.117.154.251.148.clients.your-server.de  (148.251.154.117:80)

TCP (HTTP):
Connects to static.9.178.201.138.clients.your-server.de  (138.201.178.9:80)

TCP (HTTP):
Connects to WIN-0MDCIM7U0H4  (185.129.168.129:80)

TCP (HTTP):
Connects to static.210.153.243.136.clients.your-server.de  (136.243.153.210:80)

TCP (HTTP):
Connects to srv.benita.ir  (130.185.74.30:80)

TCP (HTTP):
Connects to sls-af12p19.sea2.superbservers.com  (66.148.112.155:80)

TCP (HTTP):
Connects to ec2-54-164-75-60.compute-1.amazonaws.com  (54.164.75.60:80)

TCP (HTTP SSL):
Connects to a104-108-55-86.deploy.static.akamaitechnologies.com  (104.108.55.86:443)

TCP (HTTP):
Connects to 94-182-147-127.shatel.ir  (94.182.147.127:80)

TCP (HTTP):
Connects to static.248.127.63.178.clients.your-server.de  (178.63.127.248:80)

TCP (HTTP):
Connects to static.120.103.4.46.clients.your-server.de  (46.4.103.120:80)

TCP (HTTP):
Connects to server-54-192-203-166.fra50.r.cloudfront.net  (54.192.203.166:80)

TCP (HTTP):
Connects to 94-182-97-50.shatel.ir  (94.182.97.50:80)

TCP (HTTP):
Connects to 199-255-210-165.anchorfree.com  (199.255.210.165:80)
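The destinations above, as an added example (not the page's or the vendor's code): a Python script that loads them as (IP, port) indicators, ranks each by how shared its hosting is, and scans connection records for matches. The log format (tab-separated ts, src, sport, dst, dport) and the records in SAMPLE_LOG are constructed for the demonstration. The "low" confidence tier is an editorial judgement based on the reverse-DNS names the page shows: clients.your-server.de, akamaitechnologies.com, cloudfront.net and amazonaws.com are mass-hosting or CDN ranges that plenty of benign traffic also reaches, so a hit there needs corroboration from the host.

```python
"""Match the page's network indicators against connection logs.

Added example (not Reason Core Security's code). The destination list is copied
from the page. The log format is an assumption, tab-separated records with the
fields ts, src, sport, dst, dport, roughly what a Zeek conn.log or a firewall
export reduces to; the records in SAMPLE_LOG are constructed.
"""
import ipaddress

# (reverse-DNS name, IP, port) as listed on the page; the entry with no
# destination is omitted.
PAGE_CONNECTIONS = [
    ("5-61-24-196.nrp.co", "5.61.24.196", 80),
    ("hosted-by.hostdl.com.asiatech.ir", "79.127.127.13", 80),
    ("static.95.116.46.78.clients.your-server.de", "78.46.116.95", 80),
    ("ns3060566.ip-193-70-12.eu", "193.70.12.158", 80),
    ("ns3046195.ip-51-255-93.eu", "51.255.93.139", 80),
    ("static.117.154.251.148.clients.your-server.de", "148.251.154.117", 80),
    ("static.9.178.201.138.clients.your-server.de", "138.201.178.9", 80),
    ("WIN-0MDCIM7U0H4", "185.129.168.129", 80),
    ("static.210.153.243.136.clients.your-server.de", "136.243.153.210", 80),
    ("srv.benita.ir", "130.185.74.30", 80),
    ("sls-af12p19.sea2.superbservers.com", "66.148.112.155", 80),
    ("ec2-54-164-75-60.compute-1.amazonaws.com", "54.164.75.60", 80),
    ("a104-108-55-86.deploy.static.akamaitechnologies.com", "104.108.55.86", 443),
    ("94-182-147-127.shatel.ir", "94.182.147.127", 80),
    ("static.248.127.63.178.clients.your-server.de", "178.63.127.248", 80),
    ("static.120.103.4.46.clients.your-server.de", "46.4.103.120", 80),
    ("server-54-192-203-166.fra50.r.cloudfront.net", "54.192.203.166", 80),
    ("94-182-97-50.shatel.ir", "94.182.97.50", 80),
    ("199-255-210-165.anchorfree.com", "199.255.210.165", 80),
]

# Reverse-DNS suffixes on the page belonging to CDNs, cloud or mass hosting.
# A connection to one of these addresses is weak evidence on its own, since
# many unrelated services share them; dedicated-looking hosts rank higher.
SHARED_INFRA_SUFFIXES = (".clients.your-server.de", ".akamaitechnologies.com",
                         ".cloudfront.net", ".amazonaws.com")


def build_iocs(connections=PAGE_CONNECTIONS) -> dict:
    """Map (ip, port) -> 'high' or 'low' confidence."""
    return {(ip, port): ("low" if host.endswith(SHARED_INFRA_SUFFIXES) else "high")
            for host, ip, port in connections}


def parse_conn_line(line: str):
    """Parse one record; None for the #fields header, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, src, sport, dst, dport = parts
    try:  # ip_address() normalises the text form, so dict lookups match
        return {"ts": ts, "src": str(ipaddress.ip_address(src)), "sport": int(sport),
                "dst": str(ipaddress.ip_address(dst)), "dport": int(dport)}
    except ValueError:
        return None


def match_connections(lines, iocs=None) -> list:
    """Return (src, dst, dport, confidence) for each record hitting an IOC.

    Address and port must both match: the sample uses 80 everywhere except
    443 for the Akamai address, and another port is another service.
    """
    iocs = build_iocs() if iocs is None else iocs
    hits = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        conf = iocs.get((rec["dst"], rec["dport"]))
        if conf is not None:
            hits.append((rec["src"], rec["dst"], rec["dport"], conf))
    return hits


def hosts_to_triage(hits) -> dict:
    """Per internal host, count high- and low-confidence hits."""
    summary = {}
    for src, _dst, _port, conf in hits:
        summary.setdefault(src, {"high": 0, "low": 0})[conf] += 1
    return summary


# Constructed records: one strong hit, one weak hit, one unrelated destination,
# and one known address on a port the page does not list.
SAMPLE_LOG = """\
#fields\tts\tsrc\tsport\tdst\tdport
1735090024.1\t10.0.0.15\t49811\t5.61.24.196\t80
1735090031.7\t10.0.0.15\t49812\t104.108.55.86\t443
1735090040.2\t10.0.0.22\t51002\t93.184.216.34\t443
1735090055.9\t10.0.0.15\t49820\t5.61.24.196\t8080
"""

if __name__ == "__main__":
    hits = match_connections(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(hosts_to_triage(hits))
```

Feed match_connections() the lines of a real export in the assumed column order and triage the hosts that score any high-confidence hit first; a host with only low-confidence hits to the Hetzner, Akamai, CloudFront or EC2 addresses should be checked for the Run-key entry before it is treated as infected.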
