temp4114236966.exe

The application temp4114236966.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘NetworkUpdater’. While running, it connects to the Internet address 86-63-78-17.sta.asta-net.com.pl on port 80 using the HTTP protocol.
MD5:
57f92da953ba6df9bd8782a6e7c69abc

SHA-1:
8bdd857b88893b5df79d08984b8da4eb0cdcedd7

SHA-256:
c4f5fc5647d8af73013ddefcfa155d3649b757112533d6b182f43d794b14fe0b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 6:31:37 AM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.Updater.Startup

Engine version:
17.3.2.20

File size:
1 MB (1,097,873 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\temp4114236966.exe

File PE Metadata
Compilation timestamp:
10/15/2016 4:17:25 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x852F

Entry point:
55, 8B, EC, 6A, FF, 68, 88, A5, 20, 00, 68, BC, 86, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, E0, 94, 20, 00, 59, 83, 0D, 50, D0, 20, 00, FF, 83, 0D, 54, D0, 20, 00, FF, FF, 15, 94, 94, 20, 00, 8B, 0D, 44, D0, 20, 00, 89, 08, FF, 15, E8, 94, 20, 00, 8B, 0D, 40, D0, 20, 00, 89, 08, A1, E4, 94, 20, 00, 8B, 00, A3, 4C, D0, 20, 00, E8, 1D, 01, 00, 00, 39, 1D, 30, CF, 20, 00, 75, 0C, 68, B8, 86, 20, 90, FF, 15, D4, 94...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
96 KB (98,304 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NetworkUpdater

Command:
C:\users\{user}\appdata\local\temp\temp3524703768.exe

The executing file has been seen to make the following network communications in live environments.


Remove temp4114236966.exe - Powered by Reason Core Security