tindertop.exe

TinderTop

The executable tindertop.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘TinderTop’. While running, it connects to the Internet address cache.google.com on port 80 using the HTTP protocol.
Publisher:
TinderTop  (signed and verified)

MD5:
00b1f77f3cc97ecad10c674be859d831

SHA-1:
cafb1ccad5ab8633f8c7a2d568f0c89ee02fea2b

SHA-256:
f6120da631979c78b3f1e2e74fd821ebcd7697ff88a8f05ceebee2c9f22d33ea

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/26/2024 3:21:01 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.8.2.14

File size:
49 MB (51,349,736 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\tindertop\tindertop.exe

Digital Signature
Signed by:

Authority:
TinderTop

Valid from:
10/17/2015 10:50:58 AM

Valid to:
10/14/2025 10:50:58 AM

Subject:
CN=TinderTop, O=TinderTop, S=Some-State, C=AU

Issuer:
CN=TinderTop, O=TinderTop, S=Some-State, C=AU

Serial number:
00EFDC498B7AF73041

File PE Metadata
Compilation timestamp:
2/20/2016 3:43:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:muK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQkSjKvP:/wC64r1c6ZgnUSrLpbUAdBUQq6/BLIP3

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
[+]

Entropy:
7.0071

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
TinderTop

Command:
C:\users\{user}\appdata\roaming\tindertop\tindertop.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 34.f4.c1ad.ip4.static.sl-reverse.com  (173.193.244.52:80)

TCP (HTTP):
Connects to gha.g.ebay.com  (66.211.184.152:80)

TCP (HTTP SSL):
Connects to d0.91.6132.ip4.static.sl-reverse.com  (50.97.145.208:443)

TCP (HTTP SSL):
Connects to cache.google.com  (187.86.12.185:443)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to a104-89-12-167.deploy.static.akamaitechnologies.com  (104.89.12.167:80)

TCP (HTTP):
Connects to a104-89-12-139.deploy.static.akamaitechnologies.com  (104.89.12.139:80)

TCP (HTTP SSL):
Connects to a104-80-47-89.deploy.static.akamaitechnologies.com  (104.80.47.89:443)

TCP (HTTP):
Connects to 179.185.161.19.static.adsl.gvt.net.br  (179.185.161.19:80)

TCP (HTTP SSL):
Connects to m-prd-umpxl-shared-mr1-blue-a.evip.aol.com  (152.163.50.3:443)

TCP (HTTP SSL):
Connects to a104-89-12-219.deploy.static.akamaitechnologies.com  (104.89.12.219:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:443)

TCP (HTTP SSL):
Connects to pprd1-rtr2.manhattan.vip.bf1.yahoo.com  (72.30.203.224:443)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to a23-14-213-165.deploy.static.akamaitechnologies.com  (23.14.213.165:80)

TCP (HTTP):

TCP (HTTP SSL):
Connects to a104-80-44-133.deploy.static.akamaitechnologies.com  (104.80.44.133:443)

TCP (HTTP):
Connects to a.tribalfusion.com  (204.11.109.65:80)

Remove tindertop.exe - Powered by Reason Core Security