tmpd58c.tmp.exe

The executable tmpd58c.tmp.exe has been detected as malware by 5 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘e0a33854dd168ca0cb52535ea8f0538a’. While running, it connects to the Internet address crs.ultradns.net on port 2213.
MD5:
2026f87554e5c94c6130d1eea9795e88

SHA-1:
0d2fa0acd3ae4647b31acefdb5ec4903e06eccc6

SHA-256:
c6e9faa6459d5e34fcd23c44e6dea57a21f069a9675a98b6b42401a73d070c65

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/23/2024 5:55:22 PM UTC  (today)

Scan engine
Detection
Engine version

Clam AntiVirus
Win.Trojan.B-468
0.98/22548

Dr.Web
Trojan.DownLoader19.37002
9.0.1.05190

ESET NOD32
MSIL/Bladabindi.BC trojan
6.3.12010.0

F-Secure
Generic.MSIL.Bladabindi.80DEAAC2
5.15.154

Microsoft Security Essentials
Backdoor:MSIL/Bladabindi.B
1.231.2065.0

File size:
23.5 KB (24,064 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\tmpd58c.tmp.exe

File PE Metadata
Compilation timestamp:
11/17/2016 12:06:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:bsqCm6yocx/Yp7jemiO0nd08/VQ6bgNQC5h7tmRvR6JZlbw8hqIusZzZrl:ASoQA6mlcrRpcnuS

Entry address:
0x749E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
5.5293

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
21.5 KB (22,016 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
e0a33854dd168ca0cb52535ea8f0538a

Command:
"C:\users\{user}\appdata\local\temp\taskhost.exe"..


The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to crs.ultradns.net  (204.74.99.100:2213)

Remove tmpd58c.tmp.exe - Powered by Reason Core Security