topsadon1u.exe

neomedia

The application topsadon1u.exe by neomedia has been detected as a potentially unwanted program by 3 anti-malware scanners. This is a setup program which is used to install the application. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘topsadon1u’. The file has been seen being downloaded from down1.topsadon1.com.
Publisher:
neomedia  (signed and verified)

MD5:
26a281d0b81fd5be407d7df930f5a2c8

SHA-1:
0fbd6b0370f9da2735f9d0dfc902b0e920c48836

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 11:46:01 AM UTC

Scan engine         Detection                                 Engine version
ESET NOD32          Win32/AdWare.KeywordFind.D application    6.3.12010.0
F-Prot              W32/Themida_Packed                        4.6.5.141
Reason Heuristics   Adware.Neomedia (M)                       16.11.2.23

File size:
873.7 KB (894,696 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\topsadon1u.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/25/2016 9:00:00 AM

Valid to:
1/25/2017 8:59:59 AM

Subject:
CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata
Compilation timestamp:
10/7/2016 1:09:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:FCyvzN0clwWz5E8OcnSbVnZf/+xAgKBsvs:FlOclvv7Sl9JgMsU

Entry address:
0x1EB000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, 20, 0A, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 80, 6C, 6C, 1C, 68, 71, C1, 79, 42, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.9161  (probably packed)

Code size:
403 KB (412,672 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
topsadon1u

Command:
"C:\Documents and Settings\{user}\Application data\topsadon\topsadon1u.exe"

The file topsadon1u.exe has been seen being distributed by the following URL.

http://down1.topsadon1.com/.../topsadon1u.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Remove topsadon1u.exe - Powered by Reason Core Security