topsadon1u.exe

neomedia

The application topsadon1u.exe by neomedia has been detected as a potentially unwanted program by 5 anti-malware scanners. This is a setup program which is used to install the application. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘topsadon1u’. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot.
Publisher:
neomedia  (signed and verified)

MD5:
bac896ee1de6d8394f19495b8f7c0048

SHA-1:
0fe0a2559614010d24802e1e03b7488aef04be32

SHA-256:
5c66cc66f1cf8c64eb006f22f1d71e3a78ff057d95eab33c3427bdb723621251

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
12/24/2024 5:19:12 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Crypt.TPM.Gen
8.3.2.4

ESET NOD32
Win32/AdWare.KeywordFind (variant)
10.12931

F-Prot
W32/Themida_Packed
v6.4.7.1.166

Qihoo 360 Security
HEUR/QVM19.1.Malware.Gen
1.0.0.1077

VIPRE Antivirus
Backdoor.Win32.Ircbot.gen
46780

File size:
875.7 KB (896,752 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\topsadon\topsadon1u.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/25/2016 9:00:00 AM

Valid to:
1/25/2017 8:59:59 AM

Subject:
CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata
Compilation timestamp:
1/26/2016 5:21:15 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:Tkllf2kqQGvIC0vuTCA7gRaz3/7SenJH0aVn1wnP:QbfiHQSTCA0y3/PH0gn+P

Entry address:
0x1ED000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, 30, 0A, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, AA, 75, C0, 41, 68, A2, 19, 69, 4A, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.9139  (probably packed)

Code size:
403.5 KB (413,184 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
topsadon1u

Command:
"C:\users\{user}\appdata\roaming\topsadon\topsadon1u.exe"


The file topsadon1u.exe has been seen being distributed by the following 2 URLs.

Remove topsadon1u.exe - Powered by Reason Core Security