» topsadon1u.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (2)

topsadon1u.exe

neomedia

The application topsadon1u.exe by neomedia has been detected as a potentially unwanted program by 5 anti-malware scanners. This is a setup program which is used to install the application. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘topsadon1u’. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot.

File name:

topsadon1u.exe

Publisher:

neomedia (signed and verified)

MD5:

bac896ee1de6d8394f19495b8f7c0048

SHA-1:

0fe0a2559614010d24802e1e03b7488aef04be32

SHA-256:

5c66cc66f1cf8c64eb006f22f1d71e3a78ff057d95eab33c3427bdb723621251

Scanner detections:

5 / 68

Status:

Potentially unwanted

Explanation:

Part of a backdoor IRC bot network.

Analysis date:

11/15/2024 11:47:46 AM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

TR/Crypt.TPM.Gen

8.3.2.4

ESET NOD32

Win32/AdWare.KeywordFind (variant)

10.12931

F-Prot

W32/Themida_Packed

v6.4.7.1.166

Qihoo 360 Security

HEUR/QVM19.1.Malware.Gen

1.0.0.1077

VIPRE Antivirus

Backdoor.Win32.Ircbot.gen

46780

File size:

875.7 KB (896,752 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\topsadon\topsadon1u.exe

Digital Signature

Signed by:

neomedia

Authority:

thawte, Inc.

Valid from:

1/25/2016 9:00:00 AM

Valid to:

1/25/2017 8:59:59 AM

Subject:

CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata

Compilation timestamp:

1/26/2016 5:21:15 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:Tkllf2kqQGvIC0vuTCA7gRaz3/7SenJH0aVn1wnP:QbfiHQSTCA0y3/PH0gn+P

Entry address:

0x1ED000

Entry point:

83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, 30, 0A, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, AA, 75, C0, 41, 68, A2, 19, 69, 4A, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

7.9139 (probably packed)

Code size:

403.5 KB (413,184 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

topsadon1u

Command:

"C:\users\{user}\appdata\roaming\topsadon\topsadon1u.exe"

The file topsadon1u.exe has been seen being distributed by the following 2 URLs.

http://down1.topsadon1.com/.../topsadon1u.exe

http://down.topsadon1.com/.../topsadon1u.exe

Remove topsadon1u.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.