trinity.mp4_6184428_20_shab.exe

Skymonk Solutions Limited

The application trinity.mp4_6184428_20_shab.exe by Skymonk Solutions Limited has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from 78.140.137.156 and multiple other hosts. While running, it connects to the Internet address 80-92-65-214.ip.dclux.com on port 80 using the HTTP protocol.
Publisher:
Skymonk Solutions Limited  (signed and verified)

MD5:
21bdd1f2e3c05f9182fa61e18ca936a9

SHA-1:
939ce3a4d96fc2cf12b2a25e64d5691aa3cf2cac

SHA-256:
d25ff337f13ae8b0d8e7fb7802639627d3e9465e8e12ba70e02133313ca32fef

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
11/5/2024 10:59:19 PM UTC  (today)

Scan engine | Detection | Engine version
Dr.Web | Tool.Skymonk.14 | 9.0.1.0116
ESET NOD32 | Win32/Skymonk | 8.9726
Fortinet FortiGate | Riskware/Agent | 4/26/2014
K7 AntiVirus | Unwanted-Program | 13.176.11896
Kaspersky | not-a-virus:Downloader.Win32.Agent | 14.0.0.3955
Reason Heuristics | PUP.SkymonkSolutionsLimited.AA | 14.5.19.1
Trend Micro House Call | TROJ_GEN.F47V0425 | 7.2.116

File size:
135 KB (138,264 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\trinity.mp4_6184428_20_shab.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/9/2012 3:00:00 AM

Valid to:
4/10/2015 2:59:59 AM

Subject:
CN=Skymonk Solutions Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Skymonk Solutions Limited, L=Tortola, S=Tortola, C=VG

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
632A5F301191DF03C4933D982BAD525F

File PE Metadata
Compilation timestamp:
2/24/2012 9:22:01 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:gtKr1f0hzRjeWsHybWSRiU4Lbs++CcTU8qt+yDJKIsuwlnN:eEG71TbWAipLo++C6qt/KfFnN

Entry address:
0x36DA

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 1C, C7, 44, 24, 10, C0, 8A, 40, 00, 89, 5C, 24, 18, C6, 44, 24, 14, 20, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, AC, 80, 40, 00, 53, FF, 15, A4, 82, 40, 00, 6A, 08, A3, 18, 36, 45, 00, E8, FD, 28, 00, 00, 53, 68, 60, 01, 00, 00, A3, 28, 35, 45, 00, 8D, 44, 24, 3C, 50, 53, 68, BF, 8A, 40, 00, FF, 15, 70, 81, 40, 00, 68, B4, 8A, 40, 00, 68, 20, F5, 44, 00, E8, 27, 26, 00, 00, FF, 15, A8, 80, 40, 00, 50, BF, 50, C0, 47, 00, 57, E8, 15, 26...
 
Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file trinity.mp4_6184428_20_shab.exe has been seen being distributed by the following 7 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 80-92-65-214.ip.dclux.com  (80.92.65.214:80)
