trippa.exe

yssoft

The application trippa.exe, “LuckyTool Application” by yssoft has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from down.luckytool.net. While running, it connects to the Internet address 16.234.212.118.adsl-pool.jx.chinaunicom.com on port 443.
Publisher:
luckytool  (signed by yssoft)

Product:
luckytool

Description:
LuckyTool Application

Version:
1.0.0.1

MD5:
408d473ed5180a53acaeb6c814a36313

SHA-1:
399f6579a6da415bfbebf3a2ec37b90c6de80b93

SHA-256:
12ef5a6d4817226337da770045503b87e43311e8e675c2261b043835fc5256e8

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/28/2024 3:30:36 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.yssoft (M)
16.4.22.0

File size:
3.6 MB (3,823,288 bytes)

Product version:
1.0.0.1

Copyright:
Copyright (C) 2014 luckytool

Original file name:
luckytool

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\tripp\trippa.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
3/24/2016 9:00:00 AM

Valid to:
5/24/2018 8:59:59 AM

Subject:
CN=yssoft, O=yssoft, L=Chilgok-gun, S=Gyeongsangbuk-do, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
4FFD8833DCF52D25418DA64CD58D741A

File PE Metadata
Compilation timestamp:
4/21/2015 4:38:42 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
98304:BSR45ZyhKmt8zB97mN0H8A528B5d7CFLOAkGkzdnEVomFHKnP7:c2U16y828B5d7CFLOyomFHKnP7

Entry address:
0x1442C8

Entry point:
E8, 0B, CD, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 60, AE, 5B, 00, E8, C2, 19, 00, 00, E8, 93, 66, 00, 00, 0F, B7, F0, 6A, 02, E8, 9E, CC, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, BC, 9D, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.6363

Code size:
1.4 MB (1,494,016 bytes)

The file trippa.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to 11.60.204.221.adsl-pool.sx.cn  (221.204.60.11:443)

TCP (HTTP SSL):
Connects to 16.234.212.118.adsl-pool.jx.chinaunicom.com  (118.212.234.16:443)

TCP (HTTP SSL):
Connects to 103.234.212.118.adsl-pool.jx.chinaunicom.com  (118.212.234.103:443)

Remove trippa.exe - Powered by Reason Core Security