u.exe

Ultrareach Internet Corp.

The application u.exe by Ultrareach Internet has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This executable runs as a local area network (LAN) Internet proxy server listening on port 9666 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address server-54-230-136-185.lax1.r.cloudfront.net on port 443.
Publisher:
Ultrareach Internet Corp.  (signed and verified)

MD5:
5591d98067961e3a35a336578315515b

SHA-1:
f4b5f984f827d2e3aec75d1d365a34d27779d29b

SHA-256:
d8a2c933e2eaa455da60ac57f54b6915d2b229ea03ecafbe3ffc7139baef1964

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/25/2024 7:31:43 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Optional.UltrareachInternetCorp.B

Engine version:
14.6.28.5

File size:
2.6 MB (2,718,944 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/6/2012 1:03:59 AM

Valid to:
1/11/2016 7:04:39 PM

Subject:
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=WY, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C51978F0ED636CA3C5B5C4D33D022C10

File PE Metadata
Compilation timestamp:
6/24/2014 11:27:50 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
3.0

CTPH (ssdeep):
49152:TlvQxR2zSaRKuwXzbQU88DubFm2YAhHYkJGSPfC:pvjz3OnQj4AhHYkoZ

Entry address:
0x85F000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, 00, 0C, 00, 2D, B7, F7, 0A, 10, 05, AC, F7, 0A, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 44, D3, 94, 01, 68, 8F, 32, B2, 3D, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, F6, 9E, 11, D8, D8, 4C, CC, 1A, 6C, CB, 74, F7, 16, B6...

Entropy:
7.9846  (probably packed)

Code size:
4.5 MB (4,669,952 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:9666/

Local host port:
9666

Default credentials:
No

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-138-9.lax1.r.cloudfront.net  (54.230.138.9:443)

TCP (HTTP SSL):
Connects to server-52-84-246-58.sfo20.r.cloudfront.net  (52.84.246.58:443)

TCP (HTTP SSL):
Connects to server-54-230-140-29.sfo5.r.cloudfront.net  (54.230.140.29:443)

TCP (HTTP SSL):
Connects to server-54-230-138-238.lax1.r.cloudfront.net  (54.230.138.238:443)

TCP (HTTP SSL):
Connects to server-52-84-246-222.sfo20.r.cloudfront.net  (52.84.246.222:443)

TCP (HTTP SSL):
Connects to server-52-84-246-201.sfo20.r.cloudfront.net  (52.84.246.201:443)

TCP (HTTP SSL):
Connects to server-52-84-102-74.del51.r.cloudfront.net  (52.84.102.74:443)

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (54.231.81.244:443)

TCP (HTTP SSL):
Connects to server-54-230-51-203.jfk5.r.cloudfront.net  (54.230.51.203:443)

TCP (HTTP SSL):
Connects to server-54-230-51-136.jfk5.r.cloudfront.net  (54.230.51.136:443)

TCP (HTTP SSL):
Connects to server-54-230-143-147.sfo5.r.cloudfront.net  (54.230.143.147:443)

TCP (HTTP SSL):
Connects to server-54-230-143-124.sfo5.r.cloudfront.net  (54.230.143.124:443)

TCP (HTTP SSL):
Connects to server-54-230-141-249.sfo5.r.cloudfront.net  (54.230.141.249:443)

TCP (HTTP SSL):
Connects to server-54-230-141-244.sfo5.r.cloudfront.net  (54.230.141.244:443)

TCP (HTTP SSL):
Connects to server-54-230-141-204.sfo5.r.cloudfront.net  (54.230.141.204:443)

TCP (HTTP SSL):
Connects to server-54-230-141-151.sfo5.r.cloudfront.net  (54.230.141.151:443)

TCP (HTTP SSL):
Connects to server-54-230-141-146.sfo5.r.cloudfront.net  (54.230.141.146:443)

TCP (HTTP SSL):
Connects to server-54-230-141-116.sfo5.r.cloudfront.net  (54.230.141.116:443)

TCP (HTTP SSL):
Connects to server-54-230-141-114.sfo5.r.cloudfront.net  (54.230.141.114:443)

TCP (HTTP SSL):
Connects to server-54-230-141-111.sfo5.r.cloudfront.net  (54.230.141.111:443)

Powered by Reason Core Security