u1502.exe

Ultrareach Internet Corp.

The application u1502.exe by Ultrareach Internet has been detected as a potentially unwanted program by 4 anti-malware scanners. It is the setup program used to install the application. The executable runs as a local area network (LAN) Internet proxy server listening on port 9666 and can intercept and modify all inbound and outbound Internet traffic on the local host. The file has been seen being downloaded from wujieupdate.s3.amazonaws.com and multiple other hosts. While running, it connects to the Internet address 251.0.178.186.static.pichincha.andinanet.net on port 443.
Publisher:
Ultrareach Internet Corp.  (signed and verified)

MD5:
5df5990318894933cf68678f1e028f80

SHA-1:
d496a0bcc0e482d1d96efd9b4bba0ea21260ea95

SHA-256:
3b0b55014d4e000f4666a454075c155cb268dd8e25a8cc89fee9f1d8e4d58f13

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 1:09:43 AM UTC

Scan engine        | Detection                                      | Engine version
Baidu Antivirus    | Hacktool.Win32.UltraReach                      | 4.0.3.15912
ESET NOD32         | Win32/UltraReach potentially unsafe (variant)  | 9.12241
Fortinet FortiGate | Riskware/UltraReach                            | 9/12/2015
Reason Heuristics  | Win32.Generic.UltrareachInternetCorp.Meta      | 15.9.12.5

File size:
2 MB (2,090,720 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/6/2012 5:33:59 AM

Valid to:
1/11/2016 11:34:39 PM

Subject:
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=WY, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C51978F0ED636CA3C5B5C4D33D022C10

File PE Metadata
Compilation timestamp:
9/12/2015 8:44:28 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:B8/ZCB1J34B8wg/RleGfV6GnXXHhiOezyKV0:B8BSn4Q/LtV6GX4OG0

Entry address:
0x493000

Entry point:
56, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, D0, 0F, 00, 2D, 00, 82, 0C, 10, 05, F7, 81, 0C, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 47, E3, A5, 64, 68, A1, 0C, 9F, 17, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, 7B, 56, 95, D4, 18, 97, 6B, 67, 1A, 45, 12, 3A, 87, AC, 17, 5A...

Entropy:
7.9408  (probably packed)

Code size:
920 KB (942,080 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:9666/

Local host port:
9666

Default credentials:
No


The file u1502.exe has been seen being distributed by the following 5 URLs.

https://wujieupdate.s3.amazonaws.com/.../u.exe

https://mail.google.com/mail/u/.../?ui=2&ik=a9d8f46423&view=att&th=15111cfbedbfc664&attid=0.1&disp=safe&realattid=f_ih2cuohi0&zw

temp:U1502.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (52.216.227.59:443)

TCP (HTTP SSL):
Connects to server-54-192-190-17.maa3.r.cloudfront.net  (54.192.190.17:443)

TCP (HTTP SSL):
Connects to server-54-192-216-155.mrs50.r.cloudfront.net  (54.192.216.155:443)

TCP (HTTP SSL):
Connects to server-54-240-168-78.sin3.r.cloudfront.net  (54.240.168.78:443)

TCP (HTTP SSL):
Connects to server-54-230-134-11.syd1.r.cloudfront.net  (54.230.134.11:443)

TCP (HTTP SSL):
Connects to server-54-230-206-60.atl50.r.cloudfront.net  (54.230.206.60:443)

TCP (HTTP SSL):
Connects to server-54-230-206-226.atl50.r.cloudfront.net  (54.230.206.226:443)

TCP (HTTP SSL):
Connects to server-54-192-19-234.iad12.r.cloudfront.net  (54.192.19.234:443)

TCP (HTTP SSL):
Connects to server-52-85-221-225.cdg50.r.cloudfront.net  (52.85.221.225:443)

TCP:
Connects to domain.not.configured  (216.41.52.73:16357)

TCP:
Connects to 66-34-120-17.static.dal01.corespace.com  (66.34.120.17:60377)

TCP (HTTP SSL):
Connects to 64-182-188-14.static.dal01.corespace.com  (64.182.188.14:443)

TCP:
Connects to www.level3.com.c.footprint.net  (166.90.186.123:10548)

TCP:
Connects to tty3.setgrowth.com  (66.34.22.122:20176)

TCP (HTTP SSL):
Connects to server-54-240-186-140.mad50.r.cloudfront.net  (54.240.186.140:443)

TCP (HTTP SSL):
Connects to server-54-240-184-9.ams50.r.cloudfront.net  (54.240.184.9:443)

TCP (HTTP SSL):
Connects to server-54-239-132-97.sfo9.r.cloudfront.net  (54.239.132.97:443)

TCP (HTTP SSL):
Connects to server-54-230-81-254.mia50.r.cloudfront.net  (54.230.81.254:443)

TCP (HTTP SSL):
Connects to server-54-230-81-165.mia50.r.cloudfront.net  (54.230.81.165:443)

TCP (HTTP SSL):
Connects to server-54-230-59-254.gru1.r.cloudfront.net  (54.230.59.254:443)

Remove u1502.exe - Powered by Reason Core Security