u1504.exe

Ultrareach Internet Corp.

The application u1504.exe by Ultrareach Internet has been detected as a potentially unwanted program by 2 anti-malware scanners. This is a setup program which is used to install the application. This executable runs as a local area network (LAN) Internet proxy server listening on port 9666 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. The file has been seen being downloaded from download025.fshare.vn and multiple other hosts. While running, it connects to the Internet address server-54-230-163-42.jax1.r.cloudfront.net on port 443.
Publisher:
Ultrareach Internet Corp.  (signed and verified)

MD5:
08cd5b2aa0a51caf9be8306ed5f912d6

SHA-1:
422c97228c56f57b8391f8a19f49f1b9f653b264

SHA-256:
f4d6bbff05b3956a6394aa051059cf421355e4076e53a2b87a41481fe24709ff

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 6:30:38 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/UltraReach potentially unsafe application
8.0.319.0

Reason Heuristics
Win32.Generic
16.5.19.5

File size:
2.1 MB (2,217,784 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/14/2015 8:26:22 PM

Valid to:
1/14/2019 7:26:22 PM

Subject:
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=Wyoming, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112100B48FCB5938306938B171E279305E27

File PE Metadata
Compilation timestamp:
12/20/2015 6:12:21 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:/uI1w/3UCHuZRIii2bEjDp8KKlN78BtdZPT5aRlpKduZuo:V183a7IiiqEjDKtlaL5aOuZr

Entry address:
0x4F5000

Entry point:
56, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, A0, 11, 00, 2D, 00, 82, 0C, 10, 05, F7, 81, 0C, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, BF, 3F, 7A, 6A, 68, 4D, 54, 41, 2C, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, 3B, 4F, C0, 3F, 3A, C5, 3A, 04, 51, 33, B7, B8, 58, AD, 19, A0...
 
[+]

Entropy:
7.9437  (probably packed)

Code size:
924 KB (946,176 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:9666/

Local host port:
9666

Default credentials:
No


The file u1504.exe has been seen being distributed by the following 13 URLs.

http://download025.fshare.vn/dl/.../ultrasurf_1504.exe

http://ultrasurf.us/.../u.exe

http://mail.pku.edu.cn/coremail/XT3/.../readdata.jsp?ssid=kZG2YVwtKak7lCVilME4yQYVIDbf8UmveZwdvQVqh 0=&mid=3:1tbiAwAPD1Py7TUQ8AABsb&mboxa=&mode=download&part=3

http://f30.x8top.net/2107tmp/cf/soft/2016/1/ba/.../ultrasurf_1504.exe

http://f51.x8top.net/2107tmp/cf/soft/2016/1/ba/.../ultrasurf_1504.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-52-85-173-160.fra6.r.cloudfront.net  (52.85.173.160:443)

TCP (HTTP SSL):
Connects to server-54-230-163-42.jax1.r.cloudfront.net  (54.230.163.42:443)

TCP (HTTP SSL):
Connects to server-54-192-36-163.jfk1.r.cloudfront.net  (54.192.36.163:443)

TCP (HTTP SSL):
Connects to server-54-192-36-121.jfk1.r.cloudfront.net  (54.192.36.121:443)

TCP (HTTP SSL):
Connects to server-52-85-133-117.iad53.r.cloudfront.net  (52.85.133.117:443)

TCP (HTTP SSL):
Connects to server-54-230-216-19.mrs50.r.cloudfront.net  (54.230.216.19:443)

TCP (HTTP SSL):
Connects to server-54-230-163-112.jax1.r.cloudfront.net  (54.230.163.112:443)

TCP (HTTP SSL):
Connects to server-54-192-25-70.mxp4.r.cloudfront.net  (54.192.25.70:443)

TCP (HTTP SSL):
Connects to server-54-192-14-119.ams1.r.cloudfront.net  (54.192.14.119:443)

TCP (HTTP SSL):
Connects to server-52-85-74-66.lhr3.r.cloudfront.net  (52.85.74.66:443)

TCP (HTTP SSL):
Connects to server-52-85-133-89.iad53.r.cloudfront.net  (52.85.133.89:443)

TCP (HTTP SSL):
Connects to server-52-84-25-64.sea32.r.cloudfront.net  (52.84.25.64:443)

TCP (HTTP SSL):
Connects to any-in-2678.1e100.net  (216.239.38.120:443)

TCP (HTTP SSL):
Connects to 69-13-163-35.static.dal01.corespace.com  (69.13.163.35:443)

TCP:
Connects to 66-34-183-128.static.dal01.corespace.com  (66.34.183.128:25837)

TCP:
Connects to 66-34-150-156.static.dal01.corespace.com  (66.34.150.156:14320)

TCP (HTTP SSL):
Connects to 66-221-204-242.static.dal01.corespace.com  (66.221.204.242:443)

TCP (HTTP SSL):
Connects to 64-182-254-31.static.dal01.corespace.com  (64.182.254.31:443)

TCP (HTTP SSL):
Connects to 237.0.178.186.static.pichincha.andinanet.net  (186.178.0.237:443)

TCP (HTTP SSL):
Connects to 18-206-182-64.cust.dal01.corespace.com  (64.182.206.18:443)

Remove u1504.exe - Powered by Reason Core Security