u1601.exe

Ultrareach Internet Corp.

The application u1601.exe by Ultrareach Internet has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. This executable runs as a local area network (LAN) Internet proxy server listening on port 9666 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. The file has been seen being downloaded from s3-ap-southeast-1.amazonaws.com.
Publisher:
Ultrareach Internet Corp.  (signed and verified)

MD5:
33a0d53c4d22b84d399ae7d4ae2a866c

SHA-1:
fbb522a95028e37c931ad48981fdf821c4755d32

SHA-256:
8d2978f685e42d578f03b465532da1f3dd8602efe21e94905ad80a8f41d23f34

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 5:17:27 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Win32.Generic
16.7.2.3

File size:
2.5 MB (2,597,688 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\u1601.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/15/2015 12:26:22 AM

Valid to:
1/15/2019 12:26:22 AM

Subject:
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=Wyoming, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112100B48FCB5938306938B171E279305E27

File PE Metadata
Compilation timestamp:
7/1/2016 2:54:30 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:iY6vfRJpi0WSr9tTEtB0HFxVXHS0RM/LwA0hRwk+HplOy+IHJ9E5/oFVvv8f5tZf:/2JJsSJit2HhXHSz/LHK7+/Oyg5/oFVW

Entry address:
0x3B5120

Entry point:
60, BE, 00, F0, 53, 00, 8D, BE, 00, 20, EC, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.8386

Packer / compiler:
UPX 2.90LZMA

Code size:
2.5 MB (2,584,576 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:9666/

Local host port:
9666

Default credentials:
No


The file u1601.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-187-227.cdg51.r.cloudfront.net  (54.230.187.227:443)

TCP (HTTP SSL):
Connects to any-in-2678.1e100.net  (216.239.38.120:443)

Remove u1601.exe - Powered by Reason Core Security