update.exe

PangYa Updater

The executable update.exe, “Ntreev Soft Co., Ltd.” has been detected as malware by 4 anti-virus scanners. While running, it connects to the Internet address mx-ll-110.164.128-82.static.3bb.co.th on port 80 using the HTTP protocol.
Product:
PangYa Updater

Description:
Ntreev Soft Co., Ltd.

Version:
2.00

MD5:
dec161bfd5b0807847491626f045c294

SHA-1:
b64f094325569f5ee20fe001b0fff64e5665bae5

SHA-256:
37e1928c951556514108bd3b0bd1dfb6f5fd0a3f385b05eed78ee36d19cc5efc

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
11/23/2024 9:06:21 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
W32/Sality.AG
7.11.30.172

Dr.Web
Trojan.DownLoader13.2018
9.0.1.05190

McAfee
Artemis!DEC161BFD5B0
5600.6734

Trend Micro House Call
Suspicious_GEN.F47V0508
7.2.166

File size:
3.5 MB (3,700,224 bytes)

Product version:
2.00

Copyright:
Copyright ⓒ 2006 Ntreev Soft Co., Ltd.

Original file name:
PangYa Update.exe

File type:
Executable application (Win32 EXE)

Language:
Korean (Korea)

Common path:
C:\Program Files\ntreevsoft\pangya_th\update.exe

File PE Metadata
Compilation timestamp:
12/4/2014 4:25:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
98304:yadkiS5yD91KuEMztA0mRnugiNAs3Mjt5mUHO02Kf+UOkCv:o5yDG09XamUWKf+UnC

Entry address:
0x12A79B

Entry point:
E8, 15, 16, 01, 00, E9, 89, FE, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 4C, 67, 5A, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 4C, 67, 5A, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B...
 
[+]

Entropy:
5.6192

Code size:
1.3 MB (1,381,376 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mx-ll-110.164.128-83.static.3bb.co.th  (110.164.128.83:80)

TCP (HTTP):
Connects to mx-ll-110.164.128-82.static.3bb.co.th  (110.164.128.82:80)

TCP (HTTP):
Connects to server-52-85-77-170.lax3.r.cloudfront.net  (52.85.77.170:80)

TCP (HTTP SSL):
Connects to s19772378.onlinehome-server.info  (87.106.18.237:443)

Remove update.exe - Powered by Reason Core Security