vaub36e.tmp.exe

SushiLeads

The application vaub36e.tmp.exe has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from secured.westsecurecdn.us and multiple other hosts. While running, it connects to the Internet address 97.57.364a.static.theplanet.com on port 80 using the HTTP protocol.
Publisher:
SushiLeads

Product:
sushileads

Version:
2.5.0.0

MD5:
cf7c277d64786ac7e6dafa886d2276c7

SHA-1:
381ae73b2b6fc2a1e8740cf7c4884a9109b10f90

SHA-256:
50d078b4a540825fd8f3d04bbd61467848be5ed39c455e208c816140c4bac68c

Scanner detections:
7 / 68

Status:
Potentially unwanted

Analysis date:
1/11/2025 10:04:42 PM UTC

Scan engine            Detection                        Engine version
Avira AntiVirus        ADWARE/Pasta.2010417             8.3.1.6
avast!                 Win32:Dropper-gen [Drp]          2014.9-150724
AVG                    Generic6                         2016.0.3039
Dr.Web                 Trojan.DownLoader14.1603         9.0.1.0179
Malwarebytes           PUP.Optional.SushiLeads.A        v2015.06.28.06
McAfee                 Artemis!CDF5F7A3C28C             5600.6695
Qihoo 360 Security     HEUR/QVM42.1.Malware.Gen         1.0.0.1015

File size:
1.9 MB (2,010,417 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\vaub36e.tmp.exe

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:T5GXd7hE5u/UZYPmzXXBGHENp7onTb4xkt:TUXdwuMCPeXRGHApCb4i

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9891

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file vaub36e.tmp.exe has been seen being distributed by the following 4 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 97.57.364a.static.theplanet.com (74.54.87.151:80)

Remove vaub36e.tmp.exe - Powered by Reason Core Security