windows-mdia-player-12-for-7.rar_5780858_22_letf.exe

Skymonk Solutions Limited

The application windows-mdia-player-12-for-7.rar_5780858_22_letf.exe by Skymonk Solutions Limited has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from letitbit.net and multiple other hosts. While running, it connects to the Internet address 80-92-65-214.ip.dclux.com on port 80 using the HTTP protocol.
Publisher:
Skymonk Solutions Limited (signed and verified)

MD5:
dfae100cd05fc1e567715c8cf8f50b49

SHA-1:
11972a9b81aa5b9ec0f970eb1ff8ddc84749a6c2

SHA-256:
04e403ed03bcf43497aa0f4da2e932ae98a196ee6f4642c6f56193f2e8600384

Scanner detections:
6 / 68

Status:
Adware

Analysis date:
11/5/2024 11:10:51 PM UTC

Scan engine       | Detection                       | Engine version
Bkav FE           | W32.Clode63.Trojan              | 1.3.0.4959
Dr.Web            | Tool.Skymonk.3                  | 9.0.1.0138
Kaspersky         | not-a-virus:AdWare.Win32.Skyli  | 14.0.0.3848
Quick Heal        | (Suspicious) - DNAScan          | 5.14.14.00
Reason Heuristics | PUP.SkymonkSolutionsLimited.p   | 14.5.19.1
Vba32 AntiVirus   | AdWare.Skyli.a                  | 3.12.26.0

File size:
358.7 KB (367,320 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\windows-mdia-player-12-for-7.rar_5780858_22_letf.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/9/2012 4:00:00 AM

Valid to:
4/10/2015 3:59:59 AM

Subject:
CN=Skymonk Solutions Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Skymonk Solutions Limited, L=Tortola, S=Tortola, C=VG

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
632A5F301191DF03C4933D982BAD525F

File PE Metadata
Compilation timestamp:
12/6/2009 2:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:je34jgSchH4WG6nCCYK85cspQTHQwquAoSHCWb33OOsqVw1rbZEU6qUT:xkxHG6nxp8AquAo23OO1kF5UT

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file windows-mdia-player-12-for-7.rar_5780858_22_letf.exe has been seen being distributed by the following 10 URLs.

http://letitbit.net/downloader_11461363_83_letF.exe

http://letitbit.net/downloader_12051468_26_letF.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 80-92-65-214.ip.dclux.com  (80.92.65.214:80)