winrar-521.exe

The executable winrar-521.exe has been detected as malware by 8 anti-virus scanners. This is a setup program which is used to install the application. The file is infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receive URLs of additional files to download. The file has been seen being downloaded from f20.softwaretop.net.

MD5:
1fc89f7c2a3dc50b04f134a0d41de28c

SHA-1:
fafa438b2350b455e06339792c19ed89891e440f

SHA-256:
134a5975755b4bc1a3d961e1ec322c0fdb7f317779724dc5154fadace18ce91f

Scanner detections:
8 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
11/23/2024 9:49:03 AM UTC

Scan engine                      Detection                 Engine version
avast!                           Win32:Kukacka             160503-1
AVG                              Win32/Sality              2015.0.4591
ESET NOD32                       Win32/Sality.NBA virus    7.0.302.0
F-Prot                           W32/Sality.gen2           4.6.5.141
McAfee                           Virus.W32/Sality.gen.z    18.0.204.0
Microsoft Security Essentials    Threat.Undefined          1.223.2255.0
Norman                           Win32.Sality.3            22.05.2016 07:18:28
VIPRE Antivirus                  Threat.4721115            50170

File size:
1.7 MB (1,829,672 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\winrar-521.exe

File PE Metadata
Compilation timestamp:
2/15/2015 3:00:42 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:5TDYlHpTgCiI2qgX2nZTG5/YavJMHd73hYSeX/:5TkHNiEgMZTSthM97xNW/

Entry address:
0x1D20B

Entry point:
60, C1, ED, 53, 09, F9, D1, F9, 50, C1, D5, D0, 1D, E4, 7E, E3, 4A, F6, C6, AD, 15, 79, 45, FD, 92, F2, 0F, BA, F9, 65, C6, C0, 7B, 0F, A4, F7, 54, 05, C9, 1C, 14, C9, 0F, B6, C5, BD, 06, 90, 00, 00, F2, C6, C4, AB, 84, EB, 81, ED, E5, 0E, 00, 00, 0F, AC, F0, C8, BA, 00, 00, 00, 00, EB, 03, 0F, AF, CD, 03, D5, 0F, C1, FB, 0F, AF, C8, 0A, E5, 81, C2, AD, 00, 00, 00, 0F, AF, ED, 0F, B3, F3, 0F, C1, D6, 8D, 3D, E9, 77, 98, 01, 81, EE, 92, 07, 00, 00, FF, C2, F2, C7, C2, 5C, F1, 03, DB, 69, F0, D7, A6, DE, 4E...
 

Code size:
160.5 KB (164,352 bytes)

The file winrar-521.exe has been seen being distributed by the following URL.

Remove winrar-521.exe - Powered by Reason Core Security