winsaber.exe

Dening Hu

The application winsaber.exe by Dening Hu has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “winsaber”. While running, it connects to the Internet address server-54-230-141-131.sfo5.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Dening Hu  (signed and verified)

MD5:
f5cfd80856d16a335aa47cfc283100f3

SHA-1:
e2ee50bc45e3d080ee2654758b37b478e8053255

SHA-256:
6fa5136b0ed2b4367a23f61aefb2ccd900921b019f7d34ef0dff229da196e0fd

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 9:56:42 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Elex (M)
16.8.1.9

File size:
351.3 KB (359,704 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\winsaber\winsaber.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
7/28/2016 8:00:00 AM

Valid to:
6/9/2017 7:59:59 AM

Subject:
CN=Dening Hu, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1B5D997D61943E8FF1BDF34C65EE5719

File PE Metadata
Compilation timestamp:
7/29/2016 10:39:29 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:vFLGovms278CSu3i36qRKu4BDg7Q3kfd+D7h95el0EGPcSuDWZnZlgqjCg:C7+bbKuCk1+fr5el0VPcSuDWXl8g

Entry address:
0x21894

Entry point:
E8, 65, BD, 00, 00, E9, 7F, FE, FF, FF, E8, 9E, 3D, 00, 00, 85, C0, 75, 06, B8, 34, 46, 45, 00, C3, 83, C0, 0C, C3, 55, 8B, EC, 56, E8, E4, FF, FF, FF, 8B, 4D, 08, 51, 89, 08, E8, 20, 00, 00, 00, 59, 8B, F0, E8, 05, 00, 00, 00, 89, 30, 5E, 5D, C3, E8, 6A, 3D, 00, 00, 85, C0, 75, 06, B8, 30, 46, 45, 00, C3, 83, C0, 08, C3, 55, 8B, EC, 8B, 4D, 08, 33, C0, 3B, 0C, C5, C8, 44, 45, 00, 74, 27, 40, 83, F8, 2D, 72, F1, 8D, 41, ED, 83, F8, 11, 77, 05, 6A, 0D, 58, 5D, C3, 8D, 81, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8...
 
[+]

Entropy:
6.4126

Code size:
264 KB (270,336 bytes)

Service
Display name:
winsaber

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-36-50.jfk1.r.cloudfront.net  (54.192.36.50:80)

TCP (HTTP):
Connects to server-54-192-36-29.jfk1.r.cloudfront.net  (54.192.36.29:80)

TCP (HTTP):
Connects to server-54-192-36-169.jfk1.r.cloudfront.net  (54.192.36.169:80)

TCP (HTTP):
Connects to server-54-192-36-154.jfk1.r.cloudfront.net  (54.192.36.154:80)

TCP (HTTP):
Connects to server-54-192-36-227.jfk1.r.cloudfront.net  (54.192.36.227:80)

TCP (HTTP):
Connects to server-54-192-36-137.jfk1.r.cloudfront.net  (54.192.36.137:80)

TCP (HTTP):
Connects to server-54-230-81-54.mia50.r.cloudfront.net  (54.230.81.54:80)

TCP (HTTP):
Connects to server-54-230-187-43.cdg51.r.cloudfront.net  (54.230.187.43:80)

TCP (HTTP):
Connects to server-54-192-36-99.jfk1.r.cloudfront.net  (54.192.36.99:80)

TCP (HTTP):
Connects to server-54-192-36-76.jfk1.r.cloudfront.net  (54.192.36.76:80)

TCP (HTTP):
Connects to server-54-192-36-245.jfk1.r.cloudfront.net  (54.192.36.245:80)

TCP (HTTP):
Connects to server-54-192-36-231.jfk1.r.cloudfront.net  (54.192.36.231:80)

TCP (HTTP):
Connects to server-54-192-36-123.jfk1.r.cloudfront.net  (54.192.36.123:80)

TCP (HTTP):
Connects to server-52-85-221-15.cdg50.r.cloudfront.net  (52.85.221.15:80)

TCP (HTTP):
Connects to server-52-84-230-66.sfo9.r.cloudfront.net  (52.84.230.66:80)

TCP (HTTP):
Connects to server-52-84-230-60.sfo9.r.cloudfront.net  (52.84.230.60:80)

TCP (HTTP):
Connects to server-54-239-132-176.sfo9.r.cloudfront.net  (54.239.132.176:80)

TCP (HTTP):
Connects to server-54-230-216-168.mrs50.r.cloudfront.net  (54.230.216.168:80)

TCP (HTTP):
Connects to server-54-230-163-45.jax1.r.cloudfront.net  (54.230.163.45:80)

TCP (HTTP):
Connects to server-54-230-163-35.jax1.r.cloudfront.net  (54.230.163.35:80)

Remove winsaber.exe - Powered by Reason Core Security