home

wintoflash_lite-1.4.0000.exe

Herucigas

Sivensys SRL

The executable wintoflash_lite-1.4.0000.exe, “Herucigas Setup ” has been detected as malware by 1 anti-virus scanner. The program is a setup application that uses the Inno Setup installer. The file has been seen being downloaded from www.funcentralnew.com.
Publisher:
Sivensys SRL  (signed and verified)

Product:
Herucigas

Description:
Herucigas Setup

MD5:
2336c1a3a88a6223fa347925fef87cf7

SHA-1:
007d155ff24aeeba64c50c62d823d3a7e6d3677e

SHA-256:
fd54c2cd9c6637f772ed3359c401cb1da77207ac43b3eabdb640617650d272a4

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/25/2024 8:40:55 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
17.2.6.17

File size:
1.3 MB (1,403,776 bytes)

Product version:
3.1

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\wintoflash_lite-1.4.0000.exe

Digital Signature
Signed by:
Sivensys SRL

Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 1:04:57 AM

Valid to:
10/21/2017 1:04:57 AM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xAA98

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 2E, 86, FF, FF, E8, 35, 98, FF, FF, E8, 9C, 9B, FF, FF, E8, B7, 9F, FF, FF, E8, 56, BF, FF, FF, E8, ED, E8, FF, FF, E8, 54, EA, FF, FF, 33, C0, 55, 68, 69, B1, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 32, B1, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, D0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, C2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, 24, 93, FF, FF, 8D, 55, F0, 33, C0, E8, 66, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.9869

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
40.5 KB (41,472 bytes)

The file wintoflash_lite-1.4.0000.exe has been seen being distributed by the following URL.

http://www.funcentralnew.com/of59sUutJWVw0rcerpCQ7o29A9vWQLS1RxGlHkrmajOI0J7gI MYCWeLPNpGxRQ3JQHCtvQUUzVy3yR7KPxqDVaes4uPFjUnXgM5ZhLpX4wEIt2h8omCBhGkRr65iRiuIgjJ7RILkNSUNPVJq0srDwUwIcEC3AYd0lnlG9MkwtHdwCCRKycHpb6vlav_TOB3AU5g7J4FyHgKC5xlvUwn0Dl2lZMunsHcvaYnmMOq3RUOdoEmTmFnodWLY1vJngcgTOFV8wn8vrNEipAtVIV_v7U1 bjRh4BL3v4e0s2fkcO4jlU_4ukP78CTWlzHcV0f2O4C3OAW6JFVr6QAG7lSzPmklJROQ1XABQKrV7jP2spqZ7VUj0hrws77P CM762jQIPSrQ2wXgyTYmarS1iooJsZs79CcMCRphVhcQ0O9cXyyDem9XUMGBsTpaacCRqAkNPj8Lzz5qmsuID8U28CkuxBwINXkOfilzpVIOz7t0DJ5teRDTA MbutPXfJlL0Fn2UDQrvR9am8QTxGk9JnbWZWp0snMqg8IdtJhGos28uNtR14Caw=-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-50-196-247.eu-west-1.compute.amazonaws.com  (52.50.196.247:80)

TCP (HTTP):
Connects to ec2-54-154-190-87.eu-west-1.compute.amazonaws.com  (54.154.190.87:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (52.216.16.224:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (199.58.87.151:80)

TCP (HTTP):
Connects to ec2-54-191-59-48.us-west-2.compute.amazonaws.com  (54.191.59.48:80)

TCP (HTTP):
Connects to ec2-54-186-117-168.us-west-2.compute.amazonaws.com  (54.186.117.168:80)

TCP (HTTP):
Connects to ec2-52-214-247-42.eu-west-1.compute.amazonaws.com  (52.214.247.42:80)

TCP (HTTP):
Connects to ec2-176-34-130-130.eu-west-1.compute.amazonaws.com  (176.34.130.130:80)

TCP (HTTP):
Connects to server-54-230-187-156.cdg51.r.cloudfront.net  (54.230.187.156:80)

TCP (HTTP):
Connects to ec2-54-154-109-8.eu-west-1.compute.amazonaws.com  (54.154.109.8:80)

TCP (HTTP):
Connects to ec2-52-49-170-39.eu-west-1.compute.amazonaws.com  (52.49.170.39:80)

TCP (HTTP):
Connects to a84-53-132-33.deploy.akamaitechnologies.com  (84.53.132.33:80)

TCP (HTTP):
Connects to 92b91b35.rdns.100tb.com  (146.185.27.53:80)

Remove wintoflash_lite-1.4.0000.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.