wrar420_64_ptcorp.exe

The executable wrar420_64_ptcorp.exe has been detected as malware by 8 anti-virus scanners. It is a setup program used to install the application. The file is infected by an entry-point obscuring polymorphic file infector that creates a peer-to-peer botnet and receives URLs of additional files to download. The file has been seen being downloaded from dl-web.meocloud.pt.
MD5:
39472ed95bc56d30ddcc3d31e60ada92

SHA-1:
e67b75277674f8e3156b575ecdc503a9eef9956f

SHA-256:
3ac163be6fbc2953c131ae8b68943062d29f5be48f18a5a08c02983dd8ab53a1

Scanner detections:
8 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
11/15/2024 6:50:33 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| avast! | Win32:SaliCode | 160326-0 |
| AVG | Win32/Sality | 2015.0.4355 |
| Emsisoft Anti-Malware | Win32.Sality | 11.5.0.6191 |
| ESET NOD32 | Win32/Sality.NBA virus | 8.0.319.0 |
| F-Prot | W32/Sality.gen2 | 4.6.5.141 |
| F-Secure | Win32.Sality.3 | 5.15.96 |
| McAfee | Virus.W32/Sality.gen.z | 18.0.204.0 |
| Microsoft Security Essentials | Threat.Undefined | 1.217.1014.0 |

File size:
2.4 MB (2,474,189 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\wrar420_64_ptcorp.exe

File PE Metadata
Compilation timestamp:
2/17/2012 2:55:21 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:U6Y1gtEzxm5vKNv/eit+8oPnY+genOiy7V+rZj41bs2C:UR1gtcyhit+N9miC+rZc1Qz

Entry address:
0xB583

Entry point:
87, C7, 68, C8, BA, DF, 00, 0F, AF, D1, 0F, BF, F8, 8B, F1, F6, C7, 3F, 8D, 15, A2, 92, 27, 0F, FE, CA, 8D, 2D, 03, E8, 3A, 2C, FF, CE, 3D, 30, 5C, 00, 00, 3D, 25, EC, 00, 00, 71, 0A, 8D, 2D, C7, 35, 84, EA, 84, C4, 84, E2, 0F, BF, DE, 87, F3, C7, C3, BB, 32, 23, BD, 02, D4, 25, 01, 93, EA, 52, 8D, 0D, 78, 04, 91, 9C, 32, FB, E8, 3F, 00, 00, 00, 30, CF, 0F, B7, D6, 0F, AF, DA, 85, D7, 89, F3, F6, C6, 50, 0F, BF, E8, F2, 87, ED, FE, C0, B8, 97, A9, 7D, E8, BA, E3, C6, 00, 00, BE, 5D, 52, A8, 09, F6, C2, 0F...
 

Code size:
71.5 KB (73,216 bytes)

The file wrar420_64_ptcorp.exe has been seen being distributed by the following URL.
