xblive.exe

Microsoft Windows Operating System

Huang Liyun

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application xblive.exe, “Microsoft XBox Live” by Huang Liyun has been detected as a potentially unwanted program by 4 anti-malware scanners. It runs as a windows Service named “Xbox Live Network Manager Service”.
Publisher:
Microsoft Corporation  (signed by Huang Liyun)

Product:
Microsoft Windows Operating System

Description:
Microsoft XBox Live

Version:
6.3.9600.17284 (aaa.140822-1915)

MD5:
8d31988605966d5a730938be8b33dded

SHA-1:
98e46ecc15a5ba180b061696fa6c2cbf2eb3cb09

SHA-256:
45178b52ea0abcfc5e1477055b9f4900291aea8cf36fa6adf64cb2f835bd2416

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 2:51:05 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Mutabaha.2670
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Razy.35110
11.5.0.6191

Microsoft Security Essentials
Trojan:Win32/Dynamer!ac
1.235.2629.0

Reason Heuristics
Trojan.Dropper (M)
16.11.11.1

File size:
4.8 MB (4,992,952 bytes)

Product version:
xbox 4.0

Copyright:
Microsoft Corporation. All rights reserved.

Original file name:
xbox.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\xbox\xblive.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
5/10/2016 9:52:17 AM

Valid to:
5/10/2017 9:52:17 AM

Subject:
CN=Huang Liyun, L=Tangshan, S=Hebei, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
1A1C8242C0D3B3F640B48C854D2D3273

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
3.0

CTPH (ssdeep):
49152:Ty2i9DYhF4/+NOyvTxgh5Ty0QTBK3PHghmMSdkCGHlVUPllGLL+M4SX/v:G2i9H/MONHTy0QTBK3PHgUaHf1

Entry address:
0x50AD0

Entry point:
83, EC, 0C, 8B, 44, 24, 0C, 8D, 5C, 24, 10, 89, 44, 24, 04, 89, 5C, 24, 08, C7, 04, 24, FF, FF, FF, FF, E9, 01, 00, 00, 00, 00, E9, 4B, D2, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 8B, 5C, 24, 04, 64, C7, 05, 34, 00, 00, 00, 00, 00, 00, 00, 89, E5, 8B, 4B, 04, 89, C8, C1, E0, 02, 29, C4, 89, E7, 8B, 73, 08, FC, F3, A5, FF, 13, 89, EC, 8B, 5C, 24, 04, 89, 43, 0C, 89, 53, 10, 64, 8B, 05, 34, 00, 00, 00, 89, 43, 14, C3, 00, 00, 00, 00, 83, EC, 18, C7, 04, 24, F4, FF, FF, FF, 89, E5, FF, 15, 50, A0...
 
[+]

Code size:
4.7 MB (4,883,968 bytes)

Service
Display name:
Xbox Live Network Manager Service

Service name:
XBox

Type:
Win32OwnProcess, InteractiveProcess


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-52-67-25-90.sa-east-1.compute.amazonaws.com  (52.67.25.90:80)

Remove xblive.exe - Powered by Reason Core Security