» 08a7wszsz.exe
Overview
Analysis
File Details
Downloads (1)
Network (12)

08a7wszsz.exe

Ding Ruan

The application 08a7wszsz.exe by Ding Ruan has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from dgkytklfjrqkb.cloudfront.net. While running, it connects to the Internet address server-54-230-216-116.mrs50.r.cloudfront.net on port 80 using the HTTP protocol.

File name:

08a7wszsz.exe

Publisher:

Ding Ruan (signed and verified)

MD5:

506e46c10ec56996e21711896bf6e05e

SHA-1:

d1e64f65293bd0c07c64ba110f5d7f92c8619ed5

SHA-256:

ef74bea51bbda03bca0705f3bcee142068cc26261a800b5f9b0486da4ad0235f

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

5/17/2024 3:34:50 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.ELEX (M)

17.1.25.13

File size:

409.9 KB (419,752 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\08a7wszsz.exe

Digital Signature

Signed by:

Ding Ruan

Authority:

thawte, Inc.

Valid from:

1/17/2017 5:30:00 AM

Valid to:

4/14/2017 5:29:59 AM

Subject:

CN=Ding Ruan, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

703FDC6C80FE51EE4915A03C4CA4B752

File PE Metadata

Compilation timestamp:

1/18/2017 1:28:32 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

Entry address:

0x2E04

Entry point:

E8, 61, 7A, 00, 00, E9, 19, 94, 00, 00, 6A, 08, 68, F8, 2A, 46, 00, E8, 86, 95, 00, 00, 8B, 45, 08, 85, C0, 74, 72, 81, 38, 63, 73, 6D, E0, 75, 6A, 83, 78, 10, 03, 75, 64, 81, 78, 14, 20, 05, 93, 19, 74, 12, 81, 78, 14, 21, 05, 93, 19, 74, 09, 81, 78, 14, 22, 05, 93, 19, 75, 49, 8B, 48, 1C, 85, C9, 74, 42, 8B, 51, 04, 85, D2, 74, 27, 83, 65, FC, 00, 52, FF, 70, 18, E8, C7, 2B, 00, 00, C7, 45, FC, FE, FF, FF, FF, EB, 25, 33, C0, 38, 45, 0C, 0F, 95, C0, C3, 8B, 65, E8, E8, 06, F4, FF, FF, F6, 01, 10, 74, 0F... 
[+]

Entropy:

7.8114 (probably packed)

Code size:

364.5 KB (373,248 bytes)

The file 08a7wszsz.exe has been seen being distributed by the following URL.

http://dgkytklfjrqkb.cloudfront.net/.../yomz.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to server-54-230-81-85.mia50.r.cloudfront.net (54.230.81.85:80)

TCP (HTTP):

Connects to server-54-230-81-71.mia50.r.cloudfront.net (54.230.81.71:80)

TCP (HTTP):

Connects to server-54-230-81-23.mia50.r.cloudfront.net (54.230.81.23:80)

TCP (HTTP):

Connects to server-54-230-81-202.mia50.r.cloudfront.net (54.230.81.202:80)

TCP (HTTP):

Connects to server-54-230-81-187.mia50.r.cloudfront.net (54.230.81.187:80)

TCP (HTTP):

Connects to server-54-230-216-85.mrs50.r.cloudfront.net (54.230.216.85:80)

TCP (HTTP):

Connects to server-54-230-216-116.mrs50.r.cloudfront.net (54.230.216.116:80)

TCP (HTTP):

Connects to server-52-84-246-99.sfo20.r.cloudfront.net (52.84.246.99:80)

TCP (HTTP):

Connects to server-52-84-246-98.sfo20.r.cloudfront.net (52.84.246.98:80)

TCP (HTTP):

Connects to server-52-84-246-81.sfo20.r.cloudfront.net (52.84.246.81:80)

TCP (HTTP):

Connects to server-52-84-246-57.sfo20.r.cloudfront.net (52.84.246.57:80)

TCP (HTTP):

Connects to server-52-84-246-251.sfo20.r.cloudfront.net (52.84.246.251:80)

Remove 08a7wszsz.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.