0aa424af_stp.exe

BitTorrent Ultra Accelerator

Hipgnosis Vision

The application 0aa424af_stp.exe by Hipgnosis Vision has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from lb.cdn.m6web.fr. While running, it connects to the Internet address f2.fd.adb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
TrafficSpeeders LLC  (signed by Hipgnosis Vision)

Product:
BitTorrent Ultra Accelerator

Version:
6.0.0.0

MD5:
d1428706bc7751871afc4575fc30991b

SHA-1:
1526a8213babee14eaeb9da78ba774560ce5bd13

SHA-256:
a3890dc1ae63f221470399cae3399a4854e72e086675ec2c8e65fb841aa7fc1b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/22/2017 10:54:40 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.HipgnosisVision.Installer (M)
16.3.1.15

File size:
708.5 KB (725,512 bytes)

Copyright:
� TrafficSpeeders LLC

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\0aa424af_stp.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
2/16/2015 8:00:00 AM

Valid to:
4/17/2016 7:59:59 AM

Subject:
CN=Hipgnosis Vision, O=Hipgnosis Vision, L=Craiova, S=Dolj, C=RO

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
74CB8A9F6210A537EAE293153461ED0C

File PE Metadata
Compilation timestamp:
2/25/2012 3:19:59 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:oEbWyb+tFzRqFzViCT/e43BqegiiFtZcUCqNllV0Whzp6UvMfwFsqTZiaW96Q:o6WHWOZlCqNzVlhHMfwFDiawv

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file 0aa424af_stp.exe has been seen being distributed by the following URL.

http://lb.cdn.m6web.fr/d/c/a/1f2889924eaee29835edd9815f90fc61/57fe9940/soft/.../bittorrent-ultra-accelerator_6-0-0-0_en_121224.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to f2.fd.adb8.ip4.static.sl-reverse.com  (184.173.253.242:80)

Remove 0aa424af_stp.exe - Powered by Reason Core Security