1731.exe

The executable 1731.exe has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Updates’. While running, it connects to the Internet address apache2-yak.zarniwoop.dreamhost.com on port 80 using the HTTP protocol.
MD5:
7ee93e05750e8a6f0463f2e6c6bf7d39

SHA-1:
3fa705c91ce229d5efee2db48f1a075cddcc3a5f

SHA-256:
ef3fc9c2dc16e5a9dbd76aad6e692813c8ab9a08c5647b117039073e7398838d

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
4/25/2024 11:16:10 AM UTC

Scan engine                     Detection                     Engine version
avast!                          Win32:Sality                  160917-0
F-Secure                        Trojan.Scar.AG                5.15.154
Microsoft Security Essentials   Trojan:Win32/Tookibe.B!bit    1.229.436.0

File size:
2.9 MB (3,092,480 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
6/20/2002 3:43:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:T7sRH2ruMuk3RZMLcfWHxAWFkejkxNgdicg3rr/Zrrrrrrrrrrrrrrrrp3n1n18Y:TeC0k3REcf0jkxNsiHt9

Entry address:
0x2EC35D

Entry point:
83, 3C, 24, FE, 77, FE, 83, C1, 00, 8D, 64, 24, CC, 60, 83, EC, DC, E8, DA, FE, FF, FF, 4B, 86, F1, 66, 4B, F7, D1, 90, 75, F9, 31, E7, 90, 48, FF, 73, 3C, 59, 81, E9, FD, FF, FF, 7F, 73, E6, 86, F4, 90, 90, 8D, 07, 87, FF, 81, D9, E6, 13, 00, 00, 71, D6, 90, 47, 4E, F8, 90, 40, FF, B4, 19, E4, 13, 00, 80, 83, C4, 04, 66, 81, 44, 24, FC, B0, BA, 75, BD, 41, 48, B5, E2, 80, E1, 02, 68, DE, 0F, 84, FC, E8, A6, FE, FF, FF, 89, 74, 24, 44, E8, BA, FD, FF, FF, 89, 44, 24, 34, E9, AC, FE, FF, FF, 96, A5, 42, 58...

Entropy:
7.6780

Code size:
36 KB (36,864 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updates

Command:
C:\updates.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTP):
Connects to server250.net217.intbildns.org  (185.126.217.250:80)

TCP (HTTP):
Connects to server123.managedns.org  (103.14.97.123:80)

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

TCP (HTTP):
Connects to mail2.ic.cz  (88.86.100.180:80)

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)

Remove 1731.exe - Powered by Reason Core Security