home

2efc0fa24a9513847cfac6d94441f0fa.exe

The application 2efc0fa24a9513847cfac6d94441f0fa.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This executable runs as a local area network (LAN) Internet proxy server listening on port 52368 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address static.vnpt.vn on port 80 using the HTTP protocol.
Version:
2.40.10.2

MD5:
5016bcf2b850757dbe68a358ec1a29b8

SHA-1:
379cfe09655dbd4f191f707468ee599d864be3da

SHA-256:
898f08413e67901a4b1a0314d71bc5cd524eaaf9b7656c382ff488b87c5b53ed

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 8:09:19 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Wajam.Meta (M)
16.1.12.20

File size:
486.5 KB (498,176 bytes)

Product version:
2.40.10.2

Original file name:
VDYYKG.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\wanetworkenhancer\wanetworkenhancer internet enhancer\2efc0fa24a9513847cfac6d94441f0fa.exe

File PE Metadata
Compilation timestamp:
1/6/2016 11:47:20 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:Bbu+THpLOZxUpiuedmH2etWtxEfSWH/sxNybRs:A+jF8qpqEqhT

Entry address:
0x7AE7E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
4.8058

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
484 KB (495,616 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:52368/

Local host port:
52368

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static.vnpt.vn  (113.171.236.152:443)

TCP (HTTP):
Connects to 45-117-76-150.bizmac.vn  (45.117.76.150:80)

TCP (HTTP):
Connects to ve987.venus.myloc.de  (89.163.210.111:80)

TCP (HTTP):
Connects to coccoc.com  (123.30.175.29:80)

TCP (HTTP):
Connects to cd.3e.559e.ip4.static.sl-reverse.com  (158.85.62.205:80)

TCP (HTTP):
Connects to c4.3e.559e.ip4.static.sl-reverse.com  (158.85.62.196:80)

TCP (HTTP):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:80)

TCP (HTTP):
Connects to a184-86-250-49.deploy.static.akamaitechnologies.com  (184.86.250.49:80)

TCP (HTTP):
Connects to server-52-85-83-97.lax1.r.cloudfront.net  (52.85.83.97:80)

TCP (HTTP):
Connects to server-52-85-83-67.lax1.r.cloudfront.net  (52.85.83.67:80)

TCP (HTTP SSL):
Connects to server-52-85-83-26.lax1.r.cloudfront.net  (52.85.83.26:443)

TCP (HTTP):
Connects to server-52-85-83-135.lax1.r.cloudfront.net  (52.85.83.135:80)

TCP (HTTP):
Connects to server-52-85-83-124.lax1.r.cloudfront.net  (52.85.83.124:80)

TCP (HTTP):
Connects to server-52-85-151-83.hkg51.r.cloudfront.net  (52.85.151.83:80)

TCP (HTTP):
Connects to server-52-85-151-243.hkg51.r.cloudfront.net  (52.85.151.243:80)

TCP (HTTP):
Connects to server-52-84-25-160.sea32.r.cloudfront.net  (52.84.25.160:80)

TCP (HTTP):
Connects to ec2-54-86-83-98.compute-1.amazonaws.com  (54.86.83.98:80)

TCP (HTTP):
Connects to ec2-52-3-215-241.compute-1.amazonaws.com  (52.3.215.241:80)

TCP (HTTP):
Connects to ec2-52-2-41-22.compute-1.amazonaws.com  (52.2.41.22:80)

TCP (HTTP):
Connects to ec2-52-21-158-163.compute-1.amazonaws.com  (52.21.158.163:80)

Remove 2efc0fa24a9513847cfac6d94441f0fa.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.