» 382_tlwg.exe
Overview
Analysis
File Details
Downloads (21)

382_tlwg.exe

Zen Bros Media

The file 382_tlwg.exe by Zen Bros Media has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from intva31.menutelegraph.info and multiple other hosts.

File name:

382_tlwg.exe

Publisher:

Zen Bros Media (signed and verified)

MD5:

27ca58bb514cc6b0fd81dfbbe8686684

SHA-1:

45ec5d482f641e6a655f5dfbf418948b9586426b

SHA-256:

529a226b5b101d5f8cff393580920cb36f3d9cb012f5b3436341c3c48e7672ff

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

5/15/2024 12:54:37 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.DownloadAdmin.ZenBrosM

16.5.26.14

File size:

471.3 KB (482,576 bytes)

Common path:

C:\users\{user}\appdata\local\temp\382_tlwg.exe.part

Digital Signature

Signed by:

Zen Bros Media

Authority:

GoDaddy.com, Inc.

Valid from:

3/9/2016 3:12:43 AM

Valid to:

3/9/2017 3:12:43 AM

Subject:

CN=Zen Bros Media, O=Zen Bros Media, L=SAN FRANCISCO, S=California, C=US

Issuer:

CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:

00DA69A0BD854BB554

File PE Metadata

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

3.0

CTPH (ssdeep):

12288:3ThKd6hIaNYLNcYM4+Q3sMnMbI7cRFUJ/DNF99GIRYe:3VKd62AYJcYM4+Q3sMMbIIRFUJ/DNF97

Entry address:

0x4C6E0

Entry point:

C6, 05, 70, D2, 44, 00, 00, B9, 00, 00, 46, 00, BA, 04, 00, 46, 00, B8, B0, F6, 44, 00, E8, 65, FF, FF, FF, E8, 70, FF, FF, FF, B8, 90, F6, 44, 00, E8, 16, 4B, FC, FF, C3, 00, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

6.7059

Code size:

301.8 KB (309,024 bytes)

The file 382_tlwg.exe has been seen being distributed by the following 21 URLs.

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45017076&ephemeral=1&filename=adobe_flash_player.exe&cb=1391700107&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.upgradetelegram.info/dl-pure/1202331/.../?bc=1202331&checksum=49967345&ephemeral=1&filename=adobe_flash_player.exe&cb=1949560945&hashstring=dlkjdcnkjsdkaasd&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45045416&ephemeral=1&filename=adobe_flash_player.exe&cb=1159070345&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45007455&ephemeral=1&filename=adobe_flash_player.exe&cb=-974763521&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.nettransmitter.info/dl-pure/1202331/.../?bc=1202331&checksum=51569464&ephemeral=1&filename=adobe_flash_player.exe&cb=2049919591&hashstring=sdfasdfasdfa838sdf&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44971932&ephemeral=1&filename=adobe_flash_player.exe&cb=1243991860&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.upgradetelegram.info/dl-pure/1202331/.../?bc=1202331&checksum=49920644&ephemeral=1&filename=adobe_flash_player.exe&cb=933672953&hashstring=dlkjdcnkjsdkaasd&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44991675&ephemeral=1&filename=adobe_flash_player.exe&cb=-1098540952&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45030780&ephemeral=1&filename=adobe_flash_player.exe&cb=-1897977158&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44936769&ephemeral=1&filename=adobe_flash_player.exe&cb=-1842405665&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45023599&ephemeral=1&filename=adobe_flash_player.exe&cb=-1750287483&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45020403&ephemeral=1&filename=adobe_flash_player.exe&cb=-277659302&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45009389&ephemeral=1&filename=adobe_flash_player.exe&cb=-176013585&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44939411&ephemeral=1&filename=adobe_flash_player.exe&cb=1556042197&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.memoryintercom.info/dl-pure/1202331/.../?bc=1202331&checksum=45093870&ephemeral=1&filename=adobe_flash_player.exe&cb=-313336118&hashstring=lakjsdasdkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44933080&ephemeral=1&filename=adobe_flash_player.exe&cb=1962048945&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44974145&ephemeral=1&filename=adobe_flash_player.exe&cb=744985272&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44943286&ephemeral=1&filename=adobe_flash_player.exe&cb=-943521959&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44997080&ephemeral=1&filename=adobe_flash_player.exe&cb=712285263&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=44966789&ephemeral=1&filename=adobe_flash_player.exe&cb=-148410325&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

http://intva31.menutelegraph.info/dl-pure/1202331/.../?bc=1202331&checksum=45009273&ephemeral=1&filename=adobe_flash_player.exe&cb=-46659443&hashstring=lakjnasjdfkajscn&usefilename=true&executableroutePath=1203021&stub=true

Remove 382_tlwg.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.