acroedit.exe

Edown_mfc Application

TRADE-VAN

The executable acroedit.exe, described in its version resource as “Edown_mfc MFC Application”, has been detected as malware by 32 of the 68 anti-virus scanners listed below. It persists by registering itself in the current user's Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name ‘acroedit.exe’, so it is started every time that user logs into Windows. While running, it connects over HTTP to 58.158.177.102 on TCP port 80 (reverse DNS: 58x158x177x102.ap58.ftth.ucom.ne.jp). The file carries a digital signature in the name of TRADE-VAN, but the signing certificate's subject is a web server name (CN=www.esupplychain.com.tw) issued by an SSL certification service, and its validity period ended on 7/18/2011, almost two years before the PE compilation timestamp of 6/10/2013. The publisher line below should therefore not be taken as evidence that the file is legitimate; re-check the signature independently (for example with PowerShell's Get-AuthenticodeSignature or signtool verify /pa) before trusting it.
Publisher:
TRADE-VAN  (signed and verified)

Product:
Edown_mfc Application

Description:
Edown_mfc MFC Application

Version:
1, 0, 0, 1

MD5:
c4c4f046d0d4be0cddbf91b79adbefb1

SHA-1:
d5c7325797341ab0e8b9a0b9f289002e7590f05a

SHA-256:
f584e9d40f4e9ce1cf745fc7413b26805e84462d323161aabe057873fa76f0cf

Scanner detections:
32 / 68

Status:
Malware

Analysis date:
4/26/2024 11:06:41 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Worm.Generic.441584 | 365
AhnLab V3 Security | Worm/Win32.Luder | 16.02.04
Avira AntiVirus | TR/Nemain.A | 7.11.148.58
avast! | Win32:Agent-AMKQ [Trj] | 2014.9-160204
AVG | Agent4 | 2017.0.2843
Baidu Antivirus | Worm.Win32.Luder | 4.0.3.1624
Bitdefender | Worm.Generic.441584 | 1.0.20.175
Bkav FE | W32.NatrocalAE.Trojan | 1.3.0.4959
Comodo Security | TrojWare.Win32.Dialer.AFXP | 18237
Dr.Web | Trojan.DownLoader9.19648 | 9.0.1.035
Emsisoft Anti-Malware | Worm.Generic.441584 | 8.16.02.04.04
ESET NOD32 | Win32/Agent.UYJ (variant) | 10.9771
Fortinet FortiGate | W32/Luder.BRWF!worm | 2/4/2016
F-Secure | Worm.Generic.441584 | 11.2016-04-02_5
G Data | Worm.Generic.441584 | 16.2.24
IKARUS anti.virus | Worm.Win32.Luder | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.177.12013
Kaspersky | Trojan.Win32.Karba | 14.0.0.712
McAfee | RDN/Generic.dx!clf | 5600.6499
Microsoft Security Essentials | Trojan:Win32/Nemain.A | 1.10502
MicroWorld eScan | Worm.Generic.441584 | 17.0.0.105
NANO AntiVirus | Trojan.Win32.Luder.buhrqp | 0.28.0.59608
Norman | Troj_Generic.MDMRR | 11.20160204
nProtect | Worm.Generic.441584 | 14.05.07.01
Panda Antivirus | Generic Malware | 16.02.04.04
Qihoo 360 Security | Win32/Worm.fef | 1.0.0.1015
Sophos | Mal/Generic-S | 4.98
Total Defense | Win32/Luder.BQ | 37.0.10924
Trend Micro House Call | TROJ_GEN.R00UC0PG213 | 7.2.35
Trend Micro | TROJ_GEN.R00UC0PG213 | 10.465.04
Vba32 AntiVirus | Worm.Luder | 3.12.26.0
VIPRE Antivirus | Trojan.Win32.Generic | 28984

File size:
222.8 KB (228,120 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright (C) 2010

Original file name:
Edown_mfc.EXE

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\adobe\acrobat\10.0\acroedit.exe

Digital Signature
Signed by:

Authority:
TAIWAN-CA.COM Inc.

Valid from:
7/2/2010 3:34:05 PM

Valid to:
7/18/2011 12:59:59 AM

Subject:
CN=www.esupplychain.com.tw, OU=TRADE-VAN, O=TRADE-VAN, L=Taipei, S=Taipei, C=TW

Issuer:
CN=TaiCA Secure CA, OU=SSL Certification Service Provider, O=TAIWAN-CA.COM Inc., C=TW

Serial number:
65C80810

File PE Metadata
Compilation timestamp:
6/10/2013 1:00:16 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:CAMyueYOd9XbYI0XCWWJDpaKwrukjaWBHctnTHDCXgPgsJlUBZCtCtYM:tMBIXbRBDpZwS9BgLBZzt

Entry address:
0xCA88

Entry point:
55, 8B, EC, 6A, FF, 68, 20, 99, 42, 00, 68, 74, C6, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 04, 72, 42, 00, 33, D2, 8A, D4, 89, 15, 74, 5C, 43, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 70, 5C, 43, 00, C1, E1, 08, 03, CA, 89, 0D, 6C, 5C, 43, 00, C1, E8, 10, A3, 68, 5C, 43, 00, 6A, 01, E8, F3, 1C, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, 64, 31, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...
 

Entropy:
6.1878

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
152 KB (155,648 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
acroedit.exe

Command:
C:\users\{user}\appdata\roaming\adobe\acrobat\10.0\acroedit.exe \300


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 58x158x177x102.ap58.ftth.ucom.ne.jp  (58.158.177.102:80)
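The indicators in this report (the three file hashes, the HKCU Run value and its path, the 58.158.177.102:80 connection, and the certificate validity dates set against the compile timestamp) can be checked on a suspect host offline. The script below is an added example, not tooling from this report's publisher: it parses a `reg export` of the Run key and `netstat -ano` style rows, hashes file contents, and tests whether the certificate was still valid when the PE was built. The registry export and netstat rows embedded in it are constructed sample input, not captured data.

```python
# Offline triage helpers for the acroedit.exe indicators listed in this report.
# Added example, not tooling from the report's publisher. The registry export
# and netstat rows below are constructed sample input, not captured data.
import hashlib
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Indicators copied from the report above.
IOC_HASHES = {
    "md5": "c4c4f046d0d4be0cddbf91b79adbefb1",
    "sha1": "d5c7325797341ab0e8b9a0b9f289002e7590f05a",
    "sha256": "f584e9d40f4e9ce1cf745fc7413b26805e84462d323161aabe057873fa76f0cf",
}
IOC_RUN_NAME = "acroedit.exe"
IOC_PATH_SUFFIX = r"\appdata\roaming\adobe\acrobat\10.0\acroedit.exe"
IOC_C2 = ("58.158.177.102", 80)
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of file contents, keyed like IOC_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def hash_matches(hashes: Dict[str, str]) -> List[str]:
    """Algorithms whose digest equals the reported sample's digest."""
    return [alg for alg, hexd in hashes.items() if IOC_HASHES.get(alg) == hexd.lower()]


_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_STR = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse the subset of .reg syntax 'reg export' emits: [key] headers followed by
    "name"="string" lines. Backslashes and quotes are backslash-escaped in .reg files."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _REG_STR.match(line)
        if m and key is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # single-pass unescape
            entries.append((key, m.group(1), value))
    return entries


def suspicious_autoruns(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Run-key values that carry the reported value name or point at the reported path."""
    hits = []
    for key, name, value in entries:
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        if name.lower() == IOC_RUN_NAME or IOC_PATH_SUFFIX in value.lower():
            hits.append((key, name, value))
    return hits


def c2_connections(netstat_rows: List[str]) -> List[Tuple[str, int]]:
    """(local endpoint, PID) for TCP sockets whose peer is the reported address:port."""
    hits = []
    for row in netstat_rows:
        parts = row.split()
        if len(parts) != 5 or parts[0] != "TCP":  # TCP rows: proto local remote state pid
            continue
        host, port = parts[2].rsplit(":", 1)
        if (host, int(port)) == IOC_C2:
            hits.append((parts[1], int(parts[4])))
    return hits


def signature_covers_build(valid_from: str, valid_to: str, compile_ts: str) -> bool:
    """True only if the certificate was valid at the PE compilation timestamp (report date
    format). A file compiled after the certificate expired can only have been signed after
    expiry, unless the PE timestamp itself was tampered with."""
    fmt = "%m/%d/%Y %I:%M:%S %p"
    start, end, built = (datetime.strptime(s, fmt) for s in (valid_from, valid_to, compile_ts))
    return start <= built <= end


# Constructed sample input (not captured from a real host).
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"acroedit.exe"="C:\\users\\alice\\appdata\\roaming\\adobe\\acrobat\\10.0\\acroedit.exe \\300"
'''
SAMPLE_NETSTAT = [
    "TCP    10.0.0.5:51234    58.158.177.102:80    ESTABLISHED    4120",
    "TCP    10.0.0.5:51235    192.0.2.10:443       ESTABLISHED    2208",
    "TCP    [::1]:5357        [::]:0               LISTENING      1340",
    "UDP    0.0.0.0:5353      *:*                                 1012",
]


def triage() -> Dict[str, object]:
    return {
        "hash_hits": hash_matches(file_hashes(b"constructed placeholder bytes")),
        "autorun_hits": suspicious_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)),
        "c2_hits": c2_connections(SAMPLE_NETSTAT),
        "cert_valid_at_build": signature_covers_build(
            "7/2/2010 3:34:05 PM", "7/18/2011 12:59:59 AM", "6/10/2013 1:00:16 AM"),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

On a real host, feed `parse_reg_export` the output of `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and `c2_connections` the lines of `netstat -ano`; a hash hit on the file at the common path above is conclusive, while the autorun and connection checks also catch renamed or recompiled variants that keep the same persistence point or infrastructure.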

Powered by Reason Core Security