apptrailers.exe

TrailerWatch

The executable apptrailers.exe has been flagged by 1 of 68 anti-virus scanners (a heuristic detection as a potentially unwanted program, PUP). It is set to execute automatically whenever any user logs into Windows, through the machine-wide Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'AppTrailers'. While running, it connects to the Internet address 207.snat-111-91-127.hns.net.in on port 443.
Publisher:
TrailerWatch  (signed; the certificate is self-signed: subject and issuer are identical, so the signature does not chain to a trusted certificate authority and Windows will not treat it as a verified publisher unless the certificate has been installed manually)

MD5:
f9edaa1281cc00abf4ed4002f2e3e56d

SHA-1:
b38845adaf60f82296e0cdea287cd8002f95c336

SHA-256:
e6c0fc73ad4d4f34e64bdef85f5e275d126abf65ceed2e00e02e9331aa31ce4e

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
2/1/2017 5:54:36 PM UTC  (nine months ago)

Scan engine          Detection   Engine version
Reason Heuristics    PUP (M)     17.2.1.12

File size:
45.6 MB (47,837,200 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\apptrailers\apptrailers.exe

Digital Signature
Signed by:

Authority:
TrailerWatch

Valid from:
2/5/2016 2:03:06 PM

Valid to:
2/2/2026 2:03:06 PM

Subject:
CN=TrailerWatch, OU=TrailerWatch, O=TrailerWatch, S=Some-State, C=US

Issuer:
CN=TrailerWatch, OU=TrailerWatch, O=TrailerWatch, S=Some-State, C=US

Serial number:
00A0FBD74B3D188329

File PE Metadata
Compilation timestamp:
1/15/2017 12:03:31 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C99451

Entry point:
E8, 9A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, B8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, B8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, B8, EC, 02, 02, 74, 21, 6A, 17, E8, C9, 2D, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8719

Code size:
34.9 MB (36,635,648 bytes)
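To check a suspect file against the hashes listed above, and to see where a whole-file entropy figure like the 6.8719 reported here comes from, the following Python triage helper is added as an example; it is not code from this report or from the TrailerWatch publisher. The three digests are copied from this page; the packing threshold of 7.2 bits per byte and the inputs used in the usage block are assumptions for illustration.

```python
import hashlib
import math
import sys
from collections import Counter

# Hash indicators copied from the report above.
KNOWN_HASHES = {
    "md5": "f9edaa1281cc00abf4ed4002f2e3e56d",
    "sha1": "b38845adaf60f82296e0cdea287cd8002f95c336",
    "sha256": "e6c0fc73ad4d4f34e64bdef85f5e275d126abf65ceed2e00e02e9331aa31ce4e",
}

# Assumed triage threshold. Shannon entropy of a byte stream is at most 8.0 bits
# per byte; whole-file values above roughly 7.2 usually indicate packed or
# encrypted content, while a value in the high 6s is typical of a plain executable
# that carries compressed resources.
PACKED_THRESHOLD = 7.2


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the whole file, lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known(data: bytes, known: dict = KNOWN_HASHES) -> list:
    """Return the algorithms for which `data` matches the known indicators.
    Comparison is case-insensitive because scanners print hex digests in mixed case."""
    computed = file_hashes(data)
    return [alg for alg, digest in known.items() if computed[alg] == digest.lower()]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for a
    perfectly uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, known: dict = KNOWN_HASHES) -> dict:
    """Combine the hash match and the entropy check into one triage record."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "ioc_match": matches_known(data, known),
        "entropy": round(ent, 4),
        "likely_packed": ent > PACKED_THRESHOLD,
    }


def triage_file(path: str, known: dict = KNOWN_HASHES) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read(), known)


if __name__ == "__main__":
    # Usage: python triage.py <file>...
    # A copy of the reported build would show ioc_match == ['md5', 'sha1', 'sha256'];
    # any other file (including a rebuilt or re-signed variant) matches nothing.
    for path in sys.argv[1:]:
        print(path, triage_file(path))
```

A hash match identifies only this exact build: a recompile or re-sign changes all three digests, so for hunting related samples the signer's certificate serial number listed further down is a more durable pivot than the file hashes.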

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AppTrailers

Command:
C:\users\{user}\appdata\roaming\apptrailers\apptrailers.exe su
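The Run-key entry above is the kind of thing a responder checks first on a suspect host. The following Python script is an added example, not code from this report or from the publisher: it parses a registry export of the HKLM and HKCU Run keys (the text format written by `reg export`, decoded to a string), splits each command into executable and arguments, and flags entries that either match the AppTrailers indicator from this page or point into a user-writable directory. The list of user-writable directory markers and the sample export are constructed assumptions; the AppTrailers line mirrors the command shown above.

```python
import re

# Persistence indicators copied from the report above.
KNOWN_RUN_VALUE = "AppTrailers"
KNOWN_EXE_NAME = "apptrailers.exe"

# Assumed: directories an ordinary user can write to. A Run entry pointing here
# executes at every logon without an admin-only install step, a common PUP pattern,
# but some legitimate per-user installers (cloud sync clients, chat apps) do the same.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\temp\\",
    "\\users\\public\\",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with .reg escaping (backslashes doubled, quotes escaped as \")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, command) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def split_command(cmd: str):
    """Split a Run command into (executable path, arguments). Handles quoted paths
    and unquoted paths that contain spaces by ending the path at the first '.exe'
    that sits at a token boundary."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    low = cmd.lower()
    idx = low.find(".exe")
    while idx != -1:
        end = idx + 4
        if end == len(cmd) or cmd[end] == " ":
            return cmd[:end], cmd[end:].strip()
        idx = low.find(".exe", end)
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def audit_run_keys(text: str) -> list:
    """Return the Run entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for key, name, cmd in parse_reg_export(text):
        exe, args = split_command(cmd)
        exe_low = exe.lower()
        reasons = []
        if name.lower() == KNOWN_RUN_VALUE.lower() or exe_low.endswith("\\" + KNOWN_EXE_NAME):
            reasons.append("matches known AppTrailers indicator")
        if any(marker in exe_low for marker in USER_WRITABLE_MARKERS):
            reasons.append("executable lives in a user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "args": args, "reasons": reasons})
    return findings


# Constructed sample export (not a real machine's registry).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"AppTrailers"="C:\\users\\alice\\appdata\\roaming\\apptrailers\\apptrailers.exe su"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f["name"], "->", f["exe"], f["args"], "|", "; ".join(f["reasons"]))
```

On a live host, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` writes the export as UTF-16 with a byte-order mark, so open it with `encoding="utf-16"` before passing the text in. The user-writable rule is deliberately noisy (the constructed OneDrive entry trips it too); it is a triage lead, while the name or path match against the indicator on this page is the high-confidence signal.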


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 162-180.amazon.com  (207.171.162.180:80)

TCP (HTTP):
Connects to 206-121.amazon.com  (72.21.206.121:80)

TCP (HTTP SSL):
Connects to server-54-239-132-190.sfo9.r.cloudfront.net  (54.239.132.190:443)

TCP (HTTP SSL):
Connects to server-54-192-232-134.nrt12.r.cloudfront.net  (54.192.232.134:443)

TCP (HTTP):
Connects to server-54-192-149-169.sin2.r.cloudfront.net  (54.192.149.169:80)

TCP (HTTP):
Connects to server-54-192-147-71.sfo4.r.cloudfront.net  (54.192.147.71:80)

TCP (HTTP):
Connects to s3-1.amazonaws.com  (72.21.207.136:80)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:443)

TCP (HTTP SSL):
Connects to r2.ycpi.vip.bf1.yahoo.net  (98.139.199.205:443)

TCP (HTTP SSL):
Connects to ox-173-241-240-143.xa.dc.openx.org  (173.241.240.143:443)

TCP (HTTP SSL):
Connects to one.progmxs.pxlsrv.net  (8.12.226.44:443)

TCP (HTTP SSL):
Connects to EFFILIATIONLB.CLICHY.ECRITEL.NET  (213.182.38.143:443)

TCP (HTTP SSL):
Connects to ec2-54-228-209-199.eu-west-1.compute.amazonaws.com  (54.228.209.199:443)

TCP (HTTP):
Connects to ec2-54-221-206-77.compute-1.amazonaws.com  (54.221.206.77:80)

TCP (HTTP SSL):
Connects to ec2-52-72-62-214.compute-1.amazonaws.com  (52.72.62.214:443)

TCP (HTTP SSL):
Connects to ec2-52-49-254-226.eu-west-1.compute.amazonaws.com  (52.49.254.226:443)

TCP (HTTP SSL):
Connects to a92-122-181-82.deploy.akamaitechnologies.com  (92.122.181.82:443)

TCP (HTTP SSL):
Connects to a92-122-180-168.deploy.akamaitechnologies.com  (92.122.180.168:443)

TCP (HTTP):
Connects to a88-221-113-178.deploy.akamaitechnologies.com  (88.221.113.178:80)

TCP (HTTP):

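Most of the hosts in the list above are shared CDN, cloud and advertising infrastructure (Amazon, CloudFront, Akamai, Yahoo, OpenX), which any browser on the network also talks to, so matching them naively against traffic logs would page an analyst constantly. The following Python matcher is an added example, not code from this report: it indexes a subset of the indicators above by hostname and by IP:port, runs them over constructed proxy-log lines, and tiers each hit by fidelity so that only the non-shared hosts drive a verdict on their own. The suffix list that defines shared infrastructure, the log format, the sample lines and the corroboration threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Network indicators copied from the report (hostname, ip, port). This is a subset
# of the list above; the summary host has no IP on the page, so it is None here.
INDICATORS = [
    ("207.snat-111-91-127.hns.net.in", None, 443),
    ("162-180.amazon.com", "207.171.162.180", 80),
    ("server-54-239-132-190.sfo9.r.cloudfront.net", "54.239.132.190", 443),
    ("s3-1.amazonaws.com", "72.21.207.136", 80),
    ("ox-173-241-240-143.xa.dc.openx.org", "173.241.240.143", 443),
    ("one.progmxs.pxlsrv.net", "8.12.226.44", 443),
    ("EFFILIATIONLB.CLICHY.ECRITEL.NET", "213.182.38.143", 443),
    ("ec2-54-221-206-77.compute-1.amazonaws.com", "54.221.206.77", 80),
    ("a88-221-113-178.deploy.akamaitechnologies.com", "88.221.113.178", 80),
]

# Assumed: domains that are shared CDN / cloud / search infrastructure. A hit on
# these is weak evidence by itself; a hit on anything else in the set is a strong lead.
SHARED_INFRA_SUFFIXES = (".amazon.com", ".amazonaws.com", ".cloudfront.net",
                         ".akamaitechnologies.com", ".yahoo.com", ".yahoo.net")

# Assumed: this many low-fidelity hits from one client are worth correlating with
# host evidence (the Run key, the file hash) before concluding anything.
CORROBORATE_AT = 3

# Assumed log format: "<timestamp> <src_ip> <dst_host_or_ip> <dst_port>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def fidelity(host: str) -> str:
    return "low" if host.lower().endswith(SHARED_INFRA_SUFFIXES) else "high"


def build_index(indicators):
    """Hostname matches ignore the port (a domain is specific by itself); IP matches
    require the exact port, because CDN addresses are shared by many tenants."""
    by_host, by_ip = {}, {}
    for host, ip, port in indicators:
        by_host[host.lower()] = host
        if ip:
            by_ip[(ip, port)] = host
    return by_host, by_ip


def match_log(lines, indicators=INDICATORS) -> dict:
    """Map each source IP to the list of indicator hits found in its log lines."""
    by_host, by_ip = build_index(indicators)
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        host = by_host.get(dst.lower()) or by_ip.get((dst, int(port)))
        if host:
            hits[src].append({"ts": ts, "indicator": host, "fidelity": fidelity(host)})
    return dict(hits)


def verdict(hits_for_src: list) -> str:
    highs = sum(1 for h in hits_for_src if h["fidelity"] == "high")
    lows = len(hits_for_src) - highs
    if highs:
        return "investigate"
    if lows >= CORROBORATE_AT:
        return "corroborate"
    return "noise"


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "2017-02-01T17:54:36Z 10.0.0.5 one.progmxs.pxlsrv.net 443",
    "2017-02-01T17:54:37Z 10.0.0.5 54.239.132.190 443",
    "2017-02-01T17:54:38Z 10.0.0.5 s3-1.amazonaws.com 80",
    "2017-02-01T17:55:01Z 10.0.0.9 72.21.207.136 80",
    "2017-02-01T17:55:02Z 10.0.0.9 162-180.amazon.com 80",
    "2017-02-01T17:55:03Z 10.0.0.9 88.221.113.178 80",
    "2017-02-01T17:56:00Z 10.0.0.7 www.example.com 443",
    "2017-02-01T17:56:01Z 10.0.0.7 54.239.132.190 80",
]


def triage_log(lines=SAMPLE_LOG, indicators=INDICATORS) -> dict:
    hits = match_log(lines, indicators)
    return {src: {"hits": len(h), "verdict": verdict(h)} for src, h in hits.items()}


if __name__ == "__main__":
    for src, result in triage_log().items():
        print(src, result)
```

With the sample lines, 10.0.0.5 is flagged for investigation because of the pxlsrv.net hit, 10.0.0.9 only accumulates CDN hits and is marked for corroboration, and 10.0.0.7 produces nothing: its CloudFront connection is on port 80 while the indicator is port 443, and on a shared address that distinction is the whole point.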
Remove apptrailers.exe - Powered by Reason Core Security