home

bhma4nsmf.exe

Xin Zhou

The executable bhma4nsmf.exe has been detected as malware by 1 anti-virus scanner. This is a setup program which is used to install the application. The file has been seen being downloaded from dgkytklfjrqkb.cloudfront.net. While running, it connects to the Internet address server-54-192-14-207.ams1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Xin Zhou  (signed and verified)

MD5:
da0abfb6d102eb352d570a262884ec3f

SHA-1:
bbe5f9349ad8c57f61911dc940666a60e6932eee

SHA-256:
2731ac37ebbfa7157eeb039dcfab929347c3bea2d18955e90d70fe45019c98d2

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
5/13/2024 1:24:15 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
17.2.7.21

File size:
418.5 KB (428,592 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\bhma4nsmf.exe

Digital Signature
Signed by:
Xin Zhou

Authority:
thawte, Inc.

Valid from:
1/21/2017 4:00:00 PM

Valid to:
3/22/2017 4:59:59 PM

Subject:
CN=Xin Zhou, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
35F9E707577DD44B242082BD796F64CF

File PE Metadata
Compilation timestamp:
1/19/2017 6:59:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x3C1E

Entry point:
E8, 8D, 1D, 00, 00, E9, E9, A9, 00, 00, 55, 8B, EC, E8, 7E, D8, FF, FF, 83, 7D, 08, 00, 74, 05, E8, 3F, 29, 00, 00, DB, E2, 5D, C3, 55, 8B, EC, 83, EC, 1C, 53, 8B, 5D, 10, 33, D2, B8, 4E, 40, 00, 00, 56, 57, 89, 45, FC, 89, 13, 89, 53, 04, 89, 53, 08, 39, 55, 0C, 0F, 86, 3C, 01, 00, 00, 8B, CA, 89, 55, 10, 89, 4D, F4, 89, 55, F8, 8B, 55, F4, 8D, 7D, E4, 8B, F3, 8B, C1, C1, E8, 1F, 03, D2, A5, A5, A5, 8B, 75, 10, 8B, CE, 8B, 7D, F8, 03, F6, 0B, F0, C1, E9, 1F, 03, FF, 8B, C2, 0B, F9, C1, E8, 1F, 8B, CE, 03...
 
[+]

Entropy:
7.8009  (probably packed)

Code size:
375.5 KB (384,512 bytes)

The file bhma4nsmf.exe has been seen being distributed by the following URL.

http://dgkytklfjrqkb.cloudfront.net/.../yomz.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-14-207.ams1.r.cloudfront.net  (54.192.14.207:80)

TCP (HTTP):
Connects to server-52-85-221-248.cdg50.r.cloudfront.net  (52.85.221.248:80)

TCP (HTTP):
Connects to server-54-230-141-8.sfo5.r.cloudfront.net  (54.230.141.8:80)

TCP (HTTP):
Connects to server-52-85-63-73.lhr50.r.cloudfront.net  (52.85.63.73:80)

TCP (HTTP):
Connects to server-54-192-14-212.ams1.r.cloudfront.net  (54.192.14.212:80)

TCP (HTTP):
Connects to server-52-85-221-6.cdg50.r.cloudfront.net  (52.85.221.6:80)

TCP (HTTP):
Connects to server-52-85-221-114.cdg50.r.cloudfront.net  (52.85.221.114:80)

TCP (HTTP):
Connects to server-54-230-141-82.sfo5.r.cloudfront.net  (54.230.141.82:80)

TCP (HTTP):
Connects to server-52-85-63-115.lhr50.r.cloudfront.net  (52.85.63.115:80)

Remove bhma4nsmf.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.