cachemgr.exe

The executable cachemgr.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘StubPath’. While running, it connects to the Internet address windowsruby.in on port 80 using the HTTP protocol.
MD5:
e4b0fbc37bb01b37e3a931b2c9b02c2b

SHA-1:
0af2034763d0f226bc17ed91fe4b2fd98c3d0512

SHA-256:
d84556c9343943fba49d69e53c4fd6fb9a63873ed09d8fd7e43aab755e31ac4a

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/24/2024 5:41:20 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Installer (M)

Engine version:
16.7.3.19

File size:
219 KB (224,256 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\cachemgr.exe

File PE Metadata
Compilation timestamp:
6/18/2007 6:24:14 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:yX2tAh15hxrmf7VlBSBzD7TbNau3doRzEg0H86Lx8CAcf+SuqGMLefNe6WE5RXQ:Qv5hm7VmBP7PtReQJUhMLgEE5RX

Entry address:
0x12ECC

Entry point:
E8, 72, 27, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 78, BD, 41, 00, 89, 0D, 74, BD, 41, 00, 89, 15, 70, BD, 41, 00, 89, 1D, 6C, BD, 41, 00, 89, 35, 68, BD, 41, 00, 89, 3D, 64, BD, 41, 00, 66, 8C, 15, 90, BD, 41, 00, 66, 8C, 0D, 84, BD, 41, 00, 66, 8C, 1D, 60, BD, 41, 00, 66, 8C, 05, 5C, BD, 41, 00, 66, 8C, 25, 58, BD, 41, 00, 66, 8C, 2D, 54, BD, 41, 00, 9C, 8F, 05, 88, BD, 41, 00, 8B, 45, 00, A3, 7C, BD, 41, 00, 8B, 45, 04, A3, 80, BD, 41, 00, 8D, 45, 08, A3, 8C, BD, 41...

Entropy:
4.4836

Code size:
95 KB (97,280 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StubPath

Command:
"C:\ProgramData\cachemgr.exe" -as


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to windowsruby.in  (207.46.197.32:80)

TCP (HTTP):
Connects to windowsnt.org.bz  (207.46.232.182:80)

TCP (HTTP):
Connects to lax02s19-in-f19.1e100.net  (74.125.224.115:80)

TCP (HTTP):
Connects to lax02s19-in-f18.1e100.net  (74.125.224.114:80)

TCP (HTTP):
Connects to lax02s19-in-f17.1e100.net  (74.125.224.113:80)

Powered by Reason Core Security