ContentFinder.exe

ContentFinder

ContentFinder Company

The executable ContentFinder.exe, described in its version information as “ContentFinder application”, has been detected as malware by 9 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘ContentFinder’. While running, it connects to the Internet address customer.worldstream.nl on port 80 using the HTTP protocol.
Publisher:
ContentFinder Company

Product:
ContentFinder

Description:
ContentFinder application

Version:
2.8.2.0

MD5:
4768d425fbd33dfbeeedc8d0840caa6d

SHA-1:
154ec81cf6bf342aab5422dcb0df2de725354ee5

SHA-256:
9e4d7fae7f66ba6f5c2e80e5d396d692478f5a07080b45f85b9f321924c91009

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
11/23/2017 10:15:56 AM UTC

Scan engine               Detection                    Engine version
avast!                    Win32:Dropper-gen [Drp]      2014.9-141006
ESET NOD32                Win32/SoundFrost             8.10508
K7 AntiVirus              Trojan                       13.183.13550
K7 Gateway Antivirus      Trojan                       13.183.13550
McAfee                    Artemis!4768D425FBD3         5600.6986
McAfee Web Gateway        Artemis                      7.6986
Norman                    Suspicious_Gen4.GXGKR        11.20141006
Sophos                    Generic PUA BF               4.98
Trend Micro House Call    Suspicious_GEN.F47V0713      7.2.279

File size:
158.5 KB (162,304 bytes)

Product version:
2.8.2.0

Copyright:
Copyright (C) 2005-2014

Original file name:
ContentFinder.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\local\contentfinder.exe

File PE Metadata
Compilation timestamp:
7/7/2014 10:42:54 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:Nea0zhjX7hORyOAaBi7gdaV0co4815oWmiXTbpA2qT2FNGPOx5uNEx26jBifpd:whjX7hORyOAaBi7gQVormX2OG4

Entry address:
0x3124

Entry point:
E8, 8A, 04, 00, 00, E9, 63, FD, FF, FF, FF, 25, AC, 40, 40, 00, FF, 25, A8, 40, 40, 00, FF, 25, A4, 40, 40, 00, 68, 99, 31, 40, 00, 64, FF, 35, 00, 00, 00, 00, 8B, 44, 24, 10, 89, 6C, 24, 10, 8D, 6C, 24, 10, 2B, E0, 53, 56, 57, A1, 60, 91, 40, 00, 31, 45, FC, 33, C5, 50, 89, 65, E8, FF, 75, F8, 8B, 45, FC, C7, 45, FC, FE, FF, FF, FF, 89, 45, F8, 8D, 45, F0, 64, A3, 00, 00, 00, 00, C3, 8B, 4D, F0, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, C3, 8B, FF, 55, 8B, EC, FF, 75, 14, FF, 75, 10...

Entropy:
6.0760

Code size:
12 KB (12,288 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ContentFinder

Command:
C:\users\{user}\appdata\local\contentfinder.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to customer.worldstream.nl  (217.23.7.144:80)

TCP (HTTP):
Connects to scdc.worra.com  (122.10.84.105:80)

TCP (HTTP):
Connects to server31.worldstream.nl  (93.190.141.64:80)

TCP (HTTP):
Connects to a23-37-209-181.deploy.static.akamaitechnologies.com  (23.37.209.181:80)

TCP (HTTP):
Connects to server-52-84-179-151.gru50.r.cloudfront.net  (52.84.179.151:80)

TCP (HTTP):
Connects to 26.149.96.66.static.eigbox.net  (66.96.149.26:80)

TCP (HTTP):
Connects to srv1-web.debug-informatique.com  (51.254.148.250:80)

TCP (HTTP):
Connects to md-in-16.webhostbox.net  (103.21.59.24:80)

TCP (HTTP):
Connects to ip-50-63-202-36.ip.secureserver.net  (50.63.202.36:80)

TCP (HTTP):
