CureTraffic.exe

CureTraffic

Vitbian telecom sl

The application CureTraffic.exe by Vitbian telecom sl has been detected as adware by 2 anti-malware scanners. It is set to execute automatically when any user logs into Windows (through the local user Run registry setting) under the name ‘CureTraffic’. This backdoor trojan may be used to conduct distributed denial of service attacks, to install additional trojans or other forms of malicious software, and to steal your sensitive information. While running, it connects to the Internet address unknown.prolexic.com on port 80 using the HTTP protocol.
Publisher:
Vitbian telecom S.L (signed by Vitbian telecom sl)

Product:
CureTraffic

Version:
1.0.0.7

MD5:
c79ba30055a34f4f7f322a4d4dc2d7f6

SHA-1:
84f3d86a22c80e725d440dfe3b98a123720c766a

SHA-256:
075dc522127ed62457871ddfa85a69e2715d64f15ef5aa4ce6dd92da0a569b7e

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
4/19/2024 11:37:59 PM UTC

Scan engine                    Detection                        Engine version
Microsoft Security Essentials  Backdoor:MSIL/Bladabindi.AA      1.165.247.01
Reason Heuristics              PUP.Startup.Vitbiantelecomsl.L   14.4.28.10

File size:
750.9 KB (768,872 bytes)

Product version:
1.0.0.7

Copyright:
Copyright © 2013

Original file name:
CureTraffic.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\curetraffic\curetraffic.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/1/2013 1:00:00 AM

Valid to:
2/2/2014 12:59:59 AM

Subject:
CN=Vitbian telecom sl, O=Vitbian telecom sl, STREET=calle durango 45, L=madrid, S=madrid, PostalCode=28023, C=ES

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2B1E042090F8B8A605FB4A8E606FAF59

File PE Metadata
Compilation timestamp:
5/2/2013 6:03:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:mxZPUeB/OVBh4N8YA4N8YTgq1G4N8YZzjlKFeEFVE4N8Y84N84g:mxZP9OVBh4NxA4NxTN1G4Nxp084Nx84k

Entry address:
0xA98FE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
670.5 KB (686,592 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CureTraffic

Command:
"C:\Program Files\curetraffic\curetraffic.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to a130-206-192-8.deploy.akamaitechnologies.com (130.206.192.8:80)

TCP (HTTP):
Connects to unknown.prolexic.com (72.52.4.90:80)

TCP (HTTP):
Connects to a88-221-52-96.deploy.akamaitechnologies.com (88.221.52.96:80)

TCP (HTTP):
Connects to lb-182-207.above.com (103.224.182.207:80)

TCP (HTTP):
Connects to ocsp.comodoca.com (178.255.83.1:80)

Remove CureTraffic.exe - Powered by Reason Core Security