dailybee.exe

DailyWiki

The executable dailybee.exe has been flagged by 1 of 68 anti-virus scanners, a heuristic potentially-unwanted-program (PUP) detection rather than a named malware family. It is set to run automatically when any user logs into Windows, through the machine-wide Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'DailyBee'. While running, it connects to upload-lb.esams.wikimedia.org on port 443, among the other hosts listed below.
Publisher:
DailyWiki  (signed; the certificate is self-signed, see Digital Signature below)

MD5:
79a02585027b5e313a4d53f457461458

SHA-1:
c5aa55bf80bb4dbc5aa4ec21561f903968cbdd22

SHA-256:
51d04bff0ea23a860de54c33a67345f8131fa373503d1d70453c7b0ea21f98aa

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/26/2024 11:07:57 AM UTC

Scan engine          Detection   Engine version
Reason Heuristics    PUP (M)     16.9.27.10

File size:
45.6 MB (47,813,400 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\dailybee\dailybee.exe

Digital Signature
Signed by:

Authority:
DailyWiki

Valid from:
9/19/2015 3:46:51 PM

Valid to:
9/16/2025 3:46:51 PM

Subject:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US

Issuer:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US
(Subject and Issuer are identical, so the certificate is self-signed; "Some-State" is the placeholder value OpenSSL offers for the state field when a request is generated interactively. Windows will not report this signature as trusted unless the certificate has been installed as a trusted root, so "signed" here only proves the file is unmodified since signing, not who signed it.)

Serial number:
00DE81C7E6A224F568

File PE Metadata
Compilation timestamp:
2/20/2016 9:13:51 PM

OS version (minimum required, from the PE optional header):
5.1 (Windows XP)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:+uK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQO2tw:HwC64r1c6ZgnUSrLpbUAdBUQq6/BLqyw

Entry address:
0x1C9A031

Entry point (first bytes of code at the entry address; the leading E8 xx xx xx xx / E9 xx xx xx xx call-then-jump pair is the standard MSVC CRT startup stub, consistent with linker version 12.0, i.e. Visual Studio 2013):
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 

Entropy (Shannon, bits per byte; 8.0 is the maximum, and values close to it suggest packed or encrypted content):
6.8800

Code size:
34.9 MB (36,634,112 bytes)
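How the File PE Metadata fields above are read from a PE header, as an added example that is not code from the original report, from Reason Core Security or from DailyWiki: it parses the COFF and optional headers for the compilation timestamp, minimum OS version, bitness, subsystem, linker version, entry address and code size, and computes the Shannon entropy the report lists. The image it parses is a constructed, minimal PE32 header (no sections, no code) whose field values were chosen to reproduce the report's figures; it is not the real dailybee.exe, which would be read from disk.

```python
"""Read the "File PE Metadata" fields from a PE header.

Added example for this report, not code from Reason Core Security or DailyWiki.
build_constructed_image() returns a minimal, constructed PE32 header (no
sections, no code) whose fields were chosen to reproduce the report's values;
for a real file, pass the bytes read from disk to parse_pe_metadata().
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MAGIC = {0x10B: "Win32", 0x20B: "Win64"}  # PE32 vs PE32+ optional header


def parse_pe_metadata(image):
    """Return the fields the report lists, derived from the COFF and optional headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, symbol info, SizeOfOptionalHeader, Characteristics
    _machine, _nsections, timestamp, _symtab, _nsyms, _opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, maj_link, min_link = struct.unpack_from("<HBB", image, opt)
    if magic not in MAGIC:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_code, _init, _uninit, entry_rva = struct.unpack_from("<IIII", image, opt + 4)
    if magic == 0x10B:  # PE32: BaseOfCode, BaseOfData, then a 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    else:               # PE32+: BaseOfCode, then a 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    # From SectionAlignment (+32) onward the layout is the same for both formats.
    (_sec_align, _file_align, maj_os, min_os, _maj_img, _min_img, _maj_sub, _min_sub,
     _w32ver, _size_image, _size_hdrs, _checksum, subsystem) = \
        struct.unpack_from("<IIHHHHHHIIIIH", image, opt + 32)
    return {
        # TimeDateStamp is seconds since the Unix epoch, written by the linker
        "compilation_timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "os_version": "%d.%d" % (maj_os, min_os),   # minimum OS the loader accepts
        "os_bitness": MAGIC[magic],
        "subsystem": SUBSYSTEMS.get(subsystem, "unknown (%d)" % subsystem),
        "linker_version": "%d.%d" % (maj_link, min_link),
        "entry_address": image_base + entry_rva,      # VA = ImageBase + AddressOfEntryPoint
        "code_size": size_of_code,
    }


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_constructed_image():
    """Constructed minimal PE32 header (not the real dailybee.exe) carrying the report's values."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 1456002831, 0, 0, 224, 0x0102)  # i386, 2016-02-20 21:13:51 UTC
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 12, 0,                  # PE32, linker 12.0
                      36634112, 0, 0,                # SizeOfCode (36,634,112 bytes)
                      0x189A031, 0x1000, 0,          # AddressOfEntryPoint (RVA), BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,       # ImageBase, SectionAlignment, FileAlignment
                      5, 1, 0, 0, 5, 1,              # OS 5.1, image 0.0, subsystem 5.1
                      0, 0x2300000, 0x400, 0,        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                          # Subsystem = Windows GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + opt + b"\0" * 128  # 16 empty data directories


if __name__ == "__main__":
    image = build_constructed_image()
    for key, value in parse_pe_metadata(image).items():
        print("%-22s %s" % (key, hex(value) if key == "entry_address" else value))
    print("entropy of constructed header: %.4f" % shannon_entropy(image))
```

Only the header fields are needed for the report's metadata, which is why no section table is required; the same parser applied to the real file would also reveal whether the entry address falls inside a named code section, which the report does not state.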

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
DailyBee

Command:
C:\users\{user}\appdata\roaming\dailybee\dailybee.exe su
({user} is the report's placeholder for the account name. Note that this machine-wide Run value points into a single user's roaming profile, and the "su" switch is passed at every logon.)
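A triage helper for the indicators above, as an added example that is not part of the original report or of the DailyWiki software: it splits Run-key values into executable and arguments, flags entries launched from a roaming profile or carrying the report's value name, and compares a file's digests against the report's MD5, SHA-1 and SHA-256. The Run values and the file bytes are constructed stand-ins; on a real host the values would be read from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via winreg and the bytes from the file on disk.

```python
"""Triage the persistence entry and file hashes listed in this report.

Added example for this report, not code from Reason Core Security or DailyWiki.
SAMPLE_RUN_VALUES and the bytes passed to matches_report() are constructed
stand-ins; on a real host the values come from winreg (the HKLM Run key) and
the bytes from the file on disk.
"""
import hashlib
import re

# Indicators copied from the report.
REPORT_HASHES = {
    "md5": "79a02585027b5e313a4d53f457461458",
    "sha1": "c5aa55bf80bb4dbc5aa4ec21561f903968cbdd22",
    "sha256": "51d04bff0ea23a860de54c33a67345f8131fa373503d1d70453c7b0ea21f98aa",
}
REPORT_RUN_NAME = "DailyBee"

# A machine-wide Run value pointing into a per-user roaming profile is worth a look.
ROAMING_RE = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)


def split_run_command(command):
    """Split a Run-key value into (executable, arguments).

    Windows does not require the path to be quoted: a quoted command ends at the
    closing quote, an unquoted one at the first space (the report's value is unquoted).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:                     # unterminated quote: treat the rest as the path
            return command[1:], []
        exe, rest = command[1:end], command[end + 1:]
    else:
        exe, _, rest = command.partition(" ")
    return exe, rest.split()


def suspicious_run_entries(entries):
    """Flag Run values whose name matches the report or whose executable sits under AppData\\Roaming."""
    hits = []
    for name, command in entries.items():
        exe, args = split_run_command(command)
        reasons = []
        if name.lower() == REPORT_RUN_NAME.lower():
            reasons.append("value name matches the report")
        if ROAMING_RE.search(exe):
            reasons.append("executable under AppData\\Roaming")
        if reasons:
            hits.append({"name": name, "exe": exe, "args": args, "reasons": reasons})
    return hits


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of a file's bytes, lower-case hex as in the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data):
    """True only when all three digests match; an MD5 match alone is not a reliable identity."""
    digests = file_hashes(data)
    return all(digests[algo] == value.lower() for algo, value in REPORT_HASHES.items())


# Constructed sample Run values: one benign system entry and one shaped like the report's.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r'"C:\Windows\System32\SecurityHealthSystray.exe"',
    "DailyBee": r"C:\users\{user}\appdata\roaming\dailybee\dailybee.exe su",
}

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(hit)
    print("stand-in bytes match report hashes:", matches_report(b"constructed stand-in, not the real file"))
```

Requiring all three digests to agree costs nothing and avoids acting on an MD5 collision; the roaming-profile check is a heuristic and will also flag legitimate per-user installers (Electron apps, for instance), so treat it as a prompt to look, not as a verdict.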


The executing file has been seen to make the following network connections in live environments. Most destinations are reverse-DNS names of shared CDN and cloud-hosting addresses (CloudFront, Akamai, Amazon EC2, Google Cloud), which identify the hosting provider rather than the service behind it and are weak indicators on their own; the two wikimedia.org endpoints are Wikimedia's Amsterdam (esams) text and upload front ends, and the openx.org hosts belong to an advertising exchange. Four entries in the original report record a protocol but no destination and are kept as such.

Protocol          Host                                                    Address
TCP (HTTP SSL)    upload-lb.esams.wikimedia.org                           91.198.174.208:443
TCP (HTTP SSL)    text-lb.esams.wikimedia.org                             91.198.174.192:443
TCP (HTTP)        server-54-192-129-83.ams50.r.cloudfront.net             54.192.129.83:80
TCP (HTTP)        ox-173-241-240-143.xa.dc.openx.org                      173.241.240.143:80
TCP (HTTP)        img.joshinweb.jp                                        210.191.18.50:80
TCP (HTTP)        ec2-54-164-175-112.compute-1.amazonaws.com              54.164.175.112:80
TCP (HTTP)        (destination not recorded in the report)
TCP (HTTP SSL)    (destination not recorded in the report)
TCP (HTTP SSL)    ec2-52-28-153-152.eu-central-1.compute.amazonaws.com    52.28.153.152:443
TCP (HTTP)        ec2-52-2-249-126.compute-1.amazonaws.com                52.2.249.126:80
TCP (HTTP)        (destination not recorded in the report)
TCP (HTTP SSL)    cache.google.com                                        195.249.145.94:443
TCP (HTTP)        a96-7-67-28.deploy.akamaitechnologies.com               96.7.67.28:80
TCP (HTTP)        (destination not recorded in the report)
TCP (HTTP)        a195-249-50-56.deploy.akamaitechnologies.com            195.249.50.56:80
TCP (HTTP)        a195-249-26-34.deploy.akamaitechnologies.com            195.249.26.34:80
TCP (HTTP)        90.113.148.146.bc.googleusercontent.com                 146.148.113.90:80
TCP (HTTP)        146.106.199.104.bc.googleusercontent.com                104.199.106.146:80
TCP (HTTP SSL)    server-54-192-97-90.arn1.r.cloudfront.net               54.192.97.90:443
TCP (HTTP)        ox-173-241-240-220.xa.dc.openx.org                      173.241.240.220:80

Remove dailybee.exe - Powered by Reason Core Security