downbook.exe

The executable downbook.exe is detected as malware by 14 of the 68 anti-virus scanners listed below, most of them classifying it as a Banload-family trojan downloader. It is set to start automatically whenever the user logs into Windows, via the current-user Run registry key, under the value name 'DownBook'. According to AVG, this software downloads additional adware offers during setup. While running, it connects over HTTP (TCP port 80) to mc.yandex.ru, among the other hosts listed under network communications below.
MD5:
1b6299916be1b215848b12c39cb1f2d3

SHA-1:
d7a361bee4b6c9826d580556f00f12c3b8269fd4

SHA-256:
512adf3431d9112d8e274b9273d89c2718885acbe6e2611daeec532ce32b8795

Scanner detections:
14 / 68

Status:
Malware

Analysis date:
4/26/2024 6:52:56 PM UTC

Scan engine               Detection                            Engine version
Lavasoft Ad-Aware         Trojan.GenericKD.1696618             921
avast!                    Win32:Downloader-UJJ [Trj]           2014.9-140728
AVG                       Downloader.Banload2                  2015.0.3399
Baidu Antivirus           Trojan.Win32.Banload                 4.0.3.14728
Bitdefender               Trojan.GenericKD.1696618             1.0.20.1045
Bkav FE                   W32.Clod6c7.Trojan                   1.3.0.4959
IKARUS anti.virus         Trojan-Downloader.Win32.Banload      t3scan.1.6.1.0
Kaspersky                 Trojan-Downloader.Win32.Banload      14.0.0.3490
McAfee                    Artemis!1B6299916BE1                 5600.7055
nProtect                  Trojan.GenericKD.1696618             14.06.10.01
Qihoo 360 Security        HEUR/Malware.QVM11.Gen               1.0.0.1015
Quick Heal                TrojanDownloader.Banload.r3          7.14.14.00
Trend Micro House Call    TROJ_DLOAD.AGB                       7.2.209
Trend Micro               TROJ_DLOAD.AGB                       10.465.28

File size:
254 KB (260,096 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\downbook\downbook.exe

File PE Metadata
Compilation timestamp:
8/2/2013 8:42:21 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:BjvBIsSfYm/+b3kzMBQARPF+TYF4GWcxUS2o:Bjmsq/+jkqNF4GpV2

Entry address:
0xCD7C0

Entry point:
60, BE, 00, F0, 48, 00, 8D, BE, 00, 20, F7, FF, C7, 87, F0, D9, 0A, 00, 5D, 00, EA, 18, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...

Entropy:
7.9126

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.22 (Delphi) stub

Code size:
252 KB (258,048 bytes)
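The entropy of 7.91 together with the UPX stub means the 252 KB of code is stored compressed, so byte-level or string signatures matched against the file as it sits on disk will mostly miss; unpack first, then hunt. The following added example (it is not Reason Core's tooling and not code from the sample) shows the checks behind the hash, entropy and packer fields above: hashing, Shannon entropy in bits per byte, and reading the section names out of the PE section table, where an unmodified UPX stub leaves sections named UPX0 and UPX1. The PE it parses is a constructed minimal header built by build_fake_pe, so its hashes will not match the IOCs listed for downbook.exe; the 7.0 entropy threshold is an assumed triage cut-off, not a value from this page.

```python
"""Static triage of a PE file: hashes, Shannon entropy, UPX section names.

Added example, not Reason Core Security's code. The sample PE is constructed
in build_fake_pe() and is not downbook.exe.
"""
import hashlib
import math
import struct
from collections import Counter

# Hashes listed on this page for downbook.exe (lowercase hex).
KNOWN_BAD = {
    "md5": "1b6299916be1b215848b12c39cb1f2d3",
    "sha256": "512adf3431d9112d8e274b9273d89c2718885acbe6e2611daeec532ce32b8795",
}
ENTROPY_THRESHOLD = 7.0  # assumed triage cut-off; packed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(num_sections):
        off = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Summarise the fields a scanner page reports and flag the obvious signals."""
    names = pe_section_names(data)
    entropy = shannon_entropy(data)
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "md5": md5,
        "sha256": sha256,
        "entropy": round(entropy, 4),
        "sections": names,
        # UPX keeps its signature section names unless the stub was deliberately renamed.
        "upx_sections": any(n.startswith("UPX") for n in names),
        "high_entropy": entropy > ENTROPY_THRESHOLD,
        "hash_match": md5 == KNOWN_BAD["md5"] or sha256 == KNOWN_BAD["sha256"],
    }


def build_fake_pe(section_names, payload: bytes = b"") -> bytes:
    """Constructed minimal PE (headers + section table only) for offline demonstration."""
    pe_off = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\x00"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names
    )
    return dos + b"PE\x00\x00" + coff + sections + payload


if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"], bytes(range(256)) * 64)
    print(triage(sample))
```

On a real sample, read the file with open(path, "rb") and pass the bytes to triage(); a hash match against KNOWN_BAD is conclusive, while high entropy and UPX section names only say "packed" and call for unpacking before further static work.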

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
DownBook

Command:
"C:\users\{user}\appdata\local\downbook\downbook.exe" 1bebaadd86922ef7eacb5f81924d5c7d 6


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mc.yandex.ru  (87.250.250.119:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

TCP (HTTP):
Connects to cities.craigslist.org  (208.82.236.242:80)

TCP:
Connects to bugs.uaservers.net  (185.14.28.54:555)

TCP (HTTP):
Connects to a23-72-224-209.deploy.static.akamaitechnologies.com  (23.72.224.209:80)

TCP (HTTP):
Connects to a23-72-224-200.deploy.static.akamaitechnologies.com  (23.72.224.200:80)

TCP (HTTP):
Connects to a23-72-224-193.deploy.static.akamaitechnologies.com  (23.72.224.193:80)

TCP (HTTP):
Connects to a23-72-224-110.deploy.static.akamaitechnologies.com  (23.72.224.110:80)
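Not all of these destinations carry the same weight. mc.yandex.ru is Yandex's Metrica analytics endpoint, map2.hwcdn.net is a Highwinds CDN hostname and the akamaitechnologies.com names are Akamai edge nodes; legitimate software talks to all of them, so a hit there is at most corroboration. The connection to bugs.uaservers.net on the non-HTTP port 555 is the distinctive one. The IP addresses were recorded at analysis time and CDN or hosting addresses get reused, so match on hostname where a proxy log or SNI gives one and treat an IP-only match as weaker. The following added example (not Reason Core's code) encodes that weighting over constructed connection records; the field layout (timestamp, source, destination IP, destination port, hostname or "-") is assumed and is not any particular product's log format.

```python
"""Match this page's network indicators against connection records, weighted by how
distinctive each destination is.

Added example, not Reason Core Security's code. SAMPLE_CONN_LOG is constructed and its
column layout is assumed; 10.0.0.x sources are placeholders.
"""

# hostname -> (confidence, reason); suffix matches are allowed so CDN edge names match.
INDICATORS = {
    "bugs.uaservers.net": ("high", "non-HTTP port 555, not shared infrastructure"),
    "mc.yandex.ru": ("low", "Yandex Metrica analytics endpoint used by much legitimate software"),
    "map2.hwcdn.net": ("low", "Highwinds CDN hostname shared by many tenants"),
    "cities.craigslist.org": ("low", "public website; alone this proves nothing"),
    "deploy.static.akamaitechnologies.com": ("low", "Akamai CDN edge; suffix match only"),
}
# Address recorded on this page for the distinctive host; hosting IPs get reused, so IP-only is weaker.
IOC_IPS = {"185.14.28.54": "bugs.uaservers.net"}
DISTINCTIVE_PORT = 555

SAMPLE_CONN_LOG = """\
1406600001.1\t10.0.0.7\t87.250.250.119\t80\tmc.yandex.ru
1406600002.4\t10.0.0.7\t185.14.28.54\t555\t-
1406600003.0\t10.0.0.9\t23.72.224.209\t80\ta23-72-224-209.deploy.static.akamaitechnologies.com
1406600004.2\t10.0.0.7\t93.184.216.34\t443\twww.example.com
"""


def match_indicator(dst_ip, dst_port, host):
    """Return a hit dict or None. Hostname match first, then IP match with port as tie-breaker."""
    for ioc, (conf, why) in INDICATORS.items():
        if host == ioc or host.endswith("." + ioc):
            if ioc == "bugs.uaservers.net" and dst_port != DISTINCTIVE_PORT:
                conf = "medium"         # right host, but not the port seen in the sandbox
            return {"ioc": ioc, "confidence": conf, "why": why}
    if dst_ip in IOC_IPS:
        conf = "high" if dst_port == DISTINCTIVE_PORT else "medium"
        return {"ioc": IOC_IPS[dst_ip], "confidence": conf,
                "why": "IP-only match; address may have been reassigned since analysis"}
    return None


def scan_conn_log(text):
    hits = []
    for line in text.splitlines():
        ts, src, dst_ip, port, host = line.split("\t")
        m = match_indicator(dst_ip, int(port), host)
        if m:
            hits.append({"ts": ts, "src": src, "dst": f"{dst_ip}:{port}", **m})
    return hits


def hosts_to_escalate(hits):
    """Sources with at least one medium/high hit; low-only sources get watched, not escalated."""
    return sorted({h["src"] for h in hits if h["confidence"] in ("high", "medium")})


if __name__ == "__main__":
    found = scan_conn_log(SAMPLE_CONN_LOG)
    for h in found:
        print(h["src"], "->", h["dst"], h["ioc"], h["confidence"])
    print("escalate:", hosts_to_escalate(found))
```

In the sample, 10.0.0.9 only reached an Akamai edge and stays at "low", while 10.0.0.7 is escalated on the strength of the port-555 connection alone; the Yandex hit on the same host is supporting context, not the reason.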

Remove downbook.exe - Powered by Reason Core Security