downloader_turbobit_40b2130728658de68e71c01412ec2400.exe

Downloader Module

LLC Mail.Ru

The application downloader_turbobit_40b2130728658de68e71c01412ec2400.exe by LLC Mail.Ru has been detected as a potentially unwanted program by 8 of 68 anti-malware scanners. It is a setup program used to install the application. The file has been seen being downloaded from dlm.mail.ru and multiple other hosts. While running, it connects to the Internet address upload80.mail.ru on port 80 using the HTTP protocol.
Publisher:
LLC Mail.Ru  (signed and verified)

Product:
Downloader Module

Version:
1, 0, 0, 31

MD5:
740e7589401a42c00ca80d93c6684f06

SHA-1:
aacd6431d7951ad4504903e431fbed7cffec4858

SHA-256:
9d954742ed620cf35af59ee81ed1d98bd6b5bb86af1a391aaffb388273901d0b

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
5/13/2025 10:05:32 PM UTC

Scan engine          Detection                  Engine version
Agnitum Outpost      PUA.Toolbar.MailRU         7.1.1
Avira AntiVirus      APPL/LoadMoney.A.16        7.11.124.138
Dr.Web               Adware.Downware.179        9.0.1.0361
ESET NOD32           Win32/Toolbar.MailRU       7.9272
F-Prot               W32/Backdoor2.HTQA         v6.4.7.1.166
Reason Heuristics    PUP.Optional.MailRu.u      14.3.28.18
Rising Antivirus     PE:Trojan.RuMail!1.6574    23.00.65.131225
XVirus List          Win.Detected               2.3.31

File size:
877.1 KB (898,136 bytes)

Product version:
1, 0, 0, 31

Copyright:
Copyright 2010

Original file name:
Downloader.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\downloader_turbobit_40b2130728658de68e71c01412ec2400.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/9/2011 4:00:00 AM

Valid to:
2/7/2014 3:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1C09DBBC732D4B58F7A88EBACF323417

File PE Metadata
Compilation timestamp:
1/16/2012 3:04:49 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:cvALZGgbNPi11w80r3MoFHGwvgnrCrYV4ogPXXON2QcsLt1iZcH6qAFYNXaayIGp:cT480rcwgNV4ogPXXM2Q/pCcH6PFnp

Entry address:
0x6817E

Entry point:
E8, 39, D2, 00, 00, E9, 79, FE, FF, FF, 6A, 0C, 68, 08, 77, 4A, 00, E8, 58, D2, FF, FF, 33, FF, 89, 7D, E4, 33, C0, 8B, 75, 0C, 3B, F7, 0F, 95, C0, 3B, C7, 75, 20, E8, 47, 37, 00, 00, C7, 00, 16, 00, 00, 00, 57, 57, 57, 57, 57, E8, 12, CB, FF, FF, 83, C4, 14, 83, C8, FF, E9, BC, 00, 00, 00, 56, E8, 56, BD, 00, 00, 59, 89, 7D, FC, F6, 46, 0C, 40, 75, 77, 56, E8, 0C, BC, 00, 00, 59, 83, F8, FF, 74, 1B, 83, F8, FE, 74, 16, 8B, D0, C1, FA, 05, 8B, C8, 83, E1, 1F, C1, E1, 06, 03, 0C, 95, 40, 36, 4B, 00, EB, 05...

Code size:
565.5 KB (579,072 bytes)

The file downloader_turbobit_40b2130728658de68e71c01412ec2400.exe has been seen being distributed by the following 50 URLs.


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to upload80.mail.ru  (94.100.191.208:80)