downloads.exe

The executable downloads.exe has been detected as malware by 46 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Tok-Cirrhatus-1398’. The file has been seen being downloaded from doc-0o-a0-docs.googleusercontent.com. While running, it connects to the Internet address unknown.prolexic.com on port 80 using the HTTP protocol.
MD5:
e65b9179a1a18ca163baedc2be3f158a

SHA-1:
f9714fb9bf72e71d0f5679c6b573aebe059f450d

SHA-256:
90ca9195fe4ccd981e3a916c0422802c84b66b43bf81e3d9c86cfb4045d7bee7

Scanner detections:
46 / 68

Status:
Malware

Analysis date:
11/22/2017 3:55:14 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Win32.Worm.Brontok.N | 845
Agnitum Outpost | I-Worm.Brontok.JH | 7.1.1
AhnLab V3 Security | Win32/Brontok.worm.107008.B | 2014.10.10
Avira AntiVirus | Worm/Brontok.Y | 7.11.177.102
Antiy Labs AVL | Worm[Email]/Win32.Brontok | 1.0.0.1
avast! | Win32:Brontok-CE [Wrm] | 2014.9-141013
AVG | Worm/Brontok | 2015.0.3323
Baidu Antivirus | Trojan.Win32.Genome | 4.0.3.141013
Bitdefender | Win32.Worm.Brontok.N | 1.0.20.1430
Bkav FE | W32.BrontokQ | 1.3.0.4959
Clam AntiVirus | Worm.Brontok-10 | 0.98/21411
CMC Antivirus | Generic.Win32.e65b9179a1!MD | 1.1.0.977
Comodo Security | Worm.Win32.Brontok.CO | 19747
Dr.Web | BackDoor.Generic.3162 | 9.0.1.05190
Emsisoft Anti-Malware | Win32.Worm.Brontok.N | 8.14.10.13.02
ESET NOD32 | Win32/Brontok.CO worm | 8.0.319.0
F-Prot | W32/Backdoor.IDJ | 4.6.5.141
F-Secure | Win32.Worm.Brontok.N | 11.2014-13-10_2
G Data | Win32.Worm.Brontok | 14.10.24
IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.1.7.8.0
Jiangmin | I-Worm/Brontok.ij | KV141013
K7 AntiVirus | Trojan | 13.183.13630
K7 Gateway Antivirus | Trojan | 13.183.13630
Kaspersky | Trojan.Win32.Genome | 14.0.0.3110
Kingsoft AntiVirus | Worm.Brontok.q.(kcloud) | 331020.49267
Malwarebytes | Trojan.Dropper | v2014.10.13.02
McAfee | W32/Rontokbro.gen@MM | 5600.6979
McAfee Web Gateway | BehavesLike.Win32.Sality.pc | 7.6979
Microsoft Security Essentials | Worm:Win32/Brontok.Y@mm | 1.11005
MicroWorld eScan | Win32.Worm.Brontok.N | 15.0.0.858
NANO AntiVirus | Trojan.Win32.Alman.btuxjj | 0.28.2.62483
Norman | Rontokbro | 11.20141013
nProtect | Worm/W32.Brontok.45508 | 14.10.08.01
Qihoo 360 Security | Trojan.Generic | 1.0.0.1015
Quick Heal | W32.Brontok.Q | 10.14.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.14341A8A!338958986 | 23.00.65.141011
Sophos | W32/Brontok-Gen | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-SV | 10303
The Hacker | Trojan/Rontokbro.genw | 6.8.0.5.481
Total Defense | Win32/Robknot.AN | 37.0.11217
Trend Micro House Call | WORM_BRONTOK.BA | 7.2.286
Trend Micro | WORM_BRONTOK.BA | 10.465.13
Vba32 AntiVirus | Email-Worm.Brontok | 3.12.26.3
VIPRE Antivirus | Email-Worm.Win32.Brontok.q | 33768
ViRobot | I-Worm.Win32.Brontok.45508 | 2011.4.7.4223
Zillya! Antivirus | Worm.Brontok.Win32.294 | 2.0.0.1948

File size:
44.4 KB (45,508 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\downloads.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:9TE/NpcvMl0XAyhv+ahTVa02QCKqcvkSuqTKPNxEWdv35BMC9:B83cVw0/hTDUK9swTKPNxEWZ5x

Entry address:
0x32FAB

Entry point:
E9, A4, D1, FC, FF, 0C, 80, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 82, 2F, 03, 00, 0C, 80, 02, 00...

Entropy:
7.3420

Packer / compiler:
RLPack FullEdition V1.1X

Code size:
512 bytes

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus-1398

Command:
"C:\users\{user}\appdata\local\br3819on.exe"

The file downloads.exe has been seen being distributed by the following URL.

https://doc-0o-a0-docs.googleusercontent.com/docs/securesc/h243hqeb6obn61qbk84n1guah41lcr68/b456nvqp213ovlbf4orpbmekhf5u2trd/1474192800000/.../08251656453984250367/0B24tLIF_qnikZW5CWnlGUGIwUEE?e=download

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.121:80)

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)
