ed2k.exe

aMule

http://www.amule.org/

The application ed2k.exe, “ED2K Links Handler”, has been detected as a potentially unwanted program by 2 of the anti-malware scanners used. It runs as a Windows service named “ed2k idle service”. While running, it connects to the Internet address server-54-230-122-171.dfw50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
http://www.amule.org/

Product:
aMule

Description:
ED2K Links Handler

Version:
2.4.0

MD5:
5db90f536c93c9468ed1de4d5cd01fe1

SHA-1:
5b8ca30cc338f369a2deca1cd43b7057296e7c6b

SHA-256:
0a8acf0bbcd45089cf3805fbe5ffcc11204698dd8526ed32033b86a72d4e4264

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2018 4:20:06 PM UTC

Scan engine | Detection | Engine version
ESET NOD32 | Win32/Adware.ELEX.EL application | 6.3.12010.0
Kaspersky | Trojan-Downloader.Win32.Eroyee | 15.0.2.529

File size:
232 KB (237,568 bytes)

Product version:
2.4.0

Copyright:
aMule Team ( admin@amule.org )

Original file name:
ed2k.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\amulec\ed2k.exe

File PE Metadata
Compilation timestamp:
10/8/2016 9:39:24 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
12.0

CTPH (ssdeep):
3072:nyl89PQcgGpPaD9Xpq8MrG2lYpxQWEo6YxOJD3nbC7+fPnf8snU0AwER1pz:nj9PQcFp07qGUWaYg3nbC7MM+Ex

Entry address:
0xDC77

Entry point:
E8, 3F, C6, 00, 00, E9, 7B, FE, FF, FF, E8, C0, 70, 00, 00, 8B, D0, 8B, 42, 6C, 3B, 05, 54, 9E, 43, 00, 74, 10, 8B, 0D, 18, 9F, 43, 00, 85, 4A, 70, 75, 05, E8, 02, 67, 00, 00, 8B, 40, 04, C3, E8, 9A, 70, 00, 00, 8B, D0, 8B, 42, 6C, 3B, 05, 54, 9E, 43, 00, 74, 10, 8B, 0D, 18, 9F, 43, 00, 85, 4A, 70, 75, 05, E8, DC, 66, 00, 00, 05, A0, 00, 00, 00, C3, E8, 72, 70, 00, 00, 8B, D0, 8B, 42, 6C, 3B, 05, 54, 9E, 43, 00, 74, 10, 8B, 0D, 18, 9F, 43, 00, 85, 4A, 70, 75, 05, E8, B4, 66, 00, 00, 8B, 40, 74, C3, 55, 8B...

Code size:
175.5 KB (179,712 bytes)

Service
Display name:
ed2k idle service

Service name:
ed2kidle

Description:
execute ed2k task in idle time

Type:
Win32OwnProcess, InteractiveProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to server-54-230-122-171.dfw50.r.cloudfront.net (54.230.122.171:80)
TCP (HTTP): Connects to server-54-230-81-107.mia50.r.cloudfront.net (54.230.81.107:80)
TCP (HTTP): Connects to server-54-192-159-61.sin3.r.cloudfront.net (54.192.159.61:80)
TCP (HTTP): Connects to server-52-85-63-7.lhr50.r.cloudfront.net (52.85.63.7:80)
TCP (HTTP): Connects to server-54-230-216-243.mrs50.r.cloudfront.net (54.230.216.243:80)
TCP (HTTP): Connects to server-54-230-0-109.lhr5.r.cloudfront.net (54.230.0.109:80)
TCP (HTTP): Connects to server-52-84-174-18.gru50.r.cloudfront.net (52.84.174.18:80)
TCP (HTTP): Connects to server-54-230-51-126.jfk5.r.cloudfront.net (54.230.51.126:80)
TCP (HTTP): Connects to server-54-192-159-76.sin3.r.cloudfront.net (54.192.159.76:80)
TCP (HTTP): Connects to server-52-85-41-235.mel50.r.cloudfront.net (52.85.41.235:80)
TCP (HTTP): Connects to server-54-192-230-204.waw50.r.cloudfront.net (54.192.230.204:80)
TCP (HTTP): Connects to server-54-192-230-146.waw50.r.cloudfront.net (54.192.230.146:80)
TCP (HTTP): Connects to server-54-192-203-74.fra50.r.cloudfront.net (54.192.203.74:80)
TCP (HTTP): Connects to server-54-192-203-188.fra50.r.cloudfront.net (54.192.203.188:80)
TCP (HTTP): Connects to server-52-85-33-182.mnl50.r.cloudfront.net (52.85.33.182:80)
TCP (HTTP): Connects to server-54-239-132-231.sfo9.r.cloudfront.net (54.239.132.231:80)
TCP (HTTP): Connects to server-54-230-51-229.jfk5.r.cloudfront.net (54.230.51.229:80)
TCP (HTTP): Connects to server-54-230-51-163.jfk5.r.cloudfront.net (54.230.51.163:80)
TCP (HTTP): Connects to server-54-230-216-153.mrs50.r.cloudfront.net (54.230.216.153:80)
TCP (HTTP): Connects to server-54-230-206-253.atl50.r.cloudfront.net (54.230.206.253:80)

Remove ed2k.exe - Powered by Reason Core Security