ed2k.exe

aMule

http://www.amule.org/

The application ed2k.exe, “ED2K Links Handler”, has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a Windows service named “ed2k idle service”. While running, it connects to the Internet address server-54-240-186-230.mad50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
http://www.amule.org/

Product:
aMule

Description:
ED2K Links Handler

Version:
SVN rev. 8

MD5:
5a9a467ba7bf8ebab848b8d454ee9115

SHA-1:
fa72ecd50dfa787764987f63c07c4cb642f8c206

SHA-256:
2eba859007ce126c1a2647eb87fdfe0b08e9b6bab043448e51abc02f28724072

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
4/23/2024 11:59:44 PM UTC

Scan engine | Detection                          | Engine version
ESET NOD32  | Win32/Adware.ELEX.EL application   | 6.3.12010.0
Kaspersky   | Trojan-Downloader.Win32.Eroyee     | 15.0.2.529

File size:
232 KB (237,568 bytes)

Product version:
SVN rev. 8

Copyright:
aMule Team ( admin@amule.org )

Original file name:
ed2k.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\amulec\ed2k.exe

File PE Metadata
Compilation timestamp:
11/2/2016 4:05:29 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
12.0

CTPH (ssdeep):
3072:BSl89PQcgGZ5aD3Xpq85rG2FY5xQGEo6YxOJDRM7+qPnf83nIqaiMEkp6:BD9PQcFZA7pmkGaYgRM7HN9BEW

Entry address:
0xDC77

Entry point:
E8, 3F, C6, 00, 00, E9, 7B, FE, FF, FF, E8, C0, 70, 00, 00, 8B, D0, 8B, 42, 6C, 3B, 05, 54, 9E, 43, 00, 74, 10, 8B, 0D, 18, 9F, 43, 00, 85, 4A, 70, 75, 05, E8, 02, 67, 00, 00, 8B, 40, 04, C3, E8, 9A, 70, 00, 00, 8B, D0, 8B, 42, 6C, 3B, 05, 54, 9E, 43, 00, 74, 10, 8B, 0D, 18, 9F, 43, 00, 85, 4A, 70, 75, 05, E8, DC, 66, 00, 00, 05, A0, 00, 00, 00, C3, E8, 72, 70, 00, 00, 8B, D0, 8B, 42, 6C, 3B, 05, 54, 9E, 43, 00, 74, 10, 8B, 0D, 18, 9F, 43, 00, 85, 4A, 70, 75, 05, E8, B4, 66, 00, 00, 8B, 40, 74, C3, 55, 8B...

Code size:
175.5 KB (179,712 bytes)

Service
Display name:
ed2k idle service

Service name:
ed2kidle

Description:
execute ed2k task in idle time

Type:
Win32OwnProcess, InteractiveProcess


The executing file has been seen to make the following network communications in live environments.

Powered by Reason Core Security