» emangeloh.exe
Overview
Analysis
File Details
Behaviors (1)
Network (9)

emangeloh.exe

The executable emangeloh.exe has been detected as malware by 37 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘T57Z384’. Infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receives URLs of additional files to download. While running, it connects to the Internet address control3.numplus.com on port 80 using the HTTP protocol.

File name:

emangeloh.exe

MD5:

313eec1fd166ee7547412141165cf112

SHA-1:

e14e3939fb4d992c9d1924ca07ce550052e47cbd

SHA-256:

aa0081bf269e04e51ccfb6f7969fe33a46989a0d612a383fdcd656278040e02d

Scanner detections:

37 / 68

Status:

File is infected by a Virus

Explanation:

The file is infected by a polymorphic file infector virus.

Analysis date:

4/27/2024 12:10:45 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Win32.Sality.3

6209648

Agnitum Outpost

Win32.Sality.AP.Gen

7.1.1

AhnLab V3 Security

HEUR/Fakon.mwf

2015.04.02

avast!

Malware-gen

150319-0

AVG

Win32/Sality

2014.0.4311

Baidu Antivirus

Virus.Win32.Sality.$Emu

4.0.3.1541

Bitdefender

Win32.Sality.3

1.0.20.455

Bkav FE

W32.Sality.PE

1.3.0.6379

Clam AntiVirus

Worm.VB-89

0.98/21511

Comodo Security

Virus.Win32.Sality.gen

21613

Dr.Web

Win32.Sector.30

9.0.1.05190

Emsisoft Anti-Malware

Win32.Sality

9.0.0.4799

ESET NOD32

Win32/Sality.NBA virus

7.0.302.0

F-Prot

W32/Sality.gen2

4.6.5.141

F-Secure

Win32.Sality.3

5.13.68

G Data

Win32.Sality

15.4.25

IKARUS anti.virus

Worm.Win32.VB

t3scan.1.8.9.0

K7 AntiVirus

EmailWorm

13.202.15452

Kaspersky

Virus.Win32.Sality

15.0.0.543

Malwarebytes

Worm.AutoRun

v2015.04.01.01

McAfee

Virus.W32/MoonLight.worm

16.8.708.2

Microsoft Security Essentials

Threat.Undefined

1.195.1215.0

MicroWorld eScan

Win32.Sality.3

16.0.0.273

NANO AntiVirus

Virus.Win32.Sality.yusp

0.30.8.659

Norman

Win32.Sality.3

03.12.2014 13:20:04

nProtect

Virus/W32.Sality.D

15.04.01.01

Panda Antivirus

W32/Sality.AA

15.04.01.01

Quick Heal

W32.Sality.U

4.15.14.00

Rising Antivirus

PE:Worm.VB.fa!1074044955

23.00.65.15330

Sophos

W32/Bobandy-D

4.98

Total Defense

Win32/Sality.AA

37.0.11524

Trend Micro House Call

PE_SALITY.RL

7.2.91

Trend Micro

PE_SALITY.RL

10.465.01

Vba32 AntiVirus

Virus.Win32.Sality.bakb

3.12.26.3

VIPRE Antivirus

Threat.4721115

38950

ViRobot

Win32.Sality.Gen.A[h]

2014.3.20.0

Zillya! Antivirus

Worm.VB.Win32.2

2.0.0.2123

File size:

2.1 MB (2,162,688 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\windows\m70273\emangeloh.exe

File PE Metadata

Compilation timestamp:

3/8/2004 2:57:36 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

24576:2OchKmY+7OchKmY+MKmY+MKmY+MKmY+MKmY+MKmY+OOchKmY+oKmY+oKm+:2OUK8OUKxKxKxKxKxKZOUKpKpKN

Entry address:

0x118C

Entry point:

60, 89, F9, F6, C5, CA, F3, F7, C7, 5A, E5, 90, 2B, C6, C4, 33, B2, C0, C7, C2, 80, 41, E0, AC, 0F, AF, C2, F2, C7, C1, 37, 35, 62, 41, 8D, 05, 87, 34, 92, 99, 0F, AF, C3, E8, 8A, 00, 00, 00, 29, FF, 8B, DD, 84, F9, 88, FE, 88, E1, 68, 3A, DF, 00, 00, 89, CD, 58, 8D, 0D, 9E, 8D, 2B, 07, 84, E6, 35, E4, 44, 00, 00, 8D, 05, C5, 08, 17, 6D, F3, 89, DF, 68, AD, 08, 00, 00, 2D, A6, 66, 4C, BC, 4F, C6, C4, B4, 5E, 86, FE, 81, F6, CA, 0D, 00, 00, 4A, FE, C7, 81, F9, 43, 74, 00, 00, 77, 02, 88, FE, 69, CB, DB, C1... 
[+]

Code size:

72 KB (73,728 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

T57Z384

Command:

C:\windows\sa-76400.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to s11.linuxpl.com (88.198.8.17:80)

TCP (HTTP):

Connects to s01.snkhole.mal-ware.susp-nded.domain (166.78.144.80:80)

TCP (HTTP):

Connects to redirect-v225.secureserver.net (184.168.47.225:80)

TCP (HTTP):

Connects to nat.th.itouchnet.net (203.107.129.145:80)

TCP (HTTP):

Connects to ec2-54-174-31-254.compute-1.amazonaws.com (54.174.31.254:80)

TCP (HTTP):

Connects to control3.numplus.com (203.150.231.210:80)

TCP (HTTP):

Connects to cluster005.ovh.net (213.186.33.16:80)

TCP (HTTP):

Connects to 216-185-153-106.aus.us.siteprotect.com (216.185.153.106:80)

TCP (HTTP):

Connects to 147.62.236.23.bc.googleusercontent.com (23.236.62.147:80)

Remove emangeloh.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.