» firstrun.scr
Overview
Analysis
File Details
Behaviors (1)
Network (4)

firstrun.scr

PandoraTV

The file firstrun.scr has been detected as malware by 4 anti-virus scanners. While running, it connects to the Internet address i0-h0-s80.p59-icn.cdngp.net on port 80 using the HTTP protocol.

File name:

firstrun.scr

Publisher:

Pandora.tv (signed by PandoraTV)

Product:

Pandora.tv

Description:

Screen Saver

Version:

1.0.1.8

MD5:

9d649274dc3d4561e5f2f654979fdc74

SHA-1:

ad114d8ecdaaf3de74ca623ce36ece0b3cc05732

SHA-256:

ccadb7f5279fedbad20b678bff8436990d8d6f024bf83c5b44072fabc674e82d

Scanner detections:

4 / 68

Status:

Malware

Analysis date:

4/24/2024 10:19:22 AM UTC (today)

Scan engine

Detection

Engine version

Bkav FE

W32.Clod584.Trojan

1.3.0.4924

Dr.Web

DLOADER.Trojan

9.0.1.0209

Reason Heuristics

Unnamed.Threat.18

14.2.26.9

Vba32 AntiVirus

suspected of Trojan.Downloader.gen.h

3.12.24.3

File size:

1.8 MB (1,909,928 bytes)

Product version:

1.0.1.5

Language:

Korean (Korea)

Common path:

C:\Program Files\pandora.tv\panservice\firstrun.scr

Digital Signature

Signed by:

PandoraTV

Authority:

Thawte, Inc.

Valid from:

5/14/2012 5:00:00 PM

Valid to:

6/14/2014 4:59:59 PM

Subject:

CN=PandoraTV, O=PandoraTV, L=Gangnam-gu, S=Seoul, C=KR

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

2BF6AC6C0932526A56D17EB4F2C776C5

File PE Metadata

Compilation timestamp:

6/26/2012 6:14:57 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:GJh5afs8nUOVoaBoOapX13anWmQRG8IdrIqk7JlXbFcD2l/OnCT4cgKPIZMaER0p:G0ZlV2XqdldPkNlLFH/OnCMJwbrj1LhW

Entry address:

0xBFDC0

Code size:

763 KB (781,312 bytes)

Scrnsave

Name:

firstrun.scr

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to i0-h0-s80.p59-icn.cdngp.net (14.0.68.15:80)

TCP (HTTP):

Connects to i0-h0-s52.p59-icn.cdngp.net (14.0.67.114:80)

TCP (HTTP):

Connects to i0-h0-s50.p59-icn.cdngp.net (14.0.67.112:80)

TCP (HTTP):

Connects to i0-h0-s2694.p51-icn.cdngp.net (61.110.248.140:80)

Remove firstrun.scr - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.