groupmanager.exe

The executable groupmanager.exe has been detected as malware by 34 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘GroupManager’. While running, it connects to the Internet address 2a.6a.acb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Version:
1.0.0.5

MD5:
c50db5d138ba635e6cbb22e87976f4a3

SHA-1:
50d9a06bb00265dfca4e652f0f723f672c5061a9

SHA-256:
c88f4fc17ad9b2554bc9eb61a1e6ab8780bf04bd624e803faf72b094ffd7aadb

Scanner detections:
34 / 68

Status:
Malware

Analysis date:
9/26/2017 10:10:51 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.1782331
282

Agnitum Outpost
Trojan.Bumat
7.1.1

Avira AntiVirus
TR/Click.MSIL.Xone.BV
7.11.213.12

Antiy Labs AVL
Trojan/Win32.TSGeneric
1.0.0.1

avast!
Win32:Trojan-gen
2014.9-160427

AVG
Clicker
2017.0.2760

Baidu Antivirus
Trojan.MSIL.Clicker
4.0.3.16427

Bitdefender
Trojan.Generic.1782331
1.0.20.590

CMC Antivirus
Generic.Win32.c50db5d138!CMCRadar
1.1.0.977

Dr.Web
Trojan.Popuper.15978
9.0.1.0118

Emsisoft Anti-Malware
Trojan.Generic.1782331
8.16.04.27.12

Fortinet FortiGate
Malware_fam.gw
4/27/2016

F-Secure
Trojan.Generic.1782331
11.2016-27-04_4

G Data
Trojan.Generic.1782331
16.4.25

Jiangmin
TrojanClicker.MSIL.Xone.o
KV160427

Kaspersky
Trojan-Clicker.MSIL.Xone
14.0.0.297

Kingsoft AntiVirus
Win32.Troj.Generic.v.(kcloud)
331020.49267

McAfee
Artemis!C50DB5D138BA
5600.6416

McAfee Web Gateway
Artemis!Trojan
7.6416

Microsoft Security Essentials
Trojan:Win32/Bumat!rts
1.1.11400.0

MicroWorld eScan
Trojan.Generic.1782331
17.0.0.354

NANO AntiVirus
Trojan.Win32.Xone.tvzbf
0.30.0.296

Norman
Suspicious_Gen2.QSMU
11.20160427

nProtect
Trojan-Clicker/W32.Agent.32256.J
15.02.27.01

Panda Antivirus
Trj/CI.A
16.04.27.12

Qihoo 360 Security
Win32/Trojan.a1b
1.0.0.1015

Rising Antivirus
PE:Trojan.Win32.Generic.12DDD9F2!316529138
23.00.65.16425

Sophos
Troj/Click-N
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Clicker
9178

The Hacker
Trojan/Xone.bv
6.8.0.5.530

Trend Micro House Call
TROJ_CLICKER.CBM
7.2.118

Trend Micro
TROJ_CLICKER.CBM
10.465.27

VIPRE Antivirus
Trojan.Win32.Generic
38032

Zillya! Antivirus
Trojan.Xone.Win32.15
2.0.0.2085

File size:
31.5 KB (32,256 bytes)

Product version:
1.0.0.5

Copyright:
Copyright © 2008

Original file name:
groupmanager.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Windows\System32\groupmanager.exe

File PE Metadata
Compilation timestamp:
3/18/2009 5:15:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:H27u37voX8Q0D6QSxq65r6F6HkGqE5cgBl:H263s8Q0D6QSxqm691E5cgf

Entry address:
0x8AAE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
27 KB (27,648 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
GroupManager

Command:
C:\Windows\System32\groupmanager.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 2a.6a.acb8.ip4.static.sl-reverse.com  (184.172.106.42:80)

TCP (HTTP):
Connects to no.rdns.ukservers.com  (94.229.72.116:80)

Remove groupmanager.exe - Powered by Reason Core Security