kb43070331.exe

The application kb43070331.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘CrashReportChecker’. While running, it connects to the Internet address r167-58-100-25.dialup.adsl.anteldata.net.uy on port 80 using the HTTP protocol.
MD5:
670448a73d11e084dffaefd400fbc4bd

SHA-1:
8060a62f119b37cabe23ee41fc0d46509ce19468

SHA-256:
ae3ab4712275ec2794563ac9d210a295731ab3142961186c41fe04e7d16e23d5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/19/2024 5:37:45 PM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.Updater.Startup

Engine version:
16.8.22.18

File size:
1 MB (1,048,927 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\kb43070331.exe

File PE Metadata
Compilation timestamp:
8/18/2016 3:29:10 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

CTPH (ssdeep):
24576:iX8/vp277XDjN4YEoPPey4wNIXSipYgpAc:hX27XDBlEoPPeyfIbYaAc

Entry address:
0x1980

Entry point:
55, 8B, EC, 6A, FF, 68, 20, 26, 00, 01, 68, C2, 1B, 00, 01, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, 5F, 57, FF, 15, 94, 21, 00, 01, 59, 83, 90, 40, 3C, 00, 01, FF, 83, 0D, 44, 3C, 00, 01, FF, FF, 15, 90, 21, 00, 01, 8B, 0D, 34, 3C, 00, 01, 89, 08, FF, 15, 8C, 21, 00, 01, 8B, 0D, 30, 3C, 00, 01, 89, 08, A1, 88, 21, 00, 01, 8B, 00, A3, 3C, 3C, 00, 01, E8, 90, FD, FF, FF, 39, 1D, 20, 3B, 00, 01, 75, 0C, 68, BE, 1B, 00, 01, FF, 15...

Entropy:
7.9917

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
16.1 MB (16,846,848 bytes)

5 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CrashReportChecker

Command:
C:\users\{user}\appdata\local\temp\kb43070331.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CrashReportUpdater

Command:
C:\users\{user}\appdata\local\temp\kb85647328.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CrashReportSaver

Command:
C:\users\{user}\appdata\local\temp\kb03658863.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CrashReportNotifyer

Command:
C:\users\{user}\appdata\local\temp\kb455823689.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CrashReportVerifyer

Command:
C:\users\{user}\appdata\local\temp\kb285063372.exe


4 Startup Files (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NetworkUpdater

Command:
C:\users\{user}\appdata\local\temp\kb242061384.exe

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NetworkChecker

Command:
C:\users\{user}\appdata\local\temp\kb623771635.exe

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NetworkNotifyer

Command:
C:\docume~1\window~1\impost~1\temp\kb17886031.exe

Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NetworkVerifyer

Command:
C:\users\{user}\appdata\local\temp\kb10708439.exe


The executing file has been seen to make the following network communications in live environments.

Remove kb43070331.exe - Powered by Reason Core Security