mailcracker.exe

Sanmao SMTP Mail Cracker

The executable mailcracker.exe, “Made by Sanmao MSN/Mail:suruiqiang@msn.com”, has been detected as malware by 37 anti-virus scanners. It is infected by an entry-point-obscuring polymorphic file infector that builds a peer-to-peer botnet and receives URLs of additional files to download. While running, it connects to the Internet address mail.inbox.lv on port 25.
Product:
Sanmao SMTP Mail Cracker

Description:
Made by Sanmao MSN/Mail:suruiqiang@msn.com

Version:
1, 0, 0, 1

MD5:
e22a6b66e211041dd640ccbc32c3d6e1

SHA-1:
7c99c548c8521411001017e80c0a07007a8a215f

SHA-256:
708fcec6b30359d697cf18ab5ec25ca32d4e479a26af36ba1e96f0a5f88bea3f

Scanner detections:
37 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
4/19/2024 5:28:40 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Win32.Sality.E | 923
Agnitum Outpost | Win32.Sality.L | 7.1.1
AhnLab V3 Security | Win32/Sality.F | 2014.07.27
Avira AntiVirus | W32/Sality.L | 7.11.30.172
avast! | Win32:Sality-AB | 140617-1
AVG | Win32/Tanatos.T | 2014.0.3986
Baidu Antivirus | Virus.Win32.Sality.$l | 4.0.3.14726
Bitdefender | Win32.Sality.E | 1.0.20.1035
Clam AntiVirus | W32.Sality.N | 0.98/19185
Comodo Security | Virus.Win32.Sality.L | 18986
Dr.Web | Win32.Sector.20480 | 9.0.1.05190
Emsisoft Anti-Malware | Win32.Sality | 8.14.07.26.11
ESET NOD32 | Win32/Sality.NAE virus | 7.0.302.0
Fortinet FortiGate | W32/Sality.P | 7/26/2014
F-Prot | W32/Sality.K | 4.6.5.141
F-Secure | Win32.Sality.E | 11.2014-26-07_7
G Data | Win32.Sality | 14.7.24
IKARUS anti.virus | Trojan-Downloader.Win32.Adload | t3scan.1.6.1.0
K7 AntiVirus | Virus | 13.181.12846
Kaspersky | Virus.Win32.Sality | 15.0.0.494
McAfee | W32/Sality.n | 5600.7057
Microsoft Security Essentials | Threat.Undefined | 1.179.1221.0
MicroWorld eScan | Win32.Sality.E | 15.0.0.621
NANO AntiVirus | Virus.Win32.Sality.cdbf | 0.28.2.60990
Norman | Sality.FOA | 11.20140726
nProtect | Win32.Sality.E | 14.07.25.01
Panda Antivirus | W32/Sality.O | 14.07.26.11
Qihoo 360 Security | Malware.QVM19.Gen | 1.0.0.1015
Quick Heal | W32.Sality.K | 7.14.14.00
Rising Antivirus | PE:Win32.Sality!214858 | 23.00.65.14724
Sophos | W32/Sality-AI | 4.98
Total Defense | Win32/Sality.J | 37.0.11083
Trend Micro House Call | PE_SALITY.AE | 7.2.207
Trend Micro | PE_SALITY.AE | 10.465.26
Vba32 AntiVirus | Win32.HLLP.Kuku.304 | 3.12.26.3
VIPRE Antivirus | Threat.226310 | 31208
ViRobot | Win32.Sality.G | 2011.4.7.4223

File size:
292 KB (299,008 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyrigth (C) 2010

File type:
Executable application (Win32 EXE)

Language:
Chinese

File PE Metadata
Compilation timestamp:
10/19/2010 5:20:57 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:qyv6kRzP1flk5YZX1JaMZl5dyAhpxeBrw46i9gAN7ME+Tj5EvtNE+oNozs/ne2aR:qiHLflkGlJaolgj6i95A3ne28liS/pMm

Entry address:
0xD490

Entry point:
60, E8, 52, 00, 00, 00, 66, B9, 00, 28, 68, 70, AB, 03, 00, 8D, BD, 00, 10, 40, 00, 03, 3C, 24, 8B, F7, 68, 32, 10, 40, 00, 55, 9B, DB, E3, DB, 04, 24, DB, 44, 24, 04, DE, C1, DB, 1C, 24, 8B, 1C, 24, 66, AD, 51, DB, 04, 24, DA, 8D, 66, 10, 40, 00, DB, 1C, 24, D1, E1, 29, 0C, 24, 33, 04, 24, D1, E9, 66, AB, 58, E2, 14, 66, B9, FC, 4F, 2B, F9, FF, E7, 33, C9, 8B, 2C, 24, 81, ED, 06, 10, 40, 00, C3, FF, E3, 00, C5, 00, 00, 59, E8, 9C, 43, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...

Packer / compiler:
ASPack v1.08.04

Code size:
188 KB (192,512 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (SMTP): Connects to ysgmta01.netvigator.com (218.102.23.233:25)
TCP (SMTP): Connects to web3.globe.de (212.124.37.50:25)
TCP (SMTP): Connects to vxmaa-23mc.srv.cat (134.0.12.15:25)
TCP (SMTP): Connects to vs4515.denkis.nl (62.148.191.43:25)
TCP (SMTP): Connects to vs01.digiport.nl (94.126.67.159:25)
TCP (SMTP): Connects to vps9061.inmotionhosting.com (198.46.84.238:25)
TCP (SMTP): Connects to unused.networksolutions.com (206.188.198.69:25)
TCP (SMTP): Connects to su9.dns77.com (64.141.114.116:25)
TCP (SMTP): Connects to smtp-in-114.livemail.co.uk (213.171.216.114:25)
TCP (SMTP): Connects to smtpgw.dds.nl (91.142.252.201:25)
TCP (SMTP): Connects to smtp-04.servidoresdns.net (217.76.146.62:25)
TCP (SMTP): Connects to smtp.yandex.ru (93.158.134.38:25)
TCP (SMTP): Connects to smtp.xtra.co.nz (210.54.141.2:25)
TCP (SMTP): Connects to smtp.xs4all.nl (194.109.6.51:25)
TCP (SMTP): Connects to smtp.rcn.com (69.168.97.78:25)
TCP (SMTP): Connects to smtp.pt.lu (195.46.255.228:25)
TCP (SMTP): Connects to smtp.netcologne.de (213.168.87.11:25)
TCP (SMTP): Connects to smtp.mail.ru (217.69.139.160:25)
TCP (SMTP): Connects to smtp.bk.ru (94.100.180.163:25)
TCP (SMTP): Connects to server-en.yopmail.com (87.98.250.141:25)

Remove mailcracker.exe - Powered by Reason Core Security