Mary.exe

Mary

The application Mary.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address s3.lfs.net on port 80 using the HTTP protocol.
Product:
Mary

Version:
0.9

MD5:
7120eee36bb35c3c3d754e3177217458

SHA-1:
daceceafa467887f0bc2f430a62712f2346d3e79

SHA-256:
1e8420fc3379ffe8e4d7f1ce5c6d087ef00444603377dd03be133650602de2a5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/25/2016 12:13:31 AM UTC  (eleven months)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Eorezo.RE (M)
16.11.24.19

File size:
303.5 KB (310,784 bytes)

Product version:
0.9

Copyright:
Copyright © MariusMM

Original file name:
Mary.exe

File type:
Executable application (Win64 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\mary\mary.exe

File PE Metadata
Compilation timestamp:
9/26/2016 7:15:19 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
48.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:rMSgKKly3hNTqkwPCkwiQhN/9VvYkoV5wE3JNINH3rGiSDtLP:3IwaiH3rGiSDt

Entry address:
0x3CAE2

Entry point:
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 80, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Code size:
235 KB (240,640 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to s3.lfs.net  (188.122.74.150:80)

Remove Mary.exe - Powered by Reason Core Security