programan.exe

Setup

The executable programan.exe has been detected as malware by 3 anti-virus scanners. It is a setup and installation application; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from cdn4.downloadjelly.com and multiple other hosts.
Product:
Setup

Version:
1.0.0.1

MD5:
f27dcd6109760d258ba5d057e268e665

SHA-1:
a261c4a9b2eee9a9655910aaf939d186ab3f6472

SHA-256:
36a9a0149544925162bc05944777823a21fa91ea489a9fc329b9b6501869f55d

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
4/16/2024 10:00:08 PM UTC

Scanner detections (scan engine: detection, engine version):

Avira AntiVirus: TR/Dropper.Gen, engine version 8.3.2.4

avast!: Win32:Dropper-gen [Drp], engine version 151004-0

Qihoo 360 Security: HEUR/QVM10.1.Malware.Gen, engine version 1.0.0.1077

File size:
317.5 KB (325,120 bytes)

Product version:
1.0.0.1

Copyright:
Copyright (C) 2015

Original file name:
Setup.exe

File type:
Executable application (Win32 EXE)

Language:
Hebrew (Israel)

Common path:
C:\users\{user}\appdata\local\temp\programan.exe

File PE Metadata

Compilation timestamp:
11/24/2015 1:24:10 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:Q0yJrFtXb3CAtGC7eJ9Z6uiMUeoh2uEmS7nvFenqEUPtQd:QLRVqJ9Z1i3kDNAqEWtc

Entry address:
0x42C4

Entry point:
E8, D0, 22, 00, 00, E9, 10, FE, FF, FF, E9, 94, 29, 00, 00, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, EB, 03, EB, 00, E9, E8, 03, 00, 00, 00, 0F, 06, EB, 83, 04, 24, 09, C3, 00, E8, 5F, 00, 00, 00, C7, 06, FC, C2, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 5F, 00, 00, 00, C7, 06, FC, C2, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, C6, 00, 00, 00, C7, 06, E4, C2, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 56, 8D, 45, 08, 50, 8B, F1, E8, 57, 00...

Entropy:
7.2382

Code size:
101 KB (103,424 bytes)

The file programan.exe has been observed being distributed from the following 3 URLs.

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to ec2-54-83-25-106.compute-1.amazonaws.com (54.83.25.106:80)

TCP (HTTP):
Connects to ec2-184-73-225-10.compute-1.amazonaws.com (184.73.225.10:80)

Remove programan.exe - Powered by Reason Core Security