purevpn_4.1.1.0.exe

Muf

Sivensys SRL

The executable purevpn_4.1.1.0.exe, “Muf Setup”, has been detected as malware by 1 anti-virus scanner. The program is a setup application that uses the Inno Setup installer. The file has been seen being downloaded from www.funcentralnew.com and multiple other hosts. While running, it connects to the Internet address generic.external.zlb.scl3.mozilla.com on port 443.
Publisher:
Sivensys SRL  (signed and verified)

Product:
Muf

Description:
Muf Setup

Version:
3.1.3.0

MD5:
605b2e579d0895eb78087f2f349134d9

SHA-1:
3186b6b6a1dd0fdf4f823556ed5c077a831e1f3f

SHA-256:
c0b1384d1b048291448b00735228011b6ad655efe9a7c1e0e7f707173b906fe0

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
5/5/2024 7:19:21 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.2.22.16

File size:
1.2 MB (1,299,912 bytes)

Product version:
1.0.9

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\purevpn_4.1.1.0.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 8:04:57 AM

Valid to:
10/21/2017 8:04:57 AM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/19/1992 10:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xAA98

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 2E, 86, FF, FF, E8, 35, 98, FF, FF, E8, 9C, 9B, FF, FF, E8, B7, 9F, FF, FF, E8, 56, BF, FF, FF, E8, ED, E8, FF, FF, E8, 54, EA, FF, FF, 33, C0, 55, 68, 69, B1, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 32, B1, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, D0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, C2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, 24, 93, FF, FF, 8D, 55, F0, 33, C0, E8, 66, C5, FF, FF, 8B, 55...

Entropy:
7.9855

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
40.5 KB (41,472 bytes)

The file purevpn_4.1.1.0.exe has been seen being distributed by the following 2 URLs.

http://www.funcentralnew.com/Y6KGeznpMfAvIbBJCN4xm9Z oQoishBrGvs7fgacl2wnesMvCnco5iTZQP7TfMzcnAlk6XPVQqDkDoKPsVlQ 2q8LlRdv53aI8o4AwsCVjI7qqXbFHhIC56W8DVnyPpfbR4yfipd7Kd19VmkXSJNV6cRKwrJlgGHRB7KgQEiy 94jHSu2AlikjKRnY VNAhQu7CPYwuka if7Z2KD5yWvwREvdWp9vRCKPE9Pyss85jxlcflNNXay6rIMRR8 k9e2gizp4firgRnUFgKVb_HDSRM6UaU0zvs cQgqKeomGHGMeM_tC2ynRb9kfy5sLPZBTXvdDZVQyOFstd0sFsjHP4HjabzEdtz9Me5CVYrMRBGtlt3eTUssIcicJaOTAycf67Pg8IvadkLwBKbc817RkGpNvOow==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

http://www.funcentralnew.com/i4XkTGiw74Iqep76Mt BKASpvqVRx9BeNAOaZbc52togJXuVyXCHr xoYBqQC85PJmwKh_8jE8ehQeIS_wO1QvwbBEzmkB5Y15DA6TpVswEFd4dde hB25ArLb3Hqzz1ispwjC4iS0BlSb6CaSeCPrhKsBFONsZSWiLeZTjNqvbsPLynsmdIEIVuIG5QtDhWdjRNrQWthumPrGiyLsta REhmMiJDfDhmxWCyV58UahgB4KVjbbdr2uJb5h_onCWoNgvD8oTHpwa9PSr6Qi0dSqcASyGswfXtrUpJxgNvBJq0T8bvKhKXwBVP8mG82Dcej8m 39xOXEY8jc7vbIBRFnW6T8uYEOfvN5U_xtTA_pwhGVD1CFewrfSPlM5nvkoAbi5a9IiMoAfQqlWo8wBeFVyae8x3g==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA-e

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to generic.external.zlb.scl3.mozilla.com  (63.245.213.12:443)

TCP (HTTP):
Connects to server-54-230-95-110.fra2.r.cloudfront.net  (54.230.95.110:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.80.224:80)

TCP (HTTP):
Connects to ec2-52-50-196-247.eu-west-1.compute.amazonaws.com  (52.50.196.247:80)

TCP (HTTP):
Connects to ec2-52-49-170-39.eu-west-1.compute.amazonaws.com  (52.49.170.39:80)

TCP (HTTP):
Connects to ec2-176-34-130-130.eu-west-1.compute.amazonaws.com  (176.34.130.130:80)
