rs.exe

The application rs.exe has been detected as a potentially unwanted program by 4 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘Rs’. While running, it connects to the Internet address dmpro-ca-01.fooservers.com on port 80 using the HTTP protocol.
MD5:
0afcd87b9a9b5b3a9441e3ea1e7ff8bc

SHA-1:
4f78496babf9b1b45c0201d7cd3847176e128f1b

SHA-256:
6fba872f1d3a644327afe393b28b8a506d9c772e847972c14781508b4a9a26b3

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
8/19/2018 9:44:19 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Dropper-gen [Drp]
2014.9-151220

ESET NOD32
Win32/HideBaid.N potentially unwanted (variant)
9.12749

Panda Antivirus
Trj/Genetic.gen
15.12.20.12

Rising Antivirus
PE:Malware.RDM.26!5.20 [F]
23.00.65.151218

File size:
184 KB (188,416 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\intel\rs.exe

File PE Metadata
Compilation timestamp:
12/5/2015 2:44:33 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:bljgvw7VCzTCljI1cuWcRLeXa0vA7ft5RlF0KtULsp0:lgwScu7eK0EF5R0sp

Entry address:
0xACAA

Entry point:
55, 8B, EC, 6A, FF, 68, 78, 29, 42, 00, 68, 7C, E0, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, C0, 11, 42, 00, 33, D2, 8A, D4, 89, 15, 2C, DF, 42, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 28, DF, 42, 00, C1, E1, 08, 03, CA, 89, 0D, 24, DF, 42, 00, C1, E8, 10, A3, 20, DF, 42, 00, 6A, 01, E8, F1, 49, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, 52, 2A, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
128 KB (131,072 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Rs

Command:
"C:\Program Files\intel\rs.exe" httC:\down.baidu2016.com\qq\test.txt \start


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to dmpro-ca-01.fooservers.com  (167.114.156.214:80)

Remove rs.exe - Powered by Reason Core Security