screensaverpro.scr

Sunce

House

The file screensaverpro.scr has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Screen Saver Pro 3.1’. While running, it connects to the Internet address 217-160-0-39.elastic-ssl.ui-r.com on port 80 using the HTTP protocol.
Publisher:
House

Product:
Sunce

Description:
Marko

Version:
1, 3, 4, 7

MD5:
fb7f86fe1b7cba46bbff3081bd0b7dd4

SHA-1:
7dcd8b2d48d1a75f0db754e3af48cb9aef11ed08

SHA-256:
da05422a15a79d777c3e67483daaea104c893445d2be83a74af123c29a811911

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/27/2024 7:52:51 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.SCRNSaverPro (M)

Engine version:
17.2.3.15

File size:
351 KB (359,424 bytes)

Product version:
3, 0, 0, 0

Copyright:
Copyright Mamuze© 2013

Trademarks:
Fioka©

Original file name:
Voda.exe

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\screensaverpro.scr

File PE Metadata
Compilation timestamp:
4/13/2013 5:05:59 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x2C20

Entry point:
60, E8, 00, 00, 00, 00, 5D, 0F, AF, F8, 8D, 0D, 42, E3, C2, D6, F6, C5, 42, 30, DB, 80, EC, 0B, 46, FE, CC, 81, C5, 5F, 79, 04, 00, 49, 80, F6, 52, 81, ED, 7E, 0F, 00, 00, 55, F7, C5, B5, 3C, 4B, 93, C3, FF, C7, 45, EC, 72, 00, 00, 00, 68, 28, 46, 40, 00, 6A, 00, 6A, 00, 68, A0, 24, 40, 00, 6A, 00, 6A, 00, FF, 15, EC, 43, 40, 00, A3, F8, 43, 40, 00, C7, 45, F8, 37, 00, 00, 00, 6A, FF, A1, F8, 43, 40, 00, 50, FF, 15, 2C, 46, 40, 00, 33, C0, 8B, E5, 5D, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.7983

Packer / compiler:
ASPack v1.08.04

Code size:
7.5 KB (7,680 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Screen Saver Pro 3.1

Command:
C:\users\{user}\appdata\roaming\screensaverpro.scr


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to scirocco.icertified.net (205.196.16.16:80)

TCP (HTTP):
Connects to sv2.byethost2.org (31.22.4.140:80)

TCP (HTTP):
Connects to sadira.avaruus.net (178.251.153.37:80)

TCP (HTTP):
Connects to box383.bluehost.com (69.89.31.183:80)

TCP (HTTP):
Connects to 217-160-0-4.elastic-ssl.ui-r.com (217.160.0.4:80)

TCP (HTTP):
Connects to 217-160-0-39.elastic-ssl.ui-r.com (217.160.0.39:80)

TCP (HTTP):
Connects to box361.bluehost.com (69.89.31.161:80)

TCP (HTTP):
Connects to cluster-ssl.webshopapp.com (87.250.130.135:80)

Remove screensaverpro.scr - Powered by Reason Core Security