home

sd0uamojw.exe

The application sd0uamojw.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from livestatscounter.com. While running, it connects to the Internet address ch4plpkivs-v01.any.prod.ord1.secureserver.net on port 80 using the HTTP protocol.
MD5:
5c9336efb1faf577655bcd88a444c26b

SHA-1:
3a46124a6a3222a1eb5d3a9212f4c86574a33b30

SHA-256:
f120fd505378e28c64e1057de7aea81f6b346b70d1fd4d0fd23c46e8c9bbd4ba

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
4/24/2024 10:03:16 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.ClickMeIn.2178
9.0.1.0273

Reason Heuristics
Adware.CMI (M)
16.2.19.17

SUPERAntiSpyware
Trojan.Agent/Gen-Downloader
9670

File size:
162 KB (165,898 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\12mvmbse\sd0uamojw.exe

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:AgXdZt9P6D3XJ8M59gvIUepNoVGQFGnuTG/qKrOqGiD/pMIWgWsO0uMzfn:Ae34f59yepNoVGbui/hFD/pMpgWsdDn

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.8549

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file sd0uamojw.exe has been seen being distributed by the following URL.

http://livestatscounter.com/SysInfo/.../timer.php

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-38-178.jfk1.r.cloudfront.net  (54.230.38.178:80)

TCP (HTTP SSL):
Connects to ec2-54-172-56-45.compute-1.amazonaws.com  (54.172.56.45:443)

TCP (HTTP SSL):
Connects to ec2-52-7-39-118.compute-1.amazonaws.com  (52.7.39.118:443)

TCP (HTTP SSL):
Connects to ec2-52-6-160-173.compute-1.amazonaws.com  (52.6.160.173:443)

TCP (HTTP SSL):
Connects to ec2-52-5-145-21.compute-1.amazonaws.com  (52.5.145.21:443)

TCP (HTTP SSL):
Connects to ec2-52-4-85-129.compute-1.amazonaws.com  (52.4.85.129:443)

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

TCP (HTTP):
Connects to ec2-107-21-122-166.compute-1.amazonaws.com  (107.21.122.166:80)

TCP (HTTP):
Connects to ch4plpkivs-v01.any.prod.ord1.secureserver.net  (50.63.243.228:80)

TCP (HTTP):
Connects to c-0001.c-msedge.net  (191.234.4.50:80)

TCP (HTTP):
Connects to a96-6-113-9.deploy.akamaitechnologies.com  (96.6.113.9:80)

TCP (HTTP):
Connects to a23-15-8-234.deploy.static.akamaitechnologies.com  (23.15.8.234:80)

TCP (HTTP):
Connects to a1plpkivs-v03.any.prod.ash1.secureserver.net  (72.167.239.239:80)

TCP (HTTP):
Connects to a184-51-126-154.deploy.static.akamaitechnologies.com  (184.51.126.154:80)

TCP (HTTP):
Connects to a184-51-126-153.deploy.static.akamaitechnologies.com  (184.51.126.153:80)

Remove sd0uamojw.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.