sig54bd.tmp

The file sig54bd.tmp has been detected as malware by 12 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. This is the uninstaller utility registered in the Windows Control Panel for the program Search Provided by Yahoo.
MD5:
807888e3abd17792f98d745f05b5d4f7

SHA-1:
93a77fb585a4728550dff9810eb6ebc2ef580130

SHA-256:
25050eff4e853e78ce805b43b3583eb1d15d310b4857ac5c9e4bf569ecc1a0c4

Scanner detections:
12 / 68

Status:
Malware

Analysis date:
4/24/2024 6:31:52 AM UTC

Scan engine              Detection                            Engine version
Lavasoft Ad-Aware        Gen:Variant.Strictor.122444          -29
AegisLab AV Signature    Gen.Variant.Strictor!c               2.1.4+
Arcabit                  Trojan.Strictor.D1DE4C               1.0.0.795
Bitdefender              Gen:Variant.Strictor.122444          1.0.20.315
Emsisoft Anti-Malware    Gen:Variant.Strictor.122444          8.17.03.04.07
F-Secure                 Variant.Strictor.122444              5.16.24
G Data                   Gen:Variant.Strictor.122444          17.3.25
McAfee                   PUP-FPD                              5600.6105
MicroWorld eScan         Gen:Variant.Strictor.122444          18.0.0.189
Panda Antivirus          Trj/GdSda.A                          17.03.04.07
Qihoo 360 Security       HEUR/QVM05.1.0000.Malware.Gen        1.0.0.1120
Rising Antivirus         Malware.Heuristic!ET#91% (rdm+)      23.00.65.17302

File size:
2.3 MB (2,378,752 bytes)

Common path:
C:\windows\temp\sig54bd.tmp

File PE Metadata
Compilation timestamp:
5/8/2016 10:34:08 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x20B3B8

Entry point:
55, 8B, EC, 83, C4, F0, B8, B8, 2B, 60, 00, E8, 74, 2A, E0, FF, A1, 00, 0E, 61, 00, 8B, 00, E8, 5C, 37, FC, FF, 8B, 0D, F8, 0E, 61, 00, A1, 00, 0E, 61, 00, 8B, 00, 8B, 15, 7C, 71, 5D, 00, E8, 5C, 37, FC, FF, A1, 00, 0E, 61, 00, 8B, 00, E8, AC, 38, FC, FF, E8, 13, DB, DF, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 32, 13, 00, 00, 00, 19, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.7394

Developed / compiled with:
Microsoft Visual C++

Code size:
2 MB (2,135,552 bytes)

Program Uninstaller
Program name:
Search Provided by Yahoo

Uninstall string:
"C:\users\{user}\appdata\local\{876ab136-a3c2-dd8e-ce5a-f866ea3204fe}\uninstall.exe" \uninstall \s \noun \delselfdir


Scheduled Task
Task name:
{3D8967E9-1A17-4D01-8588-4DD689A412BA}

Trigger:
Daily (Runs daily at 13:27)


The executing file has been seen to make the following network communications in live environments.


Remove sig54bd.tmp - Powered by Reason Core Security