snsxdedb.tmp

The file snsxdedb.tmp has been detected as a potentially unwanted program by 25 anti-malware scanners. The file has been seen being downloaded from 113.171.224.168 and multiple other hosts. While running, it connects to the Internet address dl21.clickmein.com on port 80 using the HTTP protocol.
MD5:
812400977140134b25074657b0c4f06a

SHA-1:
491164fe123db6da6e777864326d6213ad986a78

SHA-256:
d85e079bb67a02139b69ea7fb77c627259c9a00d83c5d51fcb69250c1ce76e39

Scanner detections:
25 / 68

Status:
Potentially unwanted

Analysis date:
4/27/2024 2:57:59 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.2512006 | 564
Agnitum Outpost | PUA.ConvertAd | 7.1.1
Avira AntiVirus | TR/Rogue.120832.62 | 8.3.1.6
Arcabit | Trojan.Generic.D265486 | 1.0.0.425
avast! | Win32:Rootkit-gen [Rtk] | 2014.9-150721
AVG | Crypt_r | 2016.0.3042
Bitdefender | Trojan.GenericKD.2512006 | 1.0.20.1010
Dr.Web | Adware.ClickMeIn.1838 | 9.0.1.0202
Emsisoft Anti-Malware | Trojan.GenericKD.2512006 | 8.15.07.21.11
ESET NOD32 | Win32/Adware.ConvertAd.UC | 9.11971
Fortinet FortiGate | Riskware/ConvertAd | 7/21/2015
F-Secure | Trojan.GenericKD.2512006 | 11.2015-21-07_3
G Data | Trojan.GenericKD.2512006 | 15.7.25
IKARUS anti.virus | Trojan.Crypt | t3scan.1.9.5.0
K7 AntiVirus | Adware | 13.207.16622
Kaspersky | UDS:DangerousObject.Multi.Generic | 14.0.0.1703
McAfee | Artemis!812400977140 | 5600.6698
MicroWorld eScan | Trojan.GenericKD.2512006 | 16.0.0.606
NANO AntiVirus | Riskware.Win32.ClickMeIn.dtmetp | 0.30.24.2487
nProtect | Trojan.GenericKD.2512006 | 15.07.20.01
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015
Reason Heuristics | Threat.Win.Reputation.IMP | 15.8.21.23
VIPRE Antivirus | Trojan.Win32.Generic | 42190
ViRobot | Trojan.Win32.S.Agent.120832.FR[h] | 2014.3.20.0
Zillya! Antivirus | Adware.ConvertAd.Win32.1351 | 2.0.0.2303

File size:
118 KB (120,832 bytes)

Common path:
C:\users\{user}\appdata\local\4c4c4544-1435162034-3310-8035-c4c04f534e31\snsxdedb.tmp

File PE Metadata
Compilation timestamp:
6/24/2015 10:28:03 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:ml0uCCSD6ygeuw0idt1xGX36mpOM7mfADnT:mUCSmyEwxnxGX5pt7nDn

Entry address:
0x967B

Entry point:
E8, 9E, 4F, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 30, 62, 41, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 88, 60, 41, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 8B, 55, 08, 56, 57, 85, D2, 74, 07, 8B, 7D, 0C, 85, FF, 75, 13, E8, 56, 03, 00, 00, 6A, 16, 5E, 89, 30, E8, E0, 17, 00, 00, 8B, C6, EB, 33, 8B, 45...

Entropy:
6.3927

Code size:
83.5 KB (85,504 bytes)

The file snsxdedb.tmp has been observed being distributed from the following 5 URLs.

http://113.171.224.168/.../SU_Srv.exe

http://113.171.224.203/.../SU_Srv.exe

http://113.171.224.206/.../SU_Srv.exe

http://113.171.224.170/.../SU_Srv.exe

The executing file has been observed making the following network communications in live environments.

TCP (HTTP): dl21.clickmein.com (216.227.128.186:80)
TCP (HTTP): dl19.clickmein.com (50.7.184.162:80)
TCP (HTTP): dl16.clickmein.com (50.7.99.2:80)
TCP (HTTP): dl9.clickmein.com (50.7.241.202:80)
TCP (HTTP): dl23.clickmein.com (50.7.74.18:80)
TCP (HTTP): dl22.clickmein.com (216.227.128.162:80)
TCP (HTTP): dl20.clickmein.com (50.7.184.170:80)
TCP (HTTP): dl12.clickmein.com (50.7.133.50:80)