tmp9d68.exe

pDParser

The executable tmp9d68.exe has been detected as malware by 14 anti-virus scanners. While running, it connects to the Internet address cache.google.com on port 80 using the HTTP protocol.
Product:
pDParser

Version:
1.00

MD5:
c0033a0380ebd08e54a6d5c16d0e9d8a

SHA-1:
c9f1490d0aef34d74494c609fe51004d5b139b42

SHA-256:
b5005f52075b87aa1bd5b42da19fd8ff380defebfa969fa1cd97ddfc21840d5e

Scanner detections:
14 / 68

Status:
Malware

Analysis date:
4/25/2024 4:52:09 AM UTC

Scan engine             Detection                           Engine version
Lavasoft Ad-Aware       Gen:Trojan.Heur.VB.cm0@dGm1Cxki     789
Avira AntiVirus         TR/VB.Downloader.Gen                7.11.193.162
avast!                  Win32:Dropper-gen [Drp]             2014.9-141208
AVG                     Win32/DH{gQqBEkKBE4EPAA81}          2015.0.3267
Bitdefender             Gen:Trojan.Heur.VB.cm0@dGm1Cxki     1.0.20.1710
ESET NOD32              probably unknown NewHeur_PE         8.10842
F-Secure                Gen:Trojan.Heur.VB.cm0@dGm1Cxki     11.2014-08-12_2
G Data                  Gen:Trojan.Heur.VB.cm0@dGm1Cxki     14.12.24
Kaspersky               Trojan.Win32.Scar                   14.0.0.2828
McAfee                  Artemis!C0033A0380EB                5600.6923
MicroWorld eScan        Gen:Trojan.Heur.VB.cm0@dGm1Cxki     15.0.0.1026
Panda Antivirus         Generic Suspicious                  14.12.08.11
Qihoo 360 Security      HEUR/QVM03.0.Malware.Gen            1.0.0.1015
Trend Micro House Call  TROJ_GEN.R047H09L814                7.2.342

File size:
44 KB (45,056 bytes)

Product version:
1.00

Original file name:
winterd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\application data\microsoft\secure\icons\temp\tmp9d68.exe

File PE Metadata
Compilation timestamp:
12/7/2014 10:31:39 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
384:HFrpUBcNjDvBQHK6dWMEE5JZ7cppMbBey20eaysQG63Awv8WErnt3BTFHK8o3kD5:HlpUBmjDvyHXlEE5z79d31Ud4VHo+US

Entry address:
0x1B74

Entry point:
68, 04, 1D, 40, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 1F, 9A, 33, DB, 70, D9, 6A, 4B, 80, ED, 0D, 76, DC, C5, 57, 13, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 70, 44, 50, 61, 72, 73, 65, 72, 00, 72, 75, 74, 65, 5C, 76, 62, 00, 00, 00, 00, 01, 00, 00, 00, E8, 23, 40, 00, 00, 00, 00, 00, FF, FF, FF, FF, FF, FF, FF, FF, 00, 00, 00, 00, 3C, 24, 40, 00, 08, 90, 40, 00, 04, 00, 00, 00, FC, 1B, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
32 KB (32,768 bytes)

The executing file has been seen to make the following network communications in live environments.


Remove tmp9d68.exe - Powered by Reason Core Security