tools_update.exe

世元 何

The application tools_update.exe by 世元 何 has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in.
Publisher:
世元 何  (signed and verified)

MD5:
6acd0f18a9ba4215a45844a0d4648a1e

SHA-1:
20f9f5b78fba8fa34e9799c39f8bc98f9ea3ed78

SHA-256:
c1e6d18a8cc0120ad09b5588a143b0fa5fb3ecc19b7a9d390cbcedfaac2ffd20

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/12/2017 7:20:57 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Mzip (M)

Engine version:
16.11.11.1

File size:
1017.1 KB (1,041,512 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\tools\update\tools_update.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
5/3/2016 9:00:00 PM

Valid to:
5/4/2017 8:59:59 PM

Subject:
CN=世元 何, OU=Individual Developer, O=No Organization Affiliation, L=重庆, S=重庆, C=CN

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
70F6347DB1CBD91C6E2ECAA87711C6FF

File PE Metadata
Compilation timestamp:
6/1/2016 4:02:27 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:prSe+v5Sd3OJHBWRxE+Y36O+QUFls9cVvVa8R3O:pmv5uNbFlpa8R3O

Entry address:
0x9873A

Entry point:
E8, 65, 0B, 01, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 53, 8B, 5D, 08, 56, 57, 33, FF, 39, 7D, 14, 75, 10, 3B, DF, 75, 10, 39, 7D, 0C, 75, 12, 33, C0, 5F, 5E, 5B, C9, C3, 3B, DF, 74, 07, 8B, 4D, 0C, 3B, CF, 77, 1B, E8, D0, 0A, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 25, D8, FF, FF, 83, C4, 14, 8B, C6, EB, D5, 8B, 55, 10, 39, 7D, 14, 74, 0B, 3B, D7, 75, 07, 33, C0, 66, 89, 03, EB, D2, 6A, 02, 8B, C3, 89, 4D, FC, 5E, 66, 39, 38, 74, 07, 03, C6, FF, 4D, FC, 75, F4, 39, 7D, FC, 74, E0, 83...

Code size:
772.5 KB (791,040 bytes)

Scheduled Task
Task name:
Tools_Update_{CFAC34AB-5DB5-4dea-94EC-1D42E3942873}

Trigger:
Logon (Runs on logon)

Description:
Tools update check when system start. It will automatically unload if there is no Tools soft.


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-205-194-174.compute-1.amazonaws.com  (52.205.194.174:80)

TCP (HTTP):
Connects to ec2-52-200-155-121.compute-1.amazonaws.com  (52.200.155.121:80)

TCP (HTTP):
Connects to ec2-54-71-99-84.us-west-2.compute.amazonaws.com  (54.71.99.84:80)

TCP (HTTP):
Connects to ec2-34-192-86-237.compute-1.amazonaws.com  (34.192.86.237:80)

TCP (HTTP):
Connects to ec2-34-192-147-223.compute-1.amazonaws.com  (34.192.147.223:80)

Remove tools_update.exe - Powered by Reason Core Security