topsadon1c.exe

neomedia

The application topsadon1c.exe by neomedia has been detected as a potentially unwanted program by 3 anti-malware scanners. It is set to execute automatically whenever any user logs into Windows (through the Run registry key) under the name 'topsadonc'. The file has been seen being downloaded from down1.topsadon1.com.
Publisher:
neomedia (signed and verified)

MD5:
2dffef8c489d5267a49ca67e47315dab

SHA-1:
371c174128cb30ad3882c7677bdb542047b03bd7

SHA-256:
a0dc255e9ae00fe76c7e76639eb3030daccc0cceda611892963562dee91c3a82

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
6/20/2018 6:21:52 PM UTC

Scan engine          Detection                                 Engine version
ESET NOD32           Win32/AdWare.KeywordFind.D application    6.3.12010.0
F-Prot               W32/Themida_Packed                        4.6.5.141
Reason Heuristics    Adware.Neomedia (M)                       16.11.2.23

File size:
1.2 MB (1,295,080 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/25/2016 9:00:00 AM

Valid to:
1/25/2017 8:59:59 AM

Subject:
CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata
Compilation timestamp:
10/9/2016 10:59:28 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:bUgLPXfDHoT3Tm91zJ+w61zW/RuGDzSt2Hi:bPLff0XO3C89zW

Entry address:
0x2B1000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, F0, 0F, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 30, 1D, E4, 29, 68, 7C, C7, AD, 7A, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.0187

Code size:
418.5 KB (428,544 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
topsadonc

Command:
"C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe"

The file topsadon1c.exe has been seen being distributed from the following URL.

http://down1.topsadon1.com/.../topsadon1c.exe

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to i0-h0-s39.p59-icn.cdngp.net (14.0.67.86:80)

TCP (HTTP):
Connects to i0-h0-s35.p59-icn.cdngp.net (14.0.67.53:80)

TCP (HTTP):
Connects to i0-h0-s40.p59-icn.cdngp.net (14.0.67.87:80)

TCP (HTTP):
Connects to i0-h0-s36.p59-icn.cdngp.net (14.0.67.54:80)

TCP (HTTP):
Connects to i0-h0-s1693.p59-icn.cdngp.net (14.0.77.205:80)

TCP (HTTP):
Connects to i0-h0-s1687.p59-icn.cdngp.net (14.0.77.143:80)

Powered by Reason Core Security