home

topsadon1c.exe

neomedia

The application topsadon1c.exe by neomedia has been detected as a potentially unwanted program by 3 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘topsadonc’. The file has been seen being downloaded from down1.topsadon1.com. While running, it connects to the Internet address i0-h0-s2009.p59-icn.cdngp.net on port 80 using the HTTP protocol.
Publisher:
neomedia  (signed and verified)

MD5:
7f149e8e194963d7a28e14a36e012756

SHA-1:
97aaace8e95122bcff00eebe7f586551e7e07baa

SHA-256:
975d45a15bb6528469d1648ad17bb8e88366849abc909e69c41cd6406d477fc3

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
4/19/2024 4:29:51 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/AdWare.KeywordFind.D application
6.3

F-Prot
W32/Themida_Packed
4.6.5.141

McAfee
Trojan.Artemis!7F149E8E1949
18.0.204.0

File size:
993.2 KB (1,017,064 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe

Digital Signature
Signed by:
neomedia

Authority:
thawte, Inc.

Valid from:
1/25/2016 9:00:00 AM

Valid to:
1/25/2017 8:59:59 AM

Subject:
CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata
Compilation timestamp:
8/9/2016 8:13:48 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:PAL2+ZU2NZJTJgK3N4CE2AZ3mdRFw1ogCi/Xd1LcsiP1:YL2YbzqK3aCvAYRFCogCiDlid

Entry address:
0x229000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, B0, 0B, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, C0, 9B, A7, 3D, 68, F6, 08, 57, 71, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.5790

Code size:
418.5 KB (428,544 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
topsadonc

Command:
"C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe"


The file topsadon1c.exe has been seen being distributed by the following URL.

http://down1.topsadon1.com/.../topsadon1c.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to i0-h0-s343.p59-icn.cdngp.net  (14.0.70.137:80)

TCP (HTTP):
Connects to ec2-52-78-199-68.ap-northeast-2.compute.amazonaws.com  (52.78.199.68:80)

TCP (HTTP):
Connects to i0-h0-s2009.p59-icn.cdngp.net  (61.110.225.89:80)

TCP (HTTP):
Connects to ec2-52-78-189-156.ap-northeast-2.compute.amazonaws.com  (52.78.189.156:80)

Remove topsadon1c.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.