topsadon1c.exe

neomedia

The application topsadon1c.exe by neomedia has been detected as a potentially unwanted program by 3 anti-malware scanners. It is configured to execute automatically whenever a user logs into Windows (through the local user Run registry setting) under the name ‘topsadonc’. The file has been seen being downloaded from down1.topsadon1.com. While running, it connects to the Internet address i0-h0-s2009.p59-icn.cdngp.net on port 80 using the HTTP protocol.
Publisher:
neomedia  (signed and verified)

MD5:
7f149e8e194963d7a28e14a36e012756

SHA-1:
97aaace8e95122bcff00eebe7f586551e7e07baa

SHA-256:
975d45a15bb6528469d1648ad17bb8e88366849abc909e69c41cd6406d477fc3

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
8/16/2018 11:27:49 AM UTC

Scan engine     Detection                                 Engine version
ESET NOD32      Win32/AdWare.KeywordFind.D application    6.3
F-Prot          W32/Themida_Packed                        4.6.5.141
McAfee          Trojan.Artemis!7F149E8E1949               18.0.204.0

File size:
993.2 KB (1,017,064 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/25/2016 9:00:00 AM

Valid to:
1/25/2017 8:59:59 AM

Subject:
CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata
Compilation timestamp:
8/9/2016 8:13:48 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:PAL2+ZU2NZJTJgK3N4CE2AZ3mdRFw1ogCi/Xd1LcsiP1:YL2YbzqK3aCvAYRFCogCiDlid

Entry address:
0x229000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, B0, 0B, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, C0, 9B, A7, 3D, 68, F6, 08, 57, 71, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.5790

Code size:
418.5 KB (428,544 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
topsadonc

Command:
"C:\users\{user}\appdata\roaming\topsadon\topsadon1c.exe"


The file topsadon1c.exe has been seen being distributed from the following URL.

http://down1.topsadon1.com/.../topsadon1c.exe

While executing, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to i0-h0-s343.p59-icn.cdngp.net  (14.0.70.137:80)

TCP (HTTP):
Connects to i0-h0-s2009.p59-icn.cdngp.net  (61.110.225.89:80)

Powered by Reason Core Security