home

u1301.exe

Ultrareach Internet Corp.

The application u1301.exe by Ultrareach Internet has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a setup program which is used to install the application. This executable runs as a local area network (LAN) Internet proxy server listening on port 9666 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. The file has been seen being downloaded from docs.google.com and multiple other hosts. While running, it connects to the Internet address 63-249-171-22.static.dal01.corespace.com on port 443.
Publisher:
Ultrareach Internet Corp.  (signed and verified)

MD5:
e1a49c030ca2f679b70d92ec3637bf1e

SHA-1:
5084a35f359b1d9dee0fc57096a9ba9c91d93fec

SHA-256:
6ab19b62e029c988df13b507347021eb8e7483b10b0664b2cab30b1b85657f24

Scanner detections:
9 / 68

Status:
Potentially unwanted

Analysis date:
4/23/2024 6:26:24 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clodc9a.Trojan
1.3.0.4959

Dr.Web
Tool.UltraSurf.8
9.0.1.0104

ESET NOD32
Win32/UltraReach.AF
7.9185

K7 AntiVirus
Unwanted-Program
13.174.10548

Kaspersky
not-a-virus:NetTool.Win32.UltraSurf
14.0.0.4019

NANO AntiVirus
Riskware.Win32.UltraSurf.cumkjv
0.28.0.59048

Reason Heuristics
PUP.Optional.UltrareachInternetCorp.F
14.3.1.6

Trend Micro House Call
HKTL_PROXSURF
7.2.352

Trend Micro
HKTL_PROXSURF
10.465.18

File size:
1.9 MB (2,000,488 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\u1301.exe

Digital Signature
Signed by:
Ultrareach Internet Corp.

Authority:
GlobalSign nv-sa

Valid from:
12/6/2012 4:33:59 AM

Valid to:
1/11/2016 10:34:39 PM

Subject:
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=WY, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C51978F0ED636CA3C5B5C4D33D022C10

File PE Metadata
Compilation timestamp:
3/27/2013 11:44:28 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:RwLOB/CoP4JwOHRLJ2LGimZHbK5I/XSsohmfCbh:R010QHRLUL445I/XVCbh

Entry address:
0x7E1000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, 30, 11, 00, 2D, 7F, CF, 09, 10, 05, 74, CF, 09, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 6E, 9F, CD, 2A, 68, 36, 62, 5D, 2D, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, FB, 21, 32, 77, C7, D0, C8, 9A, F4, 14, B1, A8, 76, A7...
 
[+]

Entropy:
7.9071  (probably packed)

Code size:
596 KB (610,304 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:9666/

Local host port:
9666

Default credentials:
No


8 Windows Firewall Allowed Programs
Name:
C:\Documents and Settings\jesus\Desktop\u1301.exe

Name:
C:\Documents and Settings\khodaie\Desktop\optimize\u1301.exe

Name:
D:\u\u1301.exe

Name:
C:\Documents and Settings\Administrator\My Documents\Downloads\u1301.exe

Name:
C:\Documents and Settings\dowdy\Desktop\u1301.exe

Name:
D:\Downloads\UltraSurf\U1301.exe


The file u1301.exe has been seen being distributed by the following 11 URLs.

https://docs.google.com/uc?id=0ByCftcgIGYQpSnM5SjBRSUVvalE&export=download

http://s4.picofile.com/d/.../Ultra_Surf_1301_Mega_Games1.exe

https://mg.mail.yahoo.com/ya/.../C9wEkSpOI&fid=Sent&pid=2&clean=0&appid=YahooMailNeo

http://s4.picofile.com/d/.../Ultra_Surf_1301_Mega_Games1.exe

http://115.146.127.187/Data/Soft/Free/.../Ultrasurf1301.exe

http://download2.rada.vn/Data/Soft/Free/.../Ultrasurf1301.exe

http://dc495.4shared.com/download/.../u1301.exe

http://www.upf.co.il/downloadnew/file/.../6948f1e2531d783cf9256d04b9b12667_MTQ0NTgxNzg5NA==

http://d5.sevas-s.com/.../u1301.exe

http://installs.sevas-s.com/.../u1301.exe&u={DABB0012-EA51-447E-BD93-E0C72EB0468E}

http://wujieliulan.com/.../u1301.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (52.216.225.203:443)

TCP (HTTP SSL):
Connects to host50.veryinvestment.com  (89.144.4.74:443)

TCP (HTTP SSL):
Connects to grokhawthorn.com  (199.114.221.19:443)

TCP (HTTP):
Connects to fra02s21-in-f17.1e100.net  (173.194.113.81:80)

TCP (HTTP SSL):
Connects to eupdate.dnb.com  (159.137.146.39:443)

TCP (HTTP):
Connects to any-in-2678.1e100.net  (216.239.38.120:80)

TCP (HTTP):
Connects to a23-54-235-27.deploy.static.akamaitechnologies.com  (23.54.235.27:80)

TCP (HTTP SSL):
Connects to 66-221-249-16.static.dal01.corespace.com  (66.221.249.16:443)

TCP (HTTP SSL):
Connects to 66.34.138-35.static.dal01.corespace.com  (66.34.138.35:443)

TCP (HTTP SSL):
Connects to 63-249-229-119.static.dal01.corespace.com  (63.249.229.119:443)

TCP (HTTP SSL):
Connects to 63-249-191-28.static.dal01.corespace.com  (63.249.191.28:443)

TCP (HTTP SSL):
Connects to 63-249-171-22.static.dal01.corespace.com  (63.249.171.22:443)

TCP (HTTP SSL):
Connects to 209-164-106-38.static.dal01.corespace.com  (209.164.106.38:443)

Remove u1301.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.