u1303.exe

Ultrareach Internet Corp.

The application u1303.exe by Ultrareach Internet has been detected as a potentially unwanted program by 4 anti-malware scanners. This is a setup program which is used to install the application. It runs as a scheduled task under the Windows Task Scheduler. This executable runs as a local area network (LAN) Internet proxy server listening on port 9666 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. The file has been seen being downloaded from dl-mail.ymail.com and multiple other hosts.
Publisher:
Ultrareach Internet Corp.  (signed and verified)

MD5:
aa6d2272617597069417744260e17ff7

SHA-1:
db8163ab027d9d0aab9caf13b1d24cb647e755b3

SHA-256:
9060f8f19d46a256fd2d67d8222956a3d6df427ce77732e0136810df0106a7a5

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
4/26/2024 3:39:35 AM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
Unwanted/Win32.HackTool
2013.12.18

ESET NOD32
Win32/UltraReach
7.9184

Reason Heuristics
PUP.Optional.UltrareachInternetCorp.F
14.3.1.6

XVirus List
Win.Detected
2.3.31

File size:
1.9 MB (2,004,704 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\u1303.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/6/2012 4:33:59 AM

Valid to:
1/11/2016 10:34:39 PM

Subject:
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=WY, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C51978F0ED636CA3C5B5C4D33D022C10

File PE Metadata
Compilation timestamp:
11/17/2013 10:11:55 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:v81BMu+VwGSrICIhST8tRb14k8pQd0xbZRFscvezu:DbGECWGWRj50xFLezu

Entry address:
0x81A000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, 70, 0D, 00, 2D, 8F, 8E, 0A, 10, 05, 84, 8E, 0A, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, F2, 2C, 01, 23, 68, DF, 6D, 5E, 1D, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, 98, FE, 6B, 67, 1A, 45, 12, 3A, 87, AC, 17, 5A, 6B, 72...

Entropy:
7.9398  (probably packed)

Code size:
936 KB (958,464 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:9666/

Local host port:
9666

Default credentials:
No


Scheduled Task
Task name:
{3E02E3E8-B351-45A3-A45E-4A3070513374}

Trigger:
Registration (Runs on registration)


2 Windows Firewall Allowed Programs
Name:
D:\Documents and Settings\backup\Desktop\u1303.exe

Name:
G:\captain\pendrive\SOFTWARE\pops\U1303.exe


The file u1303.exe has been seen being distributed by the following 3 URLs.

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-IyUQAW8LlhwR7iqLWIuMHmBeGar8wsbE4QvxKuieEUcjTRuMMx4nrzOvwpnKXMWgyqtsdt-jko-uK0ko8KHOrw/messages/@.id==AObkimIAAB21UuiP6QAAALvUhbQ/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBawHplqcK1cnkKOw37rQY_md9fvishZ-sucP5eqMNbqu_d4s7njuFlmv25KUXKuEYfoXrvqWXAmKM0cYz1HHvee&error=https://mg.mail.yahoo.com/.../iframemsg?id=25a6c4f3-c9be-84c3-1bed-a6611648c4ef&ymreqid=1b7bfc59-705d-3c21-01a7-640020010000

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to wg-in-f141.1e100.net  (173.194.78.141:443)

TCP (HTTP SSL):
Connects to scoperan.net  (95.143.46.232:443)

TCP (HTTP SSL):
Connects to sa-in-f141.1e100.net  (74.125.200.141:443)

TCP (HTTP SSL):
Connects to s3-ap-southeast-1.amazonaws.com  (203.83.220.68:443)

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (54.231.121.10:443)

TCP (HTTP SSL):
Connects to lhr14s19-in-f21.1e100.net  (173.194.34.85:443)

TCP (HTTP SSL):
Connects to lhr14s19-in-f0.1e100.net  (173.194.34.64:443)

TCP (HTTP SSL):
Connects to lhr08s04-in-f17.1e100.net  (173.194.41.177:443)

Remove u1303.exe - Powered by Reason Core Security