» u1601.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (1)
Network (2)

u1601.exe

Ultrareach Internet Corp.

The application u1601.exe by Ultrareach Internet has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. This executable runs as a local area network (LAN) Internet proxy server listening on port 9666 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. The file has been seen being downloaded from s3-ap-southeast-1.amazonaws.com.

File name:

u1601.exe

Publisher:

Ultrareach Internet Corp. (signed and verified)

MD5:

33a0d53c4d22b84d399ae7d4ae2a866c

SHA-1:

fbb522a95028e37c931ad48981fdf821c4755d32

SHA-256:

8d2978f685e42d578f03b465532da1f3dd8602efe21e94905ad80a8f41d23f34

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

4/29/2024 6:00:45 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Win32.Generic

16.7.2.3

File size:

2.5 MB (2,597,688 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\u1601.exe

Digital Signature

Signed by:

Ultrareach Internet Corp.

Authority:

GlobalSign nv-sa

Valid from:

10/15/2015 12:26:22 AM

Valid to:

1/15/2019 12:26:22 AM

Subject:

CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=Wyoming, C=US

Issuer:

CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:

112100B48FCB5938306938B171E279305E27

File PE Metadata

Compilation timestamp:

7/1/2016 2:54:30 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

49152:iY6vfRJpi0WSr9tTEtB0HFxVXHS0RM/LwA0hRwk+HplOy+IHJ9E5/oFVvv8f5tZf:/2JJsSJit2HhXHSz/LHK7+/Oyg5/oFVW

Entry address:

0x3B5120

Entry point:

60, BE, 00, F0, 53, 00, 8D, BE, 00, 20, EC, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89... 
[+]

Entropy:

7.8386

Packer / compiler:

UPX 2.90LZMA

Code size:

2.5 MB (2,584,576 bytes)

Local Proxy Server

Proxy for:

Internet Settings

Local host address:

http://127.0.0.1:9666/

Local host port:

9666

Default credentials:

The file u1601.exe has been seen being distributed by the following URL.

https://s3-ap-southeast-1.amazonaws.com/.../u.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to server-54-230-187-227.cdg51.r.cloudfront.net (54.230.187.227:443)

TCP (HTTP SSL):

Connects to any-in-2678.1e100.net (216.239.38.120:443)

Remove u1601.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.