u1603.exe

Ultrareach Internet Corp.

The application u1603.exe by Ultrareach Internet has been detected as a potentially unwanted program by 2 anti-malware scanners. This is a setup program which is used to install the application. This file is typically installed with the program UsbFix by El Desaparecido. The file has been seen being downloaded from f30.y8top.net and multiple other hosts. While running, it connects to the Internet address server-54-230-150-41.sin2.r.cloudfront.net on port 443.
Publisher:
Ultrareach Internet Corp.  (signed and verified)

MD5:
c92ca9b2e2b5463fe2ada76c7eed1b58

SHA-1:
77fab0ee5ce094d1f465eba9053d425e10c1d199

SHA-256:
b1ee895330ffb1721b35c7ad5eda7ef98e45b494c2c6c73050df78fcd6137232

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/14/2018 12:49:22 PM UTC

Scanner detections (scan engine: detection, engine version):

ESET NOD32: Win32/UltraReach.AG potentially unsafe application (engine version 6.3.12010.0)

Reason Heuristics: Win32.Generic (engine version 17.2.17.13)

File size:
2.5 MB (2,628,920 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/14/2015 12:26:22 PM

Valid to:
1/14/2019 11:26:22 AM

Subject:
CN=Ultrareach Internet Corp., O=Ultrareach Internet Corp., L=Cheyenne, S=Wyoming, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112100B48FCB5938306938B171E279305E27

File PE Metadata
Compilation timestamp:
7/8/2016 6:02:33 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:AeUNXa7zG0CJD7QMJNU/Jk0qAgm9Xu2ctraTo4Yhre1010d2KhkQXFhi+NF:Ae2XkiJHQINIvVgm99c1aTQoow1FhiSF

Entry address:
0x3B6B20

Entry point:
60, BE, 00, 90, 53, 00, 8D, BE, 00, 80, EC, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Entropy:
7.8372

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
2.5 MB (2,613,248 bytes)

The file u1603.exe has been discovered within the following program.

UsbFix  by El Desaparecido
About 8% of users remove it

The file u1603.exe has been seen being distributed by the following 15 URLs.

http://f30.y8top.net/2107tmp/cf/soft/2016/8/ba/.../ultrasurf_1603.exe

http://www.storekm.org/.../Ultrasurf16.03.exe

https://p-def1.pcloud.com/.../u1603.exe

http://f51.x8top.net/2107tmp/cf/soft/2016/8/ba/.../ultrasurf_1603.exe

http://www.storekom.com/download/39286/.../get

https://dl-web.dropbox.com/get/.../U1603.exe

http://bit.do/kavoshgar-u1603

http://ultrasurf.us/.../u.exe

http://f51.y8top.net/2107tmp/cf/soft/2016/8/ba/.../ultrasurf_1603.exe

http://c236.y8top.net/2107tmp/cf/soft/2016/8/ba/.../ultrasurf_1603.exe

http://c236.x8top.net/2107tmp/cf/soft/2016/8/ba/.../ultrasurf_1603.exe

https://wujieupdate.s3.amazonaws.com/.../u.exe

https://s3.amazonaws.com/vp-android/win/.../u1603.exe

https://s3-ap-southeast-1.amazonaws.com/.../u.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-81-61.mia50.r.cloudfront.net  (54.230.81.61:443)

TCP (HTTP SSL):
Connects to server-216-137-63-233.lhr3.r.cloudfront.net  (216.137.63.233:443)

TCP (HTTP SSL):
Connects to server-52-84-25-64.sea32.r.cloudfront.net  (52.84.25.64:443)

TCP (HTTP SSL):
Connects to server-54-230-81-186.mia50.r.cloudfront.net  (54.230.81.186:443)

TCP (HTTP SSL):
Connects to server-54-230-81-153.mia50.r.cloudfront.net  (54.230.81.153:443)

TCP (HTTP SSL):
Connects to server-54-230-51-175.jfk5.r.cloudfront.net  (54.230.51.175:443)

TCP (HTTP SSL):
Connects to any-in-2014.1e100.net  (216.239.32.20:443)

TCP (HTTP SSL):
Connects to server-54-230-242-93.mel50.r.cloudfront.net  (54.230.242.93:443)

TCP (HTTP SSL):
Connects to server-54-230-218-226.mrs50.r.cloudfront.net  (54.230.218.226:443)

TCP (HTTP SSL):
Connects to server-54-230-150-41.sin2.r.cloudfront.net  (54.230.150.41:443)

TCP (HTTP SSL):
Connects to server-54-230-0-77.lhr5.r.cloudfront.net  (54.230.0.77:443)

TCP (HTTP SSL):
Connects to server-54-192-25-92.mxp4.r.cloudfront.net  (54.192.25.92:443)

TCP (HTTP SSL):
Connects to server-54-192-25-28.mxp4.r.cloudfront.net  (54.192.25.28:443)

TCP (HTTP SSL):
Connects to server-54-192-25-241.mxp4.r.cloudfront.net  (54.192.25.241:443)

TCP (HTTP SSL):
Connects to server-52-85-74-89.lhr3.r.cloudfront.net  (52.85.74.89:443)

TCP (HTTP SSL):
Connects to server-52-85-74-55.lhr3.r.cloudfront.net  (52.85.74.55:443)

TCP (HTTP SSL):
Connects to server-216-137-63-133.lhr3.r.cloudfront.net  (216.137.63.133:443)

TCP (HTTP SSL):
Connects to s3-ap-southeast-1.amazonaws.com  (52.219.32.5:443)

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (52.216.0.251:443)

TCP (HTTP):
Connects to ip-172-29-27-3.ec2.internal  (172.29.27.3:80)
