update.exe

PangYa Updater

The executable update.exe, whose file description reads “Ntreev Soft Co., Ltd.”, has been detected as malware by 4 anti-virus scanners. While running, it connects to the Internet address mx-ll-110.164.128-82.static.3bb.co.th on port 80 using the HTTP protocol.
Product:
PangYa Updater

Description:
Ntreev Soft Co., Ltd.

Version:
2.00

MD5:
dec161bfd5b0807847491626f045c294

SHA-1:
b64f094325569f5ee20fe001b0fff64e5665bae5

SHA-256:
37e1928c951556514108bd3b0bd1dfb6f5fd0a3f385b05eed78ee36d19cc5efc

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
5/22/2024 3:30:48 PM UTC

Scan engine: Detection (Engine version)

Avira AntiVirus: W32/Sality.AG (7.11.30.172)

Dr.Web: Trojan.DownLoader13.2018 (9.0.1.05190)

McAfee: Artemis!DEC161BFD5B0 (5600.6734)

Trend Micro House Call: Suspicious_GEN.F47V0508 (7.2.166)

File size:
3.5 MB (3,700,224 bytes)

Product version:
2.00

Copyright:
Copyright ⓒ 2006 Ntreev Soft Co., Ltd.

Original file name:
PangYa Update.exe

File type:
Executable application (Win32 EXE)

Language:
Korean (Korea)

Common path:
C:\Program Files\ntreevsoft\pangya_th\update.exe

File PE Metadata
Compilation timestamp:
12/4/2014 4:25:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
98304:yadkiS5yD91KuEMztA0mRnugiNAs3Mjt5mUHO02Kf+UOkCv:o5yDG09XamUWKf+UnC

Entry address:
0x12A79B

Entry point:
E8, 15, 16, 01, 00, E9, 89, FE, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 4C, 67, 5A, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 4C, 67, 5A, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B...

Entropy:
5.6192

Code size:
1.3 MB (1,381,376 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mx-ll-110.164.128-83.static.3bb.co.th  (110.164.128.83:80)

TCP (HTTP):
Connects to mx-ll-110.164.128-82.static.3bb.co.th  (110.164.128.82:80)

TCP (HTTP):
Connects to server-52-85-77-170.lax3.r.cloudfront.net  (52.85.77.170:80)

TCP (HTTP SSL):
Connects to s19772378.onlinehome-server.info  (87.106.18.237:443)

Remove update.exe - Powered by Reason Core Security