uplus.exe

LoadMoneyWebSite

The executable uplus.exe has been detected as malware by 25 anti-virus scanners. While running, it connects to the Internet address cache.google.com on port 80 using the HTTP protocol.
Product:
LoadMoneyWebSite

Version:
1.0.0.0

MD5:
12d8229e91470340ca55c80ba197896c

SHA-1:
edebe16daedd33fa8251c2a2be0ac7712e12a876

SHA-256:
c04a0de4a5024e13b6bdb36cb24a3ddc827a2080ec83417882532edcffd52db3

Scanner detections:
25 / 68

Status:
Malware

Analysis date:
5/29/2020 6:21:15 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.267697
463

AegisLab AV Signature
Troj.Drop.Agent.NFB
2.1.4+

Agnitum Outpost
Trojan.Agent
7.1.1

Avira AntiVirus
TR/ATRAPS.Gen
8.3.2.2

Arcabit
Trojan.Kazy.D415B1
1.0.0.526

avast!
Win32:Dropper-NFB [Drp]
2014.9-151030

AVG
Inject2
2016.0.2941

Baidu Antivirus
Trojan.MSIL.TrojanClicker
4.0.3.151030

Bitdefender
Gen:Variant.Kazy.267697
1.0.20.1515

Comodo Security
UnclassifiedMalware
23226

Emsisoft Anti-Malware
Gen:Variant.Kazy.267697
8.15.10.30.11

ESET NOD32
MSIL/TrojanClicker.NCC (variant)
9.12244

F-Secure
Gen:Variant.Kazy.267697
11.2015-30-10_6

G Data
Gen:Variant.Kazy.267697
15.10.25

IKARUS anti.virus
Trojan.SuspectCRC
t3scan.1.9.5.0

McAfee
Artemis!12D8229E9147
5600.6597

MicroWorld eScan
Gen:Variant.Kazy.267697
16.0.0.909

NANO AntiVirus
Trojan.Win32.ATRAPS.durrrp
0.30.24.3283

Panda Antivirus
Generic Malware
15.10.30.11

Qihoo 360 Security
Win32/Trojan.55b
1.0.0.1015

Sophos
Mal/Generic-S
4.98

Trend Micro House Call
TROJ_SPNR.32HB13
7.2.303

Trend Micro
TROJ_SPNR.32HB13
10.465.30

VIPRE Antivirus
Trojan.Win32.Clicker
43716

Zillya! Antivirus
Trojan.NCC.Win32.2
2.0.0.2396

File size:
22 KB (22,528 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
LoadMoneyWebSite.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\adobe\uplus.exe

File PE Metadata
Compilation timestamp:
6/23/2013 4:40:33 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:S7TxTVj3JIPPgom4O4UvqEci0Pm/WUbttKJ0lXDtNY9KTW9tZH/rYyCkb0V0R:ix93JQIj4O4UvVci0PGteKTaTrCkMw

Entry address:
0x6E06

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
20 KB (20,480 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to lb-182-241.above.com  (103.224.182.241:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.90:80)

TCP (HTTP):
Connects to cache.google.com  (195.64.213.46:80)

TCP (HTTP):
Connects to vip1.g5.cachefly.net  (205.234.175.175:80)

Remove uplus.exe - Powered by Reason Core Security