urr.exe

The application urr.exe has been detected as a potentially unwanted program by 26 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user Run registry key under the display name ‘URR Start’. According to the detections, it has been classified as a keylogger, which is capable of recording a user's keystrokes. While running, it connects to the Internet address 23-252-121-155.static.webnx.com on port 21.
MD5:
1d32291ecfd28f36eeb427e5055ab319

SHA-1:
c10b5fbfd0c1672f3cd84fc5c2454e1063c47ebe

SHA-256:
6c62358b47d09da172053b103270eab1a5a5377bac7d8dc95adea61263b9830f

Scanner detections:
26 / 68

Status:
Potentially unwanted

Analysis date:
5/17/2024 6:12:24 AM UTC

Scan engine           | Detection                                 | Engine version
AhnLab V3 Security    | Trojan/Win32.KeyLogger                    | 2015.11.17
Avira AntiVirus       | SPR/Tool.Monitor.Gen                      | 8.3.2.2
Arcabit               | Trojan.Mikey.D56B3                        | 1.0.0.597
avast!                | Win32:Ardamax-RO [PUP]                    | 2014.9-151123
AVG                   | Ardamax                                   | 2016.0.2917
Baidu Antivirus       | Trojan.Win32.Ardamax                      | 4.0.3.151123
Bitdefender           | Gen:Variant.Mikey.22195                   | 1.0.20.1635
Comodo Security       | TrojWare.Win32.KeyLogger.Ardamax.BA       | 23605
Dr.Web                | Trojan.KeyLogger.28616                    | 9.0.1.0327
Emsisoft Anti-Malware | Gen:Variant.Mikey.22195                   | 8.15.11.23.03
ESET NOD32            | Win32/KeyLogger.Ardamax.NBP (variant)     | 9.12579
Fortinet FortiGate    | Riskware/Ardamax                          | 11/23/2015
F-Secure              | Gen:Variant.Mikey.22195                   | 11.2015-23-11_2
G Data                | Gen:Variant.Mikey.22195                   | 15.11.25
K7 AntiVirus          | Password-Stealer                          | 13.212.17877
Kaspersky             | not-a-virus:HEUR:Monitor.Win32.Ardamax    | 14.0.0.1079
McAfee                | Artemis!1D32291ECFD2                      | 5600.6573
MicroWorld eScan      | Gen:Variant.Mikey.22195                   | 16.0.0.981
NANO AntiVirus        | Trojan.Win32.KeyLogger.dysepl             | 0.30.26.4437
Panda Antivirus       | Trj/CI.A                                  | 15.11.23.03
Qihoo 360 Security    | Win32/Application.Keylog.1e6              | 1.0.0.1077
Reason Heuristics     | Threat.Win.Reputation.IMP                 | 15.11.23.3
Sophos                | Generic PUA MB (PUA)                      | 4.98
SUPERAntiSpyware      | Trojan.Agent/Gen-KeyLogger                | 9491
Trend Micro           | TROJ_GEN.R01TC0OKH15                      | 10.465.23
VIPRE Antivirus       | Ardamax                                   | 45252

File size:
2.6 MB (2,753,536 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\urr\urr.exe

File PE Metadata
Compilation timestamp:
11/12/2015 2:23:13 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:0Se8VZ6ci3Fkvi57lriEWXYA69ap/jZcdennpnxq+XT8PitPEKB4ROmYBKU:0MT6cdiZruXYp9aaYNxPXTEr2

Entry address:
0x5643A

Entry point:
E8, 5E, E3, 00, 00, E9, 79, FE, FF, FF, 6A, 0C, 68, C0, 0F, 59, 00, E8, B0, 67, 00, 00, 6A, 0E, E8, AF, 5C, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 7C, AB, 5A, 00, BA, 78, AB, 5A, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A, 04, 50, E8, 64, B1, FF, FF, 59, FF, 76, 04, E8, 5B, B1, FF, FF, 59, 83, 66, 04, 00, C7, 45, FC, FE, FF, FF, FF, E8, 0A, 00, 00, 00, E8, 9F, 67, 00, 00, C3, 8B, D0, EB, C5, 6A, 0E, E8, 7A, 5B, 00, 00, 59, C3, CC, CC, CC, CC, CC, CC...

Entropy:
7.1153

Code size:
1.2 MB (1,247,232 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
URR Start

Command:
C:\ProgramData\urr\urr.exe

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to 200-147-99-132.static.uol.com.br  (200.147.99.132:587)

TCP:
Connects to wb-in-f16.1e100.net  (66.102.1.16:465)

TCP (FTP):
Connects to 23-252-121-155.static.webnx.com  (23.252.121.155:21)

TCP:
Connects to mtaout-a-mtc-c.mx.aol.com  (64.12.91.197:587)

TCP:
Connects to srv23.000webhost.com  (31.170.160.87:47739)

TCP:
Connects to mtaout-a-mtc-b.mx.aol.com  (64.12.88.165:587)

TCP:
Connects to dh-in-f16.1e100.net  (209.85.203.16:465)

Remove urr.exe - Powered by Reason Core Security