home

world_of_metin2.exe

Metin2 Patcher

The application world_of_metin2.exe has been detected as a potentially unwanted program by 12 anti-malware scanners. This is a setup program which is used to install the application. The file is most likely infected with the Neshta virus, a Russian virus that gathers system information and send it to a remote command and cotrol server. The file has been seen being downloaded from download.wom2.org and multiple other hosts. While running, it connects to the Internet address 94.31.29.54.IPYX-077437-ZYO.above.net on port 443.
Product:
Metin2 Patcher

Version:
1.0.44037.1

MD5:
c4a85940a8729bef21809f4a3ecbf0c7

SHA-1:
b3e1f36ea98c10cc37b63c21c0f52e4ddac92dae

SHA-256:
1cc84e929bef3f0d2a0239e6b290dbde20404b09932fcd9db9e90e3852f79b90

Scanner detections:
12 / 68

Status:
Potentially unwanted

Explanation:
Infected with the direct-infection Neshta file infector virus.

Analysis date:
4/25/2024 4:25:00 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Win32/Neshta
2015.04.20

AVG
Worm/Delf
2016.0.3036

Baidu Antivirus
Virus.Win32.Neshta.$a
4.0.3.15726

Dr.Web
Adware.Downware.10440
9.0.1.0115

ESET NOD32
Win32/Neshta
9.11497

Fortinet FortiGate
W32/Neshta.A
7/26/2015

G Data
Win32.Neshta
15.7.25

IKARUS anti.virus
Virus.Win32.Neshta
t3scan.1.8.9.0

McAfee
W32/HLLP.41472.e
5600.6692

Microsoft Security Essentials
Virus:Win32/Neshta.A
1.1.11502.0

Panda Antivirus
W32/Neshta.A
15.07.26.10

Qihoo 360 Security
HEUR/QVM05.1.Malware.Gen
1.0.0.1015

File size:
1.7 MB (1,828,578 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright (C) 2011

Original file name:
metin2_patcher.exe

File type:
Executable application (Win32 EXE)

Language:
Korean (Korea)

Common path:
C:\Program Files\world of metin2\world_of_metin2.exe

File PE Metadata
Compilation timestamp:
6/26/2014 3:05:15 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:G6xPfXpWuUhhAV3/PXv/JvNy2yxH+Z2PChdbyQ+DK53gf2FEsdvwG7:GuncHIVvPXnZbyUqVQ+6wf2FEIv7

Entry address:
0x3CE280

Entry point:
60, BE, 00, 20, 6B, 00, 8D, BE, 00, F0, D4, FF, C7, 87, 30, A0, 31, 00, 08, 88, FC, 46, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Entropy:
7.8977

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
1.1 MB (1,167,360 bytes)

The file world_of_metin2.exe has been seen being distributed by the following 2 URLs.

http://download.wom2.org/WoM2.exe

http://download.wom2.org/World_of_Metin2.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to 94.31.29.54.IPYX-077437-ZYO.above.net  (94.31.29.54:443)

TCP (HTTP SSL):
Connects to 113-125-232-198.static.unitasglobal.net  (198.232.125.113:443)

TCP (HTTP):
Connects to server-54-230-163-90.jax1.r.cloudfront.net  (54.230.163.90:80)

TCP (HTTP):
Connects to c4.3e.559e.ip4.static.sl-reverse.com  (158.85.62.196:80)

Remove world_of_metin2.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.