xunlei_329021.exe

ToolsHelper

The application xunlei_329021.exe has been detected as a potentially unwanted program by 16 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from www.pf11.com and multiple other hosts. While running, it connects to the Internet address promote.cache-dns.local on port 80 using the HTTP protocol.
Product:
ToolsHelper

Version:
1.00

MD5:
0f55762593fe1164445abfb19360b3f6

SHA-1:
3da5f674983d75af79f900a21d63e9f6cd3b26eb

SHA-256:
c7146a5dc2dcda05cb256ef80fb794ee9dabcd36ea3eb370e5a42133ea0c3c06

Scanner detections:
16 / 68

Status:
Potentially unwanted

Analysis date:
4/27/2024 4:07:35 AM UTC

Scan engine               Detection                           Engine version
Agnitum Outpost           Trojan.DownLoader                   7.1.1
AhnLab V3 Security        Trojan/Win32.Clicker                2014.09.01
AVG                       Inject2                             2015.0.3366
Dr.Web                    Trojan.DownLoader11.22669           9.0.1.0243
Fortinet FortiGate        W32/Bfr.FT!tr                       8/31/2014
K7 AntiVirus              Riskware                            13.183.13218
Malwarebytes              Adware.Chad                         v2014.08.31.11
McAfee                    RDN/Generic.bfr!ft                  5600.7022
Norman                    Troj_Generic.SLKRB                  11.20140831
Panda Antivirus           Trj/Dtcontx.L                       14.08.31.11
Sophos                    Mal/Generic-S                       4.98
Trend Micro House Call    TROJ_GEN.R0CBC0OB714                7.2.243
Trend Micro               TROJ_GEN.R0CBC0OB714                10.465.31
VIPRE Antivirus           Trojan.Win32.Generic                32704
ViRobot                   Trojan.Win32.S.Clicker.118784.E     2011.4.7.4223
XVirus List               Win32.Detected                      2.8.31

File size:
116 KB (118,784 bytes)

Product version:
1.00

Original file name:
HelperTools.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\xunlei_329021.exe

File PE Metadata
Compilation timestamp:
1/13/2014 6:22:35 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:b73R0B+MaJ3wcH4Qx2olCmChovB0aNJ2HaUout9piF2/:hPRevQLlhPaaP26UoS9ko

Entry address:
0x5D290

Entry point:
60, BE, 00, 80, 44, 00, 8D, BE, 00, 90, FB, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, CE, BB, 05, 00, 57, 83, C3, 04, 53, 68, 8C, 52, 01, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Code size:
88 KB (90,112 bytes)

The file xunlei_329021.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to promote.cache-dns.local  (223.111.153.141:80)

TCP (HTTP):
Connects to ns2.ivanso.net  (182.237.3.75:80)
