3.4.2_38913.exe

µTorrent

BitTorrent Inc.

The application 3.4.2_38913.exe has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a setup program which is used to install the application. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from www.filecroco.com and multiple other hosts. While running, it connects to the Internet address host-41.36.112.208.tedata.net on port 12652.
Publisher:
BitTorrent Inc.

Product:
µTorrent

Version:
3.4.2.38913

MD5:
fc5900c84f96ba23efe9e99dbd238f8d

SHA-1:
0923a2a79103f88f9bac87e7cad9f53f41112fb5

SHA-256:
ec19149a00f14956eb21549a672b56e8600dfe80cb4edef52450b4e5dd9b5e35

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
10/31/2024 10:48:02 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

Baidu Antivirus
Adware.Win32.OpenCandy
4.0.3.15124

Dr.Web
Adware.OpenCandy.173
9.0.1.05190

ESET NOD32
Win32/OpenCandy.A potentially unsafe application
7.0.302.0

Fortinet FortiGate
Riskware/OpenCandy
12/4/2015

IKARUS anti.virus
PUA.OpenCandy
t3scan.1.9.5.0

McAfee
Trojan.Artemis!FC5900C84F96
18.0.204.0

NANO AntiVirus
Trojan.Win32.OpenCandy.dmgkvw
0.30.26.5051

VIPRE Antivirus
Threat.4791855
45588

File size:
1.7 MB (1,732,608 bytes)

Product version:
3.4.2.38913

Copyright:
©2015 BitTorrent, Inc. All Rights Reserved.

Original file name:
uTorrent.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\utorrent\updates\3.4.2_38913.exe

File PE Metadata
Compilation timestamp:
2/20/2015 8:19:24 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:HstU4NupZf16eM4h2F8yvYNj83ee2qldvksY4xQZSWGdj7FzTwkloqOG+K7jHxUQ:xZd/M4MvYxCee9lRQAWGdFkj07L7SAv

Entry address:
0x3BC0B0

Entry point:
60, BE, 00, E0, 67, 00, 8D, BE, 00, 30, D8, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 67, AA, 3B, 00, 57, 83, C3, 04, 53, 68, AA, E0, 13, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
 
[+]

Code size:
1.2 MB (1,306,624 bytes)

The file 3.4.2_38913.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to host-41.36.112.208.tedata.net  (41.36.112.208:12652)

TCP:
Connects to host-156.220.244.32-static.tedata.net  (156.220.32.244:16055)

TCP:
Connects to 90-225-248-95-no284.tbcn.telia.com  (90.225.248.95:23890)

TCP:
Connects to 68.dd.a86c.ip4.static.sl-reverse.com  (108.168.221.104:1337)

TCP:
Connects to 57.19.adb8.ip4.static.sl-reverse.com  (184.173.25.87:1337)

TCP:
Connects to host-41.43.95.199.tedata.net  (41.43.95.199:50)

Remove 3.4.2_38913.exe - Powered by Reason Core Security