SmartConnect.exe Malware


SHA-256 — 7c3e2a38dcacc3246409151ecdf283814611a8f9d98ed0e5996fb2615adc2cc2

I pulled the request for the malware sample from Malshare for analysis and renamed the file with a .exe extension.

Tools I used: OllyDbg, Wireshark, PE Explorer.

I downloaded the malware sample, opened it in PE Explorer, and found resource information.


Before I started debugging, I extracted the malware executable file using 7-Zip. There were 2 VPN applications: the KVPN Kerio application and OpenVPN.


On opening the settings.ini file from the above list, there was license owner information given as www. WebTune . ir


I started debugging the malware executable in OllyDbg. It shows the behavior of the application; check the image below.

exe files

The malware program got installed, and its location was:

C:\Program Files (x86)\P3Filter v2.3714840114\SmartConnection.exe

It also added a shortcut file in the start program menu.


It also installed the Kerio VPN switch adapter on my virtual machine.


Wireshark packets showed the application is trying to connect to the below URL, and DNS is resolving to the domain mycn .ir

domain — mycn. ir
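The indicators collected above (sample hash, install path, contacted domain) can be turned into a host and DNS sweep. The following is an added example, not part of the original analysis; the event format, function names and sample telemetry are assumptions constructed for illustration, and the domain is written without the spacing used in the post.

```python
import hashlib
import ntpath

# Indicators taken from the write-up above.
SAMPLE_SHA256 = "7c3e2a38dcacc3246409151ecdf283814611a8f9d98ed0e5996fb2615adc2cc2"
INSTALL_PATH = r"C:\Program Files (x86)\P3Filter v2.3714840114\SmartConnection.exe"
CONTACTED_DOMAIN = "mycn.ir"


def sha256_matches(data: bytes) -> bool:
    """True if the bytes hash to the downloaded sample's SHA-256."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


def domain_matches(qname: str) -> bool:
    """Match the domain or any subdomain, but not look-alikes such as 'notmycn.ir'."""
    name = qname.strip().rstrip(".").lower()
    return name == CONTACTED_DOMAIN or name.endswith("." + CONTACTED_DOMAIN)


def path_matches(path: str) -> bool:
    """Windows paths are case-insensitive; normalise case and separators first."""
    return ntpath.normcase(ntpath.normpath(path)) == ntpath.normcase(INSTALL_PATH)


def sweep(events):
    """events: iterable of (kind, value), kind in {'dns', 'process'}. Returns the hits."""
    hits = []
    for kind, value in events:
        if kind == "dns" and domain_matches(value):
            hits.append((kind, value))
        elif kind == "process" and path_matches(value):
            hits.append((kind, value))
    return hits


# Constructed sample telemetry (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    ("dns", "www.example.com"),
    ("dns", "MYCN.IR."),            # trailing dot and upper case still match
    ("dns", "update.mycn.ir"),      # constructed subdomain
    ("dns", "notmycn.ir"),          # look-alike, must not match
    ("process", "c:/program files (x86)/P3Filter v2.3714840114/smartconnection.exe"),
    ("process", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS):
        print("IOC hit:", hit)
```

The hash applies to the downloaded sample, not necessarily to the installed SmartConnection.exe, which is why the installed file is matched by path instead.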


Please post your suggestions to improve my analysis.

