1799877.exe

The executable 1799877.exe has been detected as malware by 39 of the 68 anti-virus scanners used. While running, it connects over HTTP (TCP port 80) to the Internet host meso.nmsrv.com. The detection names below largely agree on the Cutwail family (Microsoft and McAfee classify it as a downloader: TrojanDownloader:Win32/Cutwail.BS, Downloader-FEK); the remaining names are generic packer or heuristic labels (Kryptik, Crypt, Generic). Note that the McAfee name embeds the first twelve hex digits of the file's MD5 (9D7910F61A75), so that detection is tied to this exact file rather than to the family.
MD5:
9d7910f61a75a45eca47a3a18db38d92

SHA-1:
8e87e5569d0d0d1c973a78e460e9e2031526dc62

SHA-256:
e7f3561c77bf616cc28ae995a63e97621d8a240b69f278a7f33bb1f5f93d9358

Scanner detections:
39 / 68

Status:
Malware

Analysis date:
11/22/2017 6:02:29 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.1630639 | 856
Agnitum Outpost | Trojan.Cutwail | 7.1.1
AhnLab V3 Security | Spyware/Win32.Zbot | 2014.08.20
Avira AntiVirus | TR/Crypt.EPACK.6983 | 7.11.168.26
Antiy Labs AVL | Trojan/Win32.Cutwail | 1.0.0.1
avast! | Win32:Kryptik-NQY [Trj] | 2014.9-141001
AVG | Crypt3 | 2015.0.3334
Baidu Antivirus | Trojan.Win32.Cutwail | 4.0.3.14101
Bitdefender | Trojan.GenericKD.1630639 | 1.0.20.1370
Bkav FE | W32.KryptikArtemis.Trojan | 1.3.0.4959
Commtouch SDK | W32/Trojan.VGZV-3767 | 5.4.1.7
Comodo Security | TrojWare.Win32.Kryptik.~BYVH | 19250
Dr.Web | Trojan.Siggen6.12996 | 9.0.1.0274
Emsisoft Anti-Malware | Trojan.GenericKD.1630639 | 8.14.10.01.11
ESET NOD32 | Win32/Kryptik.BZBJ (variant) | 8.10282
Fortinet FortiGate | W32/Cutwail.BYVH!tr | 10/1/2014
F-Secure | Trojan.GenericKD.1630639 | 11.2014-01-10_4
G Data | Trojan.GenericKD.1630639 | 14.10.24
IKARUS anti.virus | Trojan.SuspectCRC | t3scan.1.7.5.0
K7 AntiVirus | Trojan | 13.183.13098
K7 Gateway Antivirus | Trojan | 13.183.13098
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.3165
Malwarebytes | Trojan.Agent.US | v2014.10.01.11
McAfee | Downloader-FEK!9D7910F61A75 | 5600.6990
McAfee Web Gateway | Downloader-FEK!9D7910F61A75 | 7.6990
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail.BS | 1.10903
MicroWorld eScan | Trojan.GenericKD.1630639 | 15.0.0.822
NANO AntiVirus | Trojan.Win32.Cutwail.cwbvnb | 0.28.2.61721
Norman | Troj_Generic.THJSN | 11.20141001
nProtect | Trojan.GenericKD.1630639 | 14.08.19.01
Panda Antivirus | Trj/Genetic.gen | 14.10.01.11
Qihoo 360 Security | Win32/Trojan.cf4 | 1.0.0.1015
Quick Heal | Trojan.Cutwail.r5 | 10.14.14.00
Sophos | Mal/Generic-S | 4.98
Trend Micro House Call | TROJ_SPNR.14D814 | 7.2.274
Trend Micro | TROJ_SPNR.14D814 | 10.465.01
Vba32 AntiVirus | Trojan.Cutwail | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Cutwail.ad | 32366
ViRobot | Trojan.Win32.Agent.57344.UG | 2011.4.7.4223

File size:
55 KB (56,320 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\1799877.exe

File PE Metadata
Compilation timestamp:
4/2/2014 5:01:29 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
1536:bBxIDzJjNQlWrauL73ONMdgTD7QaFIo85zw6PgI:bBxGNxQ2gMKTD73azRbo

Entry address:
0x1014

Entry point:
6A, 00, E8, BB, 03, 00, 00, A3, 30, 30, 40, 00, 6A, 00, 6A, 00, 68, 6A, 30, 40, 00, B8, E2, 13, 40, 00, FF, D0, 50, 68, 97, 30, 40, 00, BF, D6, 13, 40, 00, FF, D7, 68, B0, 30, 40, 00, 50, E8, 94, 03, 00, 00, 5F, 68, 75, 30, 40, 00, 90, 83, 04, 24, 0A, 83, 2C, 24, 02, 57, A3, 38, 30, 40, 00, FF, D0, A3, 34, 30, 40, 00, 8D, 3D, 04, 30, 40, 00, B9, 18, 00, 00, 00, 33, C0, FC, F3, AA, 56, 57, E8, 17, 00, 00, 00, 6A, 00, E8, 48, 03, 00, 00, 63, 3A, 5C, 6E, 64, 68, 64, 65, 37, 33, 33, 2E, 62, 78, 64, 00, 55, 8B...
 

Packer / compiler:
TASM / MASM

Code size:
1024 Bytes (1,024 bytes)
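The PE metadata above (compilation timestamp, linker version, OS version, subsystem, entry address, code size) is read straight out of the COFF and optional headers, and the entry-point bytes are found by translating the entry RVA through the section table. The following is an added example, not code from the original listing or from the analysis vendor: it builds a minimal Win32 image inline from the values on this page and parses it back. Assumptions: "OS version 4.0" is taken to be the Major/MinorOperatingSystemVersion fields; the single .text section at RVA 0x1000 with raw data at file offset 0x200 and the zero padding around the entry stub are constructed, not the sample's real layout. The 128 entry-point bytes are the ones quoted above; the string scan at the end recovers the ASCII run that sits inline in that stub (bytes 63 3A 5C ... 64 00). Linker 5.12 is the version bundled with the MASM32 package, consistent with the TASM / MASM label.

```python
"""Added example: rebuild the PE header fields listed on this page from raw
bytes.  The image is constructed here (real header values, dummy section
body); only the header values and the entry bytes come from the page."""
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"                         # IMAGE_FILE_HEADER (20 bytes)
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"   # PE32 optional header, data directories excluded
SEC_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER (40 bytes)
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}

# Entry-point bytes quoted on the page (the page's listing is truncated after these).
ENTRY_BYTES = bytes.fromhex(
    "6A 00 E8 BB 03 00 00 A3 30 30 40 00 6A 00 6A 00 "   # push 0 / call / mov [0x403030],eax ...
    "68 6A 30 40 00 B8 E2 13 40 00 FF D0 50 68 97 30 "
    "40 00 BF D6 13 40 00 FF D7 68 B0 30 40 00 50 E8 "
    "94 03 00 00 5F 68 75 30 40 00 90 83 04 24 0A 83 "
    "2C 24 02 57 A3 38 30 40 00 FF D0 A3 34 30 40 00 "
    "8D 3D 04 30 40 00 B9 18 00 00 00 33 C0 FC F3 AA "
    "56 57 E8 17 00 00 00 6A 00 E8 48 03 00 00 63 3A "   # call over an inline ASCII string ...
    "5C 6E 64 68 64 65 37 33 33 2E 62 78 64 00 55 8B"    # ... which ends here, then push ebp
)


def build_sample_image():
    """Constructed stand-in for 1799877.exe (assumed layout: one .text section)."""
    ts = int(datetime(2014, 4, 2, 17, 1, 29, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = struct.pack(OPT_FMT, 0x10B, 5, 12,            # PE32 magic, linker 5.12
                      0x400, 0, 0,                       # SizeOfCode 1,024; no data sections
                      0x1014, 0x1000, 0x2000, 0x400000,  # entry RVA, BaseOfCode, BaseOfData, ImageBase
                      0x1000, 0x200,                     # section / file alignment
                      4, 0, 0, 0, 4, 0,                  # OS 4.0, image 0.0, subsystem 4.0
                      0, 0x2000, 0x200, 0,               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                              # Subsystem 2 = Windows GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # stack/heap, 16 empty dirs
    sec = struct.pack(SEC_FMT, b".text", 0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    text = (b"\0" * 0x14 + ENTRY_BYTES).ljust(0x400, b"\0")   # stub at .text+0x14 == RVA 0x1014
    return headers + text


def parse_pe(data):
    """Extract the header fields this page reports from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, ts, _, _, opt_size, _chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    o = struct.unpack_from(OPT_FMT, data, e_lfanew + 24)
    if o[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    sec_off = e_lfanew + 24 + opt_size
    sections = [struct.unpack_from(SEC_FMT, data, sec_off + 40 * i) for i in range(nsec)]
    return {
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{o[1]}.{o[2]}",
        "code_size": o[3],
        "entry_rva": o[6],
        "os_version": f"{o[12]}.{o[13]}",
        "subsystem": SUBSYSTEMS.get(o[22], f"unknown ({o[22]})"),
        # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
        "sections": [(s[0].rstrip(b"\0").decode(), s[2], s[1], s[4], s[3]) for s in sections],
    }


def rva_to_offset(info, rva):
    """Map an RVA to a file offset via the section table; None if unmapped."""
    for _name, va, vsize, raw_ptr, raw_size in info["sections"]:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def entry_bytes(data, info, n=16):
    """Raw bytes at AddressOfEntryPoint, as the 'Entry point' field shows them."""
    off = rva_to_offset(info, info["entry_rva"])
    return data[off:off + n]


def ascii_strings(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes (a minimal 'strings')."""
    out, run = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


if __name__ == "__main__":
    img = build_sample_image()
    info = parse_pe(img)
    for key, value in info.items():
        print(f"{key}: {value}")
    stub = entry_bytes(img, info, 128)
    print("entry bytes:", stub[:8].hex(" ").upper(), "...")
    print("strings in entry stub:", ascii_strings(stub))
```

The same parser works on a real file (read it in binary mode and pass the bytes); the constructed image only stands in for the sample so the block runs offline. The inline string recovered from the entry stub is a useful pivot for a YARA rule or a filesystem search, since a MASM stub that carries its own path literal is unusual in benign software.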

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to web.alganet.fr  (212.129.21.17:80)

TCP (HTTP):
Connects to users31.heteml.jp  (157.7.188.231:80)

TCP (HTTP):
Connects to static.imatel.es  (91.200.116.222:80)

TCP (HTTP):
Connects to srv30.gepcom.com  (208.66.193.80:80)

TCP (HTTP):
Connects to redirect-v225.secureserver.net  (184.168.47.225:80)

TCP (HTTP):
Connects to emiral1.emiralmedia.ro  (89.35.6.153:80)

TCP (HTTP):
Connects to apache2-igloo.coweta.dreamhost.com  (208.113.187.143:80)

TCP (HTTP):
Connects to 173-13-169-245-sfba.hfc.comcastbusiness.net  (173.13.169.245:80)

TCP (HTTP):
Connects to zetar.brasilwork.com.br  (189.112.7.214:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.90:80)

TCP (HTTP):
Connects to server33.extremeserv.net  (180.147.250.18:80)

TCP (HTTP):
Connects to server.serbay.net  (5.250.245.23:80)

TCP (HTTP):
Connects to redirect.sedoparking.com  (91.195.240.135:80)

TCP (HTTP):
Connects to ns344497.ip-178-33-227.eu  (178.33.227.198:80)

TCP (HTTP):
Connects to ns339617.ip-176-31-248.eu  (176.31.248.197:80)

TCP (HTTP):
Connects to ns1.symbiant.net  (212.84.79.16:80)

TCP (HTTP):
Connects to ip-50-63-84-77.ip.secureserver.net  (50.63.84.77:80)

TCP (HTTP):
Connects to ip-50-62-115-20.ip.secureserver.net  (50.62.115.20:80)

TCP (HTTP):
Connects to interchise.com  (209.50.251.101:80)

TCP (HTTP):
Connects to ec2-54-72-9-51.eu-west-1.compute.amazonaws.com  (54.72.9.51:80)
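Most of the names in the list above are reverse-DNS labels of hosting providers' address blocks (ec2-54-72-9-51.eu-west-1.compute.amazonaws.com, ip-50-63-84-77.ip.secureserver.net, ns344497.ip-178-33-227.eu, redirect.sedoparking.com), so what the sandbox actually observed is the destination IP, and the name is shared infrastructure. Treat them as low-confidence indicators and corroborate a hit with the HTTP Host header or URL. The following added example, which is not part of the original listing, turns the "Connects to" lines into an IOC set and runs it over proxy log lines. The log lines, the client addresses and the non-listed destination addresses in them are constructed for the demonstration; meso.nmsrv.com from the summary at the top is included as a host-only indicator because the page gives no IP for it.

```python
"""Added example: network IOC matching over constructed proxy log lines,
using the hosts and IPs listed on this page."""
import re
from urllib.parse import urlsplit

# Verbatim from the network section of this page.
CONNECTION_LINES = """
Connects to web.alganet.fr  (212.129.21.17:80)
Connects to users31.heteml.jp  (157.7.188.231:80)
Connects to static.imatel.es  (91.200.116.222:80)
Connects to srv30.gepcom.com  (208.66.193.80:80)
Connects to redirect-v225.secureserver.net  (184.168.47.225:80)
Connects to emiral1.emiralmedia.ro  (89.35.6.153:80)
Connects to apache2-igloo.coweta.dreamhost.com  (208.113.187.143:80)
Connects to 173-13-169-245-sfba.hfc.comcastbusiness.net  (173.13.169.245:80)
Connects to zetar.brasilwork.com.br  (189.112.7.214:80)
Connects to unknown.prolexic.com  (72.52.4.90:80)
Connects to server33.extremeserv.net  (180.147.250.18:80)
Connects to server.serbay.net  (5.250.245.23:80)
Connects to redirect.sedoparking.com  (91.195.240.135:80)
Connects to ns344497.ip-178-33-227.eu  (178.33.227.198:80)
Connects to ns339617.ip-176-31-248.eu  (176.31.248.197:80)
Connects to ns1.symbiant.net  (212.84.79.16:80)
Connects to ip-50-63-84-77.ip.secureserver.net  (50.63.84.77:80)
Connects to ip-50-62-115-20.ip.secureserver.net  (50.62.115.20:80)
Connects to interchise.com  (209.50.251.101:80)
Connects to ec2-54-72-9-51.eu-west-1.compute.amazonaws.com  (54.72.9.51:80)
"""
EXTRA_HOSTS = {"meso.nmsrv.com"}   # named in the page summary; no IP given there

LINE_RE = re.compile(r"Connects to (\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)")


def parse_iocs(text):
    """Return (hostnames, ips) sets built from the page's 'Connects to' lines."""
    hosts, ips = set(EXTRA_HOSTS), set()
    for host, ip, _port in LINE_RE.findall(text):
        hosts.add(host.lower())
        ips.add(ip)
    return hosts, ips


# Constructed proxy log, one request per line:
# "<utc time> <client ip> <method> <url> <destination ip:port> <status>"
# 203.0.113.10, 198.51.100.4 and 93.184.216.34 are placeholder destinations, not from the page.
SAMPLE_LOG = """\
2017-11-22T18:02:31Z 10.0.0.5 GET http://web.alganet.fr/wp-content/x.php 212.129.21.17:80 200
2017-11-22T18:02:32Z 10.0.0.5 GET http://www.example.com/index.html 93.184.216.34:80 200
2017-11-22T18:02:35Z 10.0.0.5 GET http://someparkeddomain.example/ 91.195.240.135:80 302
2017-11-22T18:02:40Z 10.0.0.7 GET http://USERS31.HETEML.JP/img/a.gif 157.7.188.231:80 404
2017-11-22T18:03:01Z 10.0.0.9 GET http://meso.nmsrv.com/gate.php 203.0.113.10:80 200
2017-11-22T18:03:05Z 10.0.0.9 GET http://api.example.org/v1/status 198.51.100.4:80 200
"""


def scan_log(log_text, hosts, ips):
    """Flag lines whose URL host or destination IP is in the IOC set.

    A line can match on the host, on the IP, or on both; an IP-only match
    (line 3 below: a parked-domain redirector) is the shared-hosting case
    that needs a second look before anyone acts on it."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6:
            continue                                   # skip malformed lines
        _ts, client, _method, url, dst, _status = parts
        host = (urlsplit(url).hostname or "").lower()  # hostname is case-insensitive
        dst_ip = dst.rsplit(":", 1)[0]
        matched = [name for name, ok in (("host", host in hosts), ("ip", dst_ip in ips)) if ok]
        if matched:
            hits.append({"line": n, "client": client, "host": host,
                         "ip": dst_ip, "matched_on": matched})
    return hits


if __name__ == "__main__":
    hosts, ips = parse_iocs(CONNECTION_LINES)
    for hit in scan_log(SAMPLE_LOG, hosts, ips):
        print(hit)
```

The `matched_on` field is the part worth keeping in an alert: a hit on both host and IP against a provider-owned rDNS name is still weak, and a hit on IP alone for an address that fronts thousands of parked domains is weaker still; a hit on a specific host such as meso.nmsrv.com is the one that carries weight.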

Powered by Reason Core Security