42fe.tmp.exe

The executable 42fe.tmp.exe has been detected as malware by 7 anti-virus scanners.
Version:
1.0.0.0

MD5:
78ff5cd66234f2f4e1a6084d21e18776

SHA-1:
42e4ba14be8ca49b98eaeb17dc467d0106545da4

SHA-256:
693d6523456a00f64e13ec1fcb948ec4cb6a0fee524c3d929735efa1a8da8da1

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
2/20/2017 10:37:16 PM UTC  (nine months ago)

Scan engine          Detection                                   Engine version
Avira AntiVirus      TR/ATRAPS.Gen                               8.3.3.4
Baidu Antivirus      Win32.Trojan.WisdomEyes.16070401.9500       4.0.3.17220
CrowdStrike          malicious_confidence_100% (D)               1.0
F-Prot               W32/Trojan.SW.gen                           v6.4.7.1.166
Invincea             pws.msil.kelopol.b                          6.2.2.24419
Malwarebytes         Trojan.Dropper                              v2017.02.20.05
Qihoo 360 Security   HEUR/QVM03.0.0000.Malware.Gen               1.0.0.1120

File size:
16.5 KB (16,896 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2016

Original file name:
svhost.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\42fe.tmp.exe

File PE Metadata
Compilation timestamp:
2/20/2017 10:37:43 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0x578E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.2881

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
14 KB (14,336 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.projectorlamp.se  (109.74.4.176:80)

TCP (HTTP):
Connects to www.bremer-gewuerzhandel.de  (144.76.114.122:80)

TCP (HTTP):
Connects to webwax.co  (178.62.39.51:80)

TCP (HTTP):
Connects to webmail.allenhan.com  (173.255.209.131:80)

TCP (HTTP):
Connects to webfwd2.zoneedit.com  (198.199.92.59:80)

TCP (HTTP):
Connects to webforwards.extendcp.co.uk  (79.170.40.4:80)

TCP (HTTP):
Connects to web200.extendcp.co.uk  (217.199.187.200:80)

TCP (HTTP):
Connects to vz3019.nu-vps.com  (141.0.165.19:80)

TCP (HTTP):
Connects to vps-83-168-248-12.cust.crystone.se  (83.168.248.12:80)

TCP (HTTP):
Connects to vps2.ezgift.com.br  (64.131.72.126:80)

TCP (HTTP):
Connects to vmh18083.hosting24.com.au  (223.27.22.217:80)

TCP (HTTP):
Connects to vm23.createhosting.co.nz  (103.16.180.156:80)

TCP (HTTP):
Connects to VI-3692.COLO.VI.NET  (31.24.228.79:80)

TCP (HTTP):
Connects to v301.rackspeed-cloud.de  (213.9.20.112:80)

TCP (HTTP):
Connects to v21110.aumanaged.com  (182.160.153.218:80)

TCP (HTTP):
Connects to unassigned-93-191-134-227.public.cloudvps.com  (93.191.134.227:80)

TCP (HTTP):
Connects to tron.premier-gift.ca  (72.142.29.43:80)

TCP (HTTP):
Connects to sv11.net-housting.de  (178.248.244.21:80)

TCP (HTTP):
Connects to static-ip-118-150-142-114.rev.dyxnet.com  (114.142.150.118:80)

TCP (HTTP):
Connects to sp400.rackspeed-cloud.de  (213.9.20.139:80)
