a5456663.exe

The executable a5456663.exe, “YandexDiskStarter” has been detected as malware by 30 anti-virus scanners. This is a setup program which is used to install the application. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘a754353’. This trojan will attempt to establish a connection to a remote server through various TCP ports and will use Winlogon to survive reboots. The file has been seen being downloaded from 54.193.9.202.
Publisher:
Yandex

Product:
Yandex.Disk

Description:
YandexDiskStarter

Version:
1.2.3.4532

MD5:
f4c18d870f06306fc205d6f457d555c8

SHA-1:
185d18b5d7e37c61081904ff9e168ebd8f673e7a

Scanner detections:
30 / 68

Status:
Malware

Analysis date:
4/18/2024 5:42:19 AM UTC

Scan engine                    Detection                    Engine version
Lavasoft Ad-Aware              Trojan.GenericKD.1732511     856
AhnLab V3 Security             Dropper/Win32.Necurs         2014.07.04
Avira AntiVirus                TR/Crypt.Xpack.73533         7.11.158.80
avast!                         Win32:Crypt-RCN [Trj]        2014.9-141002
AVG                            Win32/Cryptor                2015.0.3334
Baidu Antivirus                Trojan.Win32.Lethic          4.0.3.14102
Bitdefender                    Trojan.GenericKD.1732511     1.0.20.1375
Comodo Security                UnclassifiedMalware          18755
Dr.Web                         Trojan.PWS.Multi.76          9.0.1.0275
Emsisoft Anti-Malware          Trojan.GenericKD.1732511     8.14.10.02.07
ESET NOD32                     Win32/Lethic.AA              8.10040
Fortinet FortiGate             W32/Lethic.AA!tr             10/2/2014
F-Secure                       Trojan.GenericKD.1732511     11.2014-02-10_5
G Data                         Trojan.GenericKD.1732511     14.10.24
IKARUS anti.virus              Trojan.Win32.Lethic          t3scan.1.6.1.0
K7 AntiVirus                   Riskware                     13.180.12612
Kaspersky                      Backdoor.Win32.Azbreg        14.0.0.3163
Malwarebytes                   Trojan.Agent.ED              v2014.06.26.02
McAfee                         Artemis!F4C18D870F06         5600.6990
Microsoft Security Essentials                               1.10701
MicroWorld eScan               Trojan.GenericKD.1732511     15.0.0.825
NANO AntiVirus                 Trojan.Win32.NgrBot.dbpwvq   0.28.0.60577
Norman                         Kryptik.CDZD                 11.20141002
Panda Antivirus                Trj/CI.A                     14.10.02.07
Quick Heal                     Backdoor.Azbreg.r4           10.14.14.00
Sophos                         Troj/Wonton-EF               4.98
Trend Micro House Call         TROJ_FORUCON.BMC             7.2.275
Trend Micro                    TROJ_FORUCON.BMC             10.465.02
Vba32 AntiVirus                Malware-Cryptor.Limpopo      3.12.26.3
VIPRE Antivirus                Trojan.Win32.Generic         30922

File size:
88 KB (90,112 bytes)

Product version:
1.2.3.4532

Copyright:
© 2012-2014 YANDEX

Original file name:
YandexDiskStarter.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
6/26/2014 5:28:43 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:6bzh80MA794oT3Xk2roP+mfPKy/TKOOOOOOO+IN5tFm7S7j2xdVBP:azu0dte+mfCy/9TxsvBP

Entry address:
0x4B2D

Entry point:
E8, FA, 1B, 00, 00, E9, 1E, FE, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, D0, 02, 00, 00, A1, 08, 12, 41, 00, 33, C5, 89, 45, FC, 89, 85, E0, FD, FF, FF, 89, 8D, DC, FD, FF, FF, 89, 95, D8, FD, FF, FF, 89, 9D, D4, FD, FF, FF, 89, B5, D0, FD, FF, FF, 89, BD, CC, FD, FF, FF, 66, 8C, 95, F8, FD, FF, FF, 66, 8C, 8D, EC, FD, FF, FF, 66, 8C, 9D, C8, FD, FF, FF, 66, 8C, 85, C4, FD, FF, FF, 66, 8C, A5, C0, FD, FF, FF, 66, 8C, AD, BC, FD, FF, FF, 9C, 8F, 85, F0, FD, FF, FF, 8B, 45, 04, 89, 85, E8, FD, FF, FF, 8D, 45, 04...

Code size:
42 KB (43,008 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
a754353

Command:
C:\recycler\{random}\a5456663.exe
The file a5456663.exe has been seen being distributed by the following URL.

http://54.193.9.202/dqnew.exe