AutoIt3.exe

AutoIt v3 Script

AutoIt Consulting Ltd

The executable AutoIt3.exe has been detected as malware by 3 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘AdopeFlash’. While running, it connects to the Internet address geoplugin.net on port 80 using the HTTP protocol.
Publisher:
AutoIt Team  (signed by AutoIt Consulting Ltd)

Product:
AutoIt v3 Script

Version:
3, 3, 8, 1

MD5:
33e73e21a936a2394ad9707bbf7127db

SHA-1:
c05d822fe6b97c4a69f94e66cdc64660ed8865d6

SHA-256:
44d599b8f3fbd74936835bde7a2794be3e72eb3af0effccd36f41de7596f5cdc

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
4/26/2024 12:06:02 PM UTC

Scan engine:
ESET NOD32
Detection:
Win32/Floxif.H virus
Engine version:
6.3.12010.0

Scan engine:
F-Prot
Detection:
W32/Floxif.B
Engine version:
4.6.5.141

Scan engine:
F-Secure
Detection:
Win32.Floxif.A
Engine version:
5.16.24

File size:
809.2 KB (828,599 bytes)

Product version:
3, 3, 8, 1

Copyright:
©1999-2012 Jonathan Bennett & AutoIt Team

Original file name:
AutoIt3.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
5/25/2011 2:43:07 AM

Valid to:
5/25/2014 2:43:05 AM

Subject:
CN=AutoIt Consulting Ltd, O=AutoIt Consulting Ltd, L=Birmingham, S=West Midlands, C=GB

Issuer:
CN=GlobalSign ObjectSign CA, OU=ObjectSign CA, O=GlobalSign nv-sa, C=BE

Serial number:
010000000001302693CB45

File PE Metadata
Compilation timestamp:
1/29/2012 1:32:28 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x164E1

Entry point:
E9, C5, 4D, 06, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, 24, 97, 4A, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, DD, 03, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, 60, 66, 41, 00, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03, C8...

Entropy:
6.9441

Packer / compiler:
Xtreme-Protector v1.05

Code size:
513.5 KB (525,824 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AdopeFlash

Command:
C:\google\autoit3.exe \autoit3executescript C:\google\googleupdate.a3x


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to geoplugin.net  (178.237.36.10:80)

Powered by Reason Core Security