b849543.exe

The executable b849543.exe has been detected as malware by 37 of the 68 anti-virus scanners listed below. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the value name 'a754594623'. The trojan attempts to connect to a remote server over various TCP ports and, per this report, also uses Winlogon to survive reboots; the only persistence entry recorded in the report itself, however, is the HKCU Run value shown under Startup File below.
MD5:
843dd75c643b31988fcf8c1a822470fe

SHA-1:
683af3c76ea560add2b5969122f0d20209b61e57

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
4/24/2024 8:10:38 PM UTC

Scan engine                    Detection                                   Engine version
Lavasoft Ad-Aware              Gen:Variant.Symmi.43711                     856
Agnitum Outpost                Trojan.DL.Agent                             7.1.1
AhnLab V3 Security             Dropper/Win32.Necurs                        2014.09.09
Avira AntiVirus                TR/Crypt.Xpack.73645                        7.11.171.78
avast!                         Win32:Kryptik-NZA [Trj]                     2014.9-141002
Baidu Antivirus                Trojan.Win32.Injector                       4.0.3.14102
Bitdefender                    Gen:Variant.Symmi.43711                     1.0.20.1375
Bkav FE                        W32.HfsIemusi                               1.3.0.4959
Comodo Security                UnclassifiedMalware                         19456
Dr.Web                         BackDoor.IRC.NgrBot.449                     9.0.1.0275
Emsisoft Anti-Malware          Gen:Variant.Symmi.43711                     8.14.10.02.07
ESET NOD32                     Win32/Injector.BGQP                         8.10384
Fortinet FortiGate             W32/Yakes.FHJN!tr                           10/2/2014
F-Prot                         W32/Trojan2.OHQY                            v6.4.7.1.166
F-Secure                       Gen:Variant.Symmi.43711                     11.2014-02-10_5
G Data                         Gen:Variant.Symmi.43711                     14.10.24
IKARUS anti.virus              Trojan-Downloader.Win32.Agent               t3scan.1.7.5.0
K7 AntiVirus                   Trojan                                      13.183.13305
Kaspersky                      Trojan-Downloader.Win32.Agent               14.0.0.3163
Malwarebytes                   Backdoor.Bot.ED                             v2014.10.02.07
McAfee                         Generic-FASY!843DD75C643B                   5600.6990
Microsoft Security Essentials                                              1.10904
MicroWorld eScan               Gen:Variant.Symmi.43711                     15.0.0.825
NANO AntiVirus                 Trojan.Win32.Agent.dbwfen                   0.28.2.61942
Norman                         Injector.GVTX                               11.20141002
nProtect                       Trojan.GenericKD.1732943                    14.09.07.01
Panda Antivirus                Trj/CI.A                                    14.10.02.07
Qihoo 360 Security             HEUR/Malware.QVM10.Gen                      1.0.0.1015
Quick Heal                     Worm.Gamarue.I3                             10.14.14.00
Rising Antivirus               PE:Trojan.Win32.Generic.16F5FD74!385219956  23.00.65.14930
Sophos                         Troj/Inject-AYR                             4.98
Total Defense                  Win32/Lethic.PPfGKU                         37.0.11169
Trend Micro House Call         TROJ_SPNR.35GA14                            7.2.275
Trend Micro                    TROJ_SPNR.35GA14                            10.465.02
Vba32 AntiVirus                OScope.Malware-Cryptor.Ngrbot               3.12.26.3
VIPRE Antivirus                Trojan.Win32.Generic!SB.0                   32928
Zillya! Antivirus              Downloader.Agent.Win32.198261               2.0.0.1915

(The Microsoft Security Essentials row carries an engine version but no detection name in the source report.)

File size:
158 KB (161,792 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
6/26/2014 12:14:05 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:LmFoUWZ2LRzzg0Sm7k0oxFbH2cJdX9B/du5BS+:d2LBzgkYp/cG+

Entry address:
0x80E5

Entry point:
E8, B1, 8B, 00, 00, E9, 1E, FE, FF, FF, A1, 80, FC, D0, 31, 56, 6A, 14, 5E, 85, C0, 75, 07, B8, 00, 02, 00, 00, EB, 06, 3B, C6, 7D, 07, 8B, C6, A3, 80, FC, D0, 31, 6A, 04, 50, E8, 15, 31, 00, 00, 59, 59, A3, 78, EC, D0, 31, 85, C0, 75, 1E, 6A, 04, 56, 89, 35, 80, FC, D0, 31, E8, FC, 30, 00, 00, 59, 59, A3, 78, EC, D0, 31, 85, C0, 75, 05, 6A, 1A, 58, 5E, C3, 33, D2, B9, 30, E9, 41, 00, EB, 05, A1, 78, EC, D0, 31, 89, 0C, 02, 83, C1, 20, 83, C2, 04, 81, F9, B0, EB, 41, 00, 7C, EA, 6A, FE, 5E, 33, D2, B9, 40...
 

Code size:
95.5 KB (97,792 bytes)
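Two consistency checks a practitioner would run on the metadata above, written as an added example for this page (this is not the report's or any vendor's code): decoding the start of the entry-point byte dump into its call/jmp targets, and checking that the ssdeep block size matches the reported file size. It assumes that the report's "Entry address" is the PE AddressOfEntryPoint RVA; the byte list, file size and ssdeep value are copied from the report.

```python
"""Sanity checks on the PE metadata reported above (added example, not from the report)."""
import struct

# Values copied from the report. ENTRY_RVA is assumed (not stated by the report)
# to be the AddressOfEntryPoint RVA; ENTRY_BYTES is the start of the dump.
ENTRY_RVA = 0x80E5
ENTRY_BYTES = "E8, B1, 8B, 00, 00, E9, 1E, FE, FF, FF, A1, 80, FC, D0, 31, 56, 6A, 14, 5E"
FILE_SIZE = 161_792
SSDEEP = "3072:LmFoUWZ2LRzzg0Sm7k0oxFbH2cJdX9B/du5BS+:d2LBzgkYp/cG+"


def parse_hex_list(text: str) -> bytes:
    """Turn the report's 'E8, B1, ...' notation into raw bytes."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def decode_entry_stub(code: bytes, rva: int) -> list:
    """Follow the leading E8 (call rel32) / E9 (jmp rel32) instructions.

    Returns [(mnemonic, instruction_rva, target_rva), ...]. rel32 is a signed
    32-bit displacement relative to the *next* instruction, so the target is
    insn_rva + 5 + rel32. The walk stops at the first unconditional jmp or at
    the first opcode that is not E8/E9.
    """
    flow, off = [], 0
    while off + 5 <= len(code) and code[off] in (0xE8, 0xE9):
        rel32 = struct.unpack_from("<i", code, off + 1)[0]
        insn_rva = rva + off
        target = (insn_rva + 5 + rel32) & 0xFFFFFFFF
        mnemonic = "call" if code[off] == 0xE8 else "jmp"
        flow.append((mnemonic, insn_rva, target))
        off += 5
        if mnemonic == "jmp":
            break
    return flow


def ssdeep_blocksize_consistent(size: int, signature: str) -> bool:
    """Check that the block size declared in an ssdeep signature fits the file size.

    ssdeep starts at block size 3 and doubles it until block_size * 64 >= size.
    It only drops below that value when the first chunk would come out shorter
    than 32 characters, so for a signature whose first chunk has 32 or more
    characters the declared block size must equal the computed one; for a
    shorter first chunk only the upper bound can be checked.
    """
    declared, first_chunk, _ = signature.split(":", 2)
    block = 3
    while block * 64 < size:
        block *= 2
    if len(first_chunk) >= 32:
        return int(declared) == block
    return int(declared) <= block


if __name__ == "__main__":
    for mnemonic, insn_rva, target in decode_entry_stub(parse_hex_list(ENTRY_BYTES), ENTRY_RVA):
        print(f"{insn_rva:#07x}: {mnemonic} {target:#x}")
    print("ssdeep block size consistent with file size:",
          ssdeep_blocksize_consistent(FILE_SIZE, SSDEEP))
```

The decoded stub is a `call` followed immediately by an unconditional `jmp`, the shape of the MSVC C runtime entry stub (`call __security_init_cookie; jmp __tmainCRTStartup`), which fits the linker version 9.0 (Visual Studio 2008) reported above; that identification is an inference from the byte pattern, not something the report states. Both targets (0x10C9B and 0x7F0D) lie within the 97,792-byte code size, which is what you would expect before digging further with a disassembler.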

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
a754594623

Command:
C:\recycler\{random}\b849543.exe
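A triage script for the indicators on this page, added as an example (it is not the report's or Reason Core Security's code): it parses a `reg export` of the HKCU Run key, flags values that match the reported value name, file name or a launch path under a Recycler folder, and compares file hashes against the listed MD5/SHA-1. The `.reg` sample, the OneDrive entry and the `S-1-5-21-...` folder name are constructed for the example; the recycler rule is generalised to any drive letter, which is an assumption beyond the single `C:\recycler\` path the report gives.

```python
"""Triage HKCU Run entries and file hashes against the indicators above.
Added example for this page; not the report's or Reason Core Security's code."""
import hashlib
import re

# Indicators copied from the report.
IOC_HASHES = {
    "md5": "843dd75c643b31988fcf8c1a822470fe",
    "sha1": "683af3c76ea560add2b5969122f0d20209b61e57",
}
IOC_RUN_VALUE_NAME = "a754594623"
IOC_FILE_NAME = "b849543.exe"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a `reg export HKCU\...\Run run.reg` file. The OneDrive
# entry and the S-1-5-21-0-0-0-1000 folder are made up; only the value name,
# file name and C:\recycler\ location come from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"a754594623"="C:\\recycler\\S-1-5-21-0-0-0-1000\\b849543.exe"
'''


def _reg_unescape(s: str) -> str:
    """Undo .reg escaping: a backslash quotes the next character (\\ and \")."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_run_values(reg_text: str) -> dict:
    """Return {value_name: command} for REG_SZ values under the HKCU Run key.

    Other keys are skipped, and non-string value types (hex:, dword:) are
    ignored because they cannot be a Run command.
    """
    values, in_run = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run or not line.startswith('"'):
            continue
        name, sep, data = line[1:].partition('"="')
        if sep and data.endswith('"'):
            values[_reg_unescape(name)] = _reg_unescape(data[:-1])
    return values


def triage_run_values(values: dict) -> list:
    """Flag Run entries matching the report. Returns [(name, command, [reasons])].

    The recycler rule is generalised to any drive (an assumption): no legitimate
    autorun should launch from a recycle-bin folder.
    """
    findings = []
    for name, command in values.items():
        reasons, cmd = [], command.lower()
        if name == IOC_RUN_VALUE_NAME:
            reasons.append("run value name matches report")
        if re.match(r"[a-z]:\\recycler\\", cmd.lstrip('"')):
            reasons.append("launches from a recycler folder")
        if IOC_FILE_NAME in cmd:
            reasons.append("file name matches report")
        if reasons:
            findings.append((name, command, reasons))
    return findings


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of file contents, as lowercase hex like the report."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def matches_ioc(hashes: dict, iocs: dict = IOC_HASHES) -> bool:
    """True if any algorithm's digest equals the reported indicator (case-insensitive)."""
    return any(hashes.get(alg, "").lower() == digest for alg, digest in iocs.items())


if __name__ == "__main__":
    for name, command, reasons in triage_run_values(parse_reg_run_values(SAMPLE_REG)):
        print(f"{name!r}: {command}\n    " + "; ".join(reasons))
    # A real run would hash the file the flagged command points at; a constructed
    # blob is used here, so this prints False.
    print("hash match:", matches_ioc(file_hashes(b"constructed placeholder, not the sample")))
```

On a live host, export the key with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, feed the file to `parse_reg_run_values`, and hash the executable each flagged command points to with `file_hashes`; a hash match confirms the exact sample on this page, while a Recycler-path or value-name hit without a hash match still deserves a look, since repacked variants change the hashes but tend to keep the persistence layout.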


Remove b849543.exe - Powered by Reason Core Security