bycaow.exe

Mesrosifm Visaal Studio 2010

Mesrosifm Corporatien

The executable bycaow.exe, described in its metadata as “Mesrosifm Visaal Studie 2010”, has been detected as malware by 1 anti-virus scanner. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. While running, it connects to the Internet address float.500.bm-impbus.prod.lax1.adnexus.net on port 80 using the HTTP protocol.
Publisher:
Mesrosifm Corporatien

Product:
Mesrosifm® Visaal Studio® 2010

Description:
Mesrosifm Visaal Studie 2010

Version:
1.8.43074.5121 built by: SP1Rel

MD5:
58683da07f9e8935d43d919d4320b454

SHA-1:
486ead8ba609658be3a5b0af6a573e5954c70fce

SHA-256:
1c9ccb812adc3f2386510292c903a88ea8aa91b8f7fe815e2d2d1516f3861ee2

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/19/2024 11:39:19 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Maskiseft.MesrosifmCorporatien.Meta

Engine version:
15.6.14.23

File size:
293.7 KB (300,748 bytes)

Product version:
1.8.43074.5121

Copyright:
© Mesrosifm Corporatien. All rights reserved.

Original file name:
davanr.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\ureqap\bycaow.exe

File PE Metadata
Compilation timestamp:
10/29/2010 8:19:22 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:dD3L/rBR5Xus1nP9X5BunQROXKZscNaN1PjYA9ndSA:Z/funQous9YGdSA

Entry address:
0xC988

Entry point:
55, 8B, EC, 81, EC, DC, 00, 00, 00, 8B, 0D, 48, BA, 42, 00, 6A, B9, 51, 51, 6A, 8D, 51, E8, 1C, 16, 00, 00, 83, C4, 14, 53, 83, C8, 45, 89, 45, FC, 56, B8, D6, 00, 00, 00, 83, F0, 40, 89, 45, FC, 57, BA, 3E, 00, 00, 00, 50, 68, 00, 1E, 0D, 70, 50, 52, E8, F3, 15, 00, 00, 83, C4, 10, 03, C0, 68, 00, 1B, FD, 7E, 6A, A9, 68, 00, 30, 67, B0, 6A, E3, E8, DB, 15, 00, 00, 83, C4, 10, 68, 9B, 00, 00, 00, 68, D9, 00, 00, 00, FF, 15, 74, A2, 42, 00, 89, 45, FC, 89, 45, E8, 83, F8, A1, 75, 2A, 8B, D0, 83, FA, 73, 74...

Entropy:
7.8289

Developed / compiled with:
Microsoft Visual C++

Code size:
136 KB (139,264 bytes)

Scheduled Task
Task name:
Security Center Update - 2800920196

Trigger:
Daily (Runs daily at 4:00 PM)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to pe-in-f95.1e100.net  (74.125.20.95:80)

TCP (HTTP):
Connects to ny1-g013.intellitxt.com  (199.16.172.21:80)

TCP (HTTP):
Connects to mpr1.ngd.vip.gq1.yahoo.com  (216.39.55.12:80)

TCP (HTTP):
Connects to mallet9.wikipolo.com  (46.244.10.228:80)

TCP (HTTP):
Connects to lax02s01-in-f5.1e100.net  (74.125.224.165:80)

TCP (HTTP):
Connects to lax02s01-in-f4.1e100.net  (74.125.224.164:80)

TCP (HTTP):
Connects to lax02s01-in-f28.1e100.net  (74.125.224.188:80)

TCP (HTTP):
Connects to lax02s01-in-f26.1e100.net  (74.125.224.186:80)

TCP (HTTP):
Connects to float.500.bm-impbus.prod.lax1.adnexus.net  (68.67.128.127:80)

TCP (HTTP):
Connects to float.493.bm-impbus.prod.lax1.adnexus.net  (68.67.128.56:80)

TCP (HTTP):
Connects to float.488.bm-impbus.prod.lax1.adnexus.net  (68.67.128.58:80)

TCP (HTTP):
Connects to float.1421.bm-impbus.prod.lax1.adnexus.net  (68.67.128.24:80)

TCP (HTTP):
Connects to ec2-54-84-145-193.compute-1.amazonaws.com  (54.84.145.193:80)

TCP (HTTP):
Connects to ec2-54-84-115-222.compute-1.amazonaws.com  (54.84.115.222:80)

TCP (HTTP):
Connects to ec2-54-243-253-201.compute-1.amazonaws.com  (54.243.253.201:80)

TCP (HTTP):
Connects to ec2-54-209-41-227.compute-1.amazonaws.com  (54.209.41.227:80)

TCP (HTTP):
Connects to ec2-50-18-55-208.us-west-1.compute.amazonaws.com  (50.18.55.208:80)

TCP (HTTP):
Connects to ec2-50-18-52-21.us-west-1.compute.amazonaws.com  (50.18.52.21:80)

TCP (HTTP):
Connects to cdn-68-142-123-254.dal.llnw.net  (68.142.123.254:80)

TCP (HTTP):
Connects to a172-233-55-123.deploy.static.akamaitechnologies.com  (172.233.55.123:80)

Remove bycaow.exe - Powered by Reason Core Security