cuddiwegtocu.exe

The executable cuddiwegtocu.exe has been detected as malware by 3 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the value name 'cuddiwegtocu'. While running, it connects to the Internet address 140.ip-198-134-28.wolfpaw.net on port 80 using HTTP.
MD5:
ab5f1bf8ac97feaf19c006e23abb930c

SHA-1:
82f9c190d4226ea432758da4b454090eaa1e69ec

SHA-256:
92f65cf1bfb5ca656b998679a4451ace434b22d6032849ed1485fbcc305e8ee5

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
4/29/2024 3:55:22 AM UTC

Scan engine    Detection                    Engine version
Dr.Web         Trojan.DownLoad.64914        9.0.1.05190
ESET NOD32     Win32/Kryptik.CLMX trojan    6.3.12010.0
F-Secure       Variant.Zusy.108028          5.15.154

File size:
115 KB (117,760 bytes)

File type:
Executable application (Win32 EXE)

Language:
Greek (Greece)

Common path:
C:\users\administrator\cuddiwegtocu.exe

File PE Metadata
Compilation timestamp:
9/18/2014 4:42:49 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

Entry address:
0x4A1A

Entry point:
E8, 5A, 0A, 00, 00, E9, 28, F0, 00, 00, 55, 8B, EC, 83, EC, 20, A1, 88, C1, 41, 00, 33, C5, 89, 45, FC, 53, 8B, 5D, 0C, 56, 8B, 75, 08, 57, E8, A8, F8, 00, 00, 8B, F8, 33, F6, 3B, FE, 89, 7D, 08, 75, 0E, 8B, C3, E8, B7, F6, 00, 00, 33, C0, E9, 65, 01, 00, 00, 89, 75, E4, 33, C0, 39, B8, A0, BF, 41, 00, 74, 67, FF, 45, E4, 83, C0, 30, 3D, F0, 00, 00, 00, 72, EB, 8D, 45, E8, 50, 57, FF, 15, 30, 61, 41, 00, 85, C0, 0F, 84, 29, 01, 00, 00, 68, 01, 01, 00, 00, 8D, 43, 1C, 56, 50, E8, D9, FD, 00, 00, 33, D2, 42...

Entropy:
6.4729

Code size:
82.5 KB (84,480 bytes)
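The PE metadata above (compilation timestamp, OS version, bitness, subsystem, linker version, entry RVA, code size, entropy) all comes from the DOS header, COFF header and PE32 optional header, plus a byte-frequency count over the file. The following is an added example, not code from the report or from Reason Core Security: it builds a constructed PE header carrying the values listed above (the bytes are not the sample's; section count, image base and alignments are assumed), parses those fields back out the way an analyst tool does, and computes Shannon entropy. Two caveats a practitioner should keep in mind: TimeDateStamp is written by the linker and trivially forged, so a 2014 compile date on a 2024 sample proves nothing; and whole-file entropy such as 6.47 is moderate, whereas packed or crypted payloads (ESET's Kryptik name is its generic label for obfuscated samples) usually push a section above 7.0, so entropy is more telling per section than per file.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x014C: "x86 (Win32)", 0x8664: "x64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def build_sample_pe() -> bytes:
    """Constructed stand-in for the sample: DOS header, PE signature, COFF header
    and PE32 optional header filled with the values this report lists. These are
    NOT the bytes of cuddiwegtocu.exe; only the header fields are modelled, and
    the 'code' appended after the headers is the entry-point byte run printed
    above. Section count, image base and alignments are assumed values."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    timestamp = int(datetime(2014, 9, 18, 16, 42, 49, tzinfo=timezone.utc).timestamp())
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
        3,           # NumberOfSections (assumed)
        timestamp,   # TimeDateStamp (report: 9/18/2014 4:42:49 PM, taken as UTC)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader for PE32
        0x0102,      # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    )
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHH",
        0x010B,                      # Magic: PE32 (Win32)
        7, 0,                        # Major/MinorLinkerVersion -> "7.0"
        84480,                       # SizeOfCode (report: 82.5 KB)
        0, 0,                        # SizeOfInitializedData, SizeOfUninitializedData
        0x4A1A,                      # AddressOfEntryPoint (RVA)
        0x1000, 0x16000, 0x400000,   # BaseOfCode, BaseOfData, ImageBase (assumed)
        0x1000, 0x200,               # SectionAlignment, FileAlignment (assumed)
        5, 1,                        # Major/MinorOperatingSystemVersion -> "5.1"
        0, 0,                        # Major/MinorImageVersion
        5, 1,                        # Major/MinorSubsystemVersion
        0,                           # Win32VersionValue
        0x1A000, 0x400, 0,           # SizeOfImage, SizeOfHeaders, CheckSum (assumed)
        2,                           # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
        0,                           # DllCharacteristics
    ).ljust(0xE0, b"\x00")
    # First bytes of the entry-point dump from the report, used as stand-in code.
    entry_bytes = bytes.fromhex(
        "E8 5A 0A 00 00 E9 28 F0 00 00 55 8B EC 83 EC 20 A1 88 C1 41 00 33 C5 "
        "89 45 FC 53 8B 5D 0C 56 8B 75 08 57 E8 A8 F8 00 00"
    )
    return dos + b"PE\x00\x00" + coff + opt + entry_bytes


def parse_pe_header(data: bytes) -> dict:
    """Read the header fields a malware report lists, without third-party libraries."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, _nsections, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20                       # COFF header is 20 bytes
    magic, lmaj, lmin, size_of_code, _, _, entry_rva = struct.unpack_from("<HBBIIII", data, opt_off)
    os_maj, os_min = struct.unpack_from("<HH", data, opt_off + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt_off + 68)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "bitness": {0x10B: "Win32", 0x20B: "Win64"}.get(magic, "unknown"),
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),  # forgeable!
        "linker_version": f"{lmaj}.{lmin}",
        "os_version": f"{os_maj}.{os_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed code tends to exceed 7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    sample = build_sample_pe()
    for key, value in parse_pe_header(sample).items():
        print(f"{key:>15}: {value}")
    print(f"        entropy: {shannon_entropy(sample):.4f}")
```

To confirm you are holding the same sample the report describes, translate the entry RVA (0x4A1A) to a file offset via the section table (not parsed here) and compare the bytes there with the entry-point dump above; a hash match is stronger still, but the entry-point bytes survive trivial re-hashing tricks such as appended padding.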

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
cuddiwegtocu

Command:
C:\users\administrator\cuddiwegtocu.exe
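The persistence here is the plainest kind: a value under the current user's Run key whose command points at an .exe sitting directly in a profile root (C:\users\administrator\...), rather than under Program Files or a vendor folder. The check below is an added example, not tooling from the report or from Reason Core Security: it enumerates HKCU\...\Run on a Windows host (returning nothing elsewhere), pulls the image path out of each command, hashes the image against the MD5/SHA-1/SHA-256 listed above, and flags entries by value name, by the profile-root heuristic, and by hash. The value name and hashes are copied from this report; the profile-root rule is an assumed heuristic and will also flag legitimate user-installed programs, so treat it as a triage hint.

```python
import hashlib
from pathlib import PureWindowsPath

# Indicators copied from this report.
REPORT_HASHES = {
    "md5": "ab5f1bf8ac97feaf19c006e23abb930c",
    "sha1": "82f9c190d4226ea432758da4b454090eaa1e69ec",
    "sha256": "92f65cf1bfb5ca656b998679a4451ace434b22d6032849ed1485fbcc305e8ee5",
}
REPORT_RUN_NAMES = {"cuddiwegtocu"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of an in-memory buffer, keyed like REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same digests for a file on disk, read in chunks so large binaries fit."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_path(command: str) -> str:
    """Extract the executable from a Run value. Quoted paths may carry arguments;
    an unquoted path is taken up to the first space (a known limitation for
    unquoted paths that themselves contain spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_entry(name: str, command: str, hashes=None) -> list:
    """Return the reasons an autorun entry looks suspicious (empty list = no finding)."""
    reasons = []
    path = PureWindowsPath(image_path(command))
    parts = [p.lower() for p in path.parts]
    if name.lower() in REPORT_RUN_NAMES:
        reasons.append("value name matches the report")
    # C:\users\<account>\<file>.exe -> exactly four path components, second is
    # 'users': an executable dropped straight into a profile root (assumed heuristic).
    if len(parts) == 4 and parts[1] == "users" and path.suffix.lower() == ".exe":
        reasons.append("executable runs directly from a user profile root")
    if hashes and any(hashes.get(k) == v for k, v in REPORT_HASHES.items()):
        reasons.append("file hash matches the report")
    return reasons


def enumerate_run_key() -> list:
    """Read the HKCU Run values on Windows; returns [] where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:          # raised when no more values remain
                break
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    for name, command in enumerate_run_key():
        try:
            hashes = hash_file(image_path(command))
        except OSError:              # image missing or unreadable: still assess by name/path
            hashes = None
        for reason in assess_run_entry(name, command, hashes):
            print(f"{name}: {command} -> {reason}")
```

HKCU\...\Run is writable by any unprivileged user, which is why it is such a common choice; the path under the Administrator profile only tells you which account ran the sample during analysis. Check HKLM\...\Run, the RunOnce keys and scheduled tasks as well, since this report only records the one location the sample used.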


The following network connections were observed from the running file in live environments. The host names shown are mostly reverse-DNS (PTR) names of the destination IPs, not the HTTP Host headers the sample requested, and several of them resolve to shared-hosting providers, so an IP on this list is a weak indicator on its own and blocking it may affect unrelated sites. The wolfpaw.net host named in the summary above does not appear in this list.

TCP (HTTP):
Connects to timetec.ru  (92.63.110.230:80)

TCP (HTTP):
Connects to pcg.com  (70.32.76.86:80)

TCP (HTTP):
Connects to 147.62.236.23.bc.googleusercontent.com  (23.236.62.147:80)

TCP (HTTP):
Connects to p3nw8shg500.shr.prod.phx3.secureserver.net  (45.40.164.130:80)

TCP (HTTP):
Connects to cargoro.com  (211.206.123.37:80)

TCP (HTTP):
Connects to bossinst.indiehosting.org  (198.211.98.85:80)

TCP (HTTP):
Connects to bh-41.webhostbox.net  (204.11.58.28:80)

TCP (HTTP):
Connects to generic114.mxout.managed.com  (70.34.33.191:80)

TCP (HTTP):
Connects to fd.52.564a.ip4.static.sl-reverse.com  (74.86.82.253:80)

TCP (HTTP):
Connects to ip-132-148-80-235.ip.secureserver.net  (132.148.80.235:80)

TCP (HTTP):
Connects to hostedc45.carrierzone.com  (216.55.149.9:80)

TCP (HTTP):
Connects to 115.208-92-208.reverse.enterhost.com  (208.92.208.115:80)

TCP (HTTP):
Connects to www410.sakura.ne.jp  (59.106.13.40:80)

TCP (HTTP):
Connects to winmail01.sx-it.com  (195.230.181.117:80)

TCP (HTTP):
Connects to n-a-m.ru  (185.4.74.63:80)

TCP (HTTP):
Connects to li1098-117.members.linode.com  (213.219.39.117:80)

TCP (HTTP):
Connects to ip158.ip-5-39-12.eu  (5.39.12.158:80)

TCP (HTTP):
Connects to hostings.com  (45.79.143.139:80)

TCP (HTTP):
Connects to hosting.marketingpro-server1.com  (207.58.182.49:80)

TCP (HTTP):
Connects to host33.arit.cz  (77.78.106.223:80)
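Turning this list into something usable in a SIEM means parsing the "Connects to host (ip:port)" lines into IOC records, marking the ones that are just provider reverse-DNS names as low confidence, and matching destination IPs in proxy or firewall logs. The script below is an added example, not part of the report or of Reason Core Security's tooling. It embeds a subset of the lines above (the parser accepts the full list), a constructed log excerpt, and an assumed list of hosting-provider suffixes; the "PTR-style name" test (host name containing at least three octets of its own IP) is a heuristic of mine, not a fact from the page.

```python
import re

# A subset of the connection lines copied from the report above.
REPORT_LINES = """\
TCP (HTTP):
Connects to timetec.ru  (92.63.110.230:80)

TCP (HTTP):
Connects to 147.62.236.23.bc.googleusercontent.com  (23.236.62.147:80)

TCP (HTTP):
Connects to ip-132-148-80-235.ip.secureserver.net  (132.148.80.235:80)

TCP (HTTP):
Connects to fd.52.564a.ip4.static.sl-reverse.com  (74.86.82.253:80)

TCP (HTTP):
Connects to cargoro.com  (211.206.123.37:80)
"""

CONNECT_RE = re.compile(r"Connects to (\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumption: reverse-DNS suffixes of hosting providers seen in this list. A hit
# on one of these IPs is shared-hosting traffic until the Host header says otherwise.
SHARED_HOSTING_SUFFIXES = (
    "secureserver.net", "googleusercontent.com", "sl-reverse.com", "webhostbox.net",
    "members.linode.com", "carrierzone.com", "enterhost.com", "sakura.ne.jp",
)


def is_ptr_style(host: str, ip: str) -> bool:
    """Heuristic: a name that embeds three or more octets of its own IP is a PTR record."""
    tokens = set(re.split(r"[.-]", host))
    return sum(octet in tokens for octet in ip.split(".")) >= 3


def parse_iocs(text: str) -> list:
    """Turn the report's 'Connects to host (ip:port)' lines into IOC records."""
    iocs = []
    for host, ip, port in CONNECT_RE.findall(text):
        low = is_ptr_style(host, ip) or host.endswith(SHARED_HOSTING_SUFFIXES)
        iocs.append({"host": host, "ip": ip, "port": int(port),
                     "confidence": "low" if low else "medium"})
    return iocs


def scan_log(lines: list, iocs: list) -> list:
    """Match any IPv4 address in each log line against the IOC set.
    Returns (line_no, ip, report_host, confidence) tuples."""
    by_ip = {ioc["ip"]: ioc for ioc in iocs}
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in by_ip:
                hits.append((line_no, ip, by_ip[ip]["host"], by_ip[ip]["confidence"]))
    return hits


# Constructed proxy-log excerpt (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    "2024-04-29T03:55:22Z 10.20.0.15:49731 -> 92.63.110.230:80 GET http://timetec.ru/",
    "2024-04-29T03:55:23Z 10.20.0.15:49732 -> 132.148.80.235:80 GET http://shop.example/",
    "2024-04-29T03:56:01Z 10.20.0.22:51002 -> 203.0.113.10:443 CONNECT www.example.com:443",
]

if __name__ == "__main__":
    iocs = parse_iocs(REPORT_LINES)
    for line_no, ip, host, confidence in scan_log(SAMPLE_LOG, iocs):
        print(f"line {line_no}: {ip} ({host}) confidence={confidence}")
```

Where the proxy logs the HTTP Host header, match on that as well: a request to 132.148.80.235 with a Host of some unrelated tenant is almost certainly noise, whereas the same IP with no Host or an IP-literal Host is worth a closer look. Age the indicators too: shared-hosting IPs and compromised sites change hands quickly, and this report is dated above.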

Remove cuddiwegtocu.exe - Powered by Reason Core Security