folkanjekyrw.exe

Aqeare

The executable folkanjekyrw.exe has been detected as malware by 43 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘folkanjekyrw’. While running, it connects to the Internet address ip-184-168-221-11.ip.secureserver.net on port 80 using the HTTP protocol.
Publisher:
Aqeare  (signed and verified)

MD5:
6ab2c594497a0d6fba627ee7dbcbb92e

SHA-1:
51c15e7a972b26b644330139329bf3e68563f368

SHA-256:
cf50530874fb941bcdf67415ecbc7dc43f689f5239769216668e69c9f60680c0

Scanner detections:
43 / 68

Status:
Malware

Analysis date:
9/22/2017 12:41:19 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Generic.KDV.744533 | 361
Agnitum Outpost | Trojan.Wigon | 7.1.1
AhnLab V3 Security | Win-Trojan/Pushdo.35768 | 2015.07.28
Avira AntiVirus | TR/Small.A.42 | 8.3.1.6
Antiy Labs AVL | Trojan[Backdoor]/Win32.Pushdo | 1.0.0.1
Arcabit | Trojan.Generic.KDV.DB5C55 | 1.0.0.425
avast! | Win32:Downloader-QSF [Trj] | 2014.9-160208
AVG | Dropper.Generic6 | 2017.0.2839
Baidu Antivirus | Backdoor.Win32.Pushdo | 4.0.3.1628
Bitdefender | Trojan.Generic.KDV.744533 | 1.0.20.195
Comodo Security | UnclassifiedMalware | 22874
Dr.Web | Trojan.DownLoader6.62576 | 9.0.1.039
ESET NOD32 | Win32/Wigon.PB | 10.12000
Fortinet FortiGate | W32/Pushdo.P!tr.bdr | 2/8/2016
F-Prot | W32/Trojan2.NTQJ | v6.4.7.1.166
F-Secure | Trojan.Generic.KDV.744533 | 11.2016-08-02_2
G Data | Trojan.Generic.KDV.744533 | 16.2.25
IKARUS anti.virus | Backdoor.Win32.Pushdo | t3scan.1.9.5.0
Jiangmin | Backdoor/Pushdo.m | KV160208
K7 AntiVirus | Trojan | 13.207.16692
K7 Gateway Antivirus | Trojan | 13.207.16693
Kaspersky | Backdoor.Win32.Pushdo | 14.0.0.692
Kingsoft AntiVirus | Win32.Malware.Generic.a.(kcloud) | 331020.49267
Malwarebytes | Trojan.Ransom.Gen | v2016.02.08.01
McAfee | PWS-Zbot.gen.apy | 5600.6495
McAfee Web Gateway | PWS-Zbot.gen.apy | 7.6495
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail.BV | 1.1.11903.0
MicroWorld eScan | Trojan.Generic.KDV.744533 | 17.0.0.117
NANO AntiVirus | Trojan.Win32.Wigon.yqsxh | 0.30.24.2668
nProtect | Trojan/W32.Small.35768 | 15.07.27.01
Panda Antivirus | Trj/OCJ.A | 16.02.08.01
Qihoo 360 Security | HEUR/Malware.QVM20.Gen | 1.0.0.1015
Quick Heal | Trojan.Small.rw5 | 2.16.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.1330280B!321923083 | 23.00.65.16206
Sophos | Mal/Generic-L | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Malfem | 9336
The Hacker | Trojan/Wigon.pb | 6.8.0.5.596
Total Defense | Win32/Tnega.AQOQ | 37.1.62.1
Trend Micro House Call | TROJ_SPNR.0BJ212 | 7.2.39
Trend Micro | TROJ_SPNR.0BJ212 | 10.465.08
Vba32 AntiVirus | Backdoor.Pushdo | 3.12.26.4
VIPRE Antivirus | Trojan-Downloader.Win32.Cutwail.bx | 42376
ViRobot | Backdoor.Win32.A.Pushdo.35768[h] | 2014.3.20.0

File size:
34.9 KB (35,768 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\user\folkanjekyrw.exe

Digital Signature
Signed by:

Authority:
Aqeare

Valid from:
12/31/2010 3:00:00 PM

Valid to:
12/31/2039 5:59:59 PM

Subject:
CN=Aqeare

Issuer:
CN=Aqeare

Serial number:
EB2DC79B7906D3B2404850553DA08396

File PE Metadata
Compilation timestamp:
2/26/2008 1:59:09 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:omNv3ZMQQR816OOPxxtOv3EhJ8/+qLJYPVXXA:RppMQQn5xHJ8Gq1YPRQ

Entry address:
0x24D4

Entry point:
E8, 49, 00, 00, 00, A3, BE, 42, 00, 0A, 6A, 00, E8, 43, 00, 00, 00, A3, 6C, 40, 00, 0A, E8, 2D, 00, 00, 00, A3, BA, 42, 00, 0A, 6A, 0A, FF, 35, BA, 42, 00, 0A, 6A, 00, FF, 35, 6C, 40, 00, 0A, E8, 42, FA, FF, FF, CC, FF, 25, 24, 30, 00, 0A, FF, 25, 20, 30, 00, 0A, FF, 25, 1C, 30, 00, 0A, FF, 25, 10, 30, 00, 0A, FF, 25, 00, 30, 00, 0A, FF, 25, 14, 30, 00, 0A, FF, 25, 0C, 30, 00, 0A, FF, 25, 08, 30, 00, 0A, FF, 25, 04, 30, 00, 0A, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.4790

Code size:
5.5 KB (5,632 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
folkanjekyrw

Command:
C:\users\user\folkanjekyrw.exe


The executing file has been seen to make the following network communications in live environments.


Remove folkanjekyrw.exe - Powered by Reason Core Security