home

for you.exe

The executable for you.exe has been detected as malware by 15 anti-virus scanners. The file has been seen being downloaded from dl-mail.ymail.com and multiple other hosts.
MD5:
38ca55c7c695e14bc80cfa46c80d64b3

SHA-1:
86d38ad2070e5f1eefa040a2a3aabc21eb2e5a14

SHA-256:
1b889e649c17ab62571ca14a436878772367b8554dcc4dfd86c2734dffa2e463

Scanner detections:
15 / 68

Status:
Malware

Analysis date:
4/27/2024 1:53:41 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clod1cf.Trojan
1.3.0.4959

ESET NOD32
Win32/Joke.ScreenRoses
8.9791

Fortinet FortiGate
Riskware/ScreenRoses
5/14/2014

F-Prot
W32/Joke.OA
v6.4.7.1.166

IKARUS anti.virus
Joke.Win32.ScreenRoses
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.177.12041

Malwarebytes
Backdoor.Hupigon
v2014.05.14.03

Microsoft Security Essentials
Joke:Win32/ScreenRoses
1.10502

NANO AntiVirus
Trojan.Win32.Gaobot.iawc
0.28.0.59826

Norman
Suspicious_Gen2.ADGOQ
11.20140514

Sophos
Screen Roses Joke
4.98

Trend Micro House Call
JOKE_ROSES
7.2.134

Trend Micro
JOKE_ROSES
10.465.14

VIPRE Antivirus
Backdoor.Graybird
29154

Zillya! Antivirus
Backdoor.Bifrose.Win32.79671
2.0.0.1786

File size:
895 KB (916,480 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\for you.exe

File PE Metadata
Compilation timestamp:
6/27/2022 7:08:36 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:GpxFJOSCU0uEzItyXGcIfVG3P0Sz8tnhnTn8ZOQ5lyR:GFMZTMt3ccG3PV8tn1DQ5lq

Entry address:
0x1000

Entry point:
A1, 5A, 80, 40, 00, C1, E0, 02, A3, 5E, 80, 40, 00, 57, 51, 33, C0, BF, 38, 95, 40, 00, B9, 5C, C8, 40, 00, 3B, CF, 76, 05, 2B, CF, FC, F3, AA, 59, 5F, 64, 67, 8B, 16, 04, 00, 89, 15, 6E, 80, 40, 00, 8B, 42, F8, A3, 66, 80, 40, 00, 8B, 42, FC, A3, 6A, 80, 40, 00, 83, EA, 04, 89, 15, 94, 95, 40, 00, 83, EA, 04, 3B, D4, 73, 02, 8B, E2, 6A, 00, E8, 2F, 27, 00, 00, 59, 68, 2C, 80, 40, 00, 6A, 00, E8, EB, 64, 00, 00, A3, 62, 80, 40, 00, 6A, 00, E9, BC, 5A, 00, 00, E9, F3, 27, 00, 00, 00, 00, 00, 55, 8B, EC, 83...
 
[+]

Entropy:
3.8968

Code size:
26 KB (26,624 bytes)

The file for you.exe has been seen being distributed by the following 3 URLs.

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-2CkbOjMbG5MfHO1kbHx-yIU5_YwNxBJ6_DwC4iFb7QQPWEnZYGDy8gaYkaAXla48/messages/@.id==ADNuUtQAAIB0Tyqingpm4gsZdQw/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBYD7l07nKjo05NKB--z0l3sswoYs4DB-apoDxx6WuOxDQ&error=https://pl-mg42.mail.yahoo.com/.../iframemsg?id=48b4054d-951b-a6ab-a548-19fc5fc08078&ymreqid=ad6de1e8-ccdf-4090-0118-d70014010000

http://win.attachmail.ru/.../att_zip?file=Surprise.EXE&rid=37681710942174313553817934879158385927&mode=attachment-zip&id=13311126490000000622;0;1

https://mail.mums.ac.ir/.../attachment.ashx?attach=1&id=RgAAAAAomdoacVXOR4jzr36V293bBwAIjgxYoSoDSKJe7Yxql4yfAACHd4DwAABZz6Y6W RnSYlsLE8PGTzPAJu39qCrAAAJ&attid0=EADmz374gs3NRoyVfa0YgD8u&attcnt=1

Remove for you.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.