gerwahr.exe

The executable gerwahr.exe has been detected as malware by 1 of 68 anti-virus scanners. It installs itself as a Windows service with the display name "dzcbgxh" (service name "doxpohslgh"). While running, it connects to Internet hosts such as smtp.vgs.netzero.com on port 587, one of a list of mail servers detailed in the network section below.
MD5:
85bc351be92dde1a0194cdc1a72baf98

SHA-1:
c18cc9cbc6d4c21b2ea882759fa7e794474409d0

SHA-256:
c5ff41884d0d184f4b11f653ebd19c276d94bbc31429e936498bb314a6b698f3

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/29/2024 2:05:05 PM UTC

Scan engine         Detection     Engine version
Reason Heuristics   Trojan.Delf   17.2.8.20

File size:
436 KB (446,464 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\gerwahr.exe

File PE Metadata
Compilation timestamp:
4/9/2002 12:26:48 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x5AF73

Entry point:
8B, D1, 11, C2, F6, D1, 19, CA, 87, CA, 86, EA, 4A, B9, 8D, C1, 33, DF, FE, C6, 8D, 10, 68, 50, 69, 00, 00, F8, 58, 87, D2, 86, EA, 86, E9, 87, C9, E9, F1, FE, FF, FF, 00, EA, 84, 00, 27, 54, 6C, 67, 9E, 00, 2E, 3D, 1D, 81, AF, 00, F1, 67, 00, 7B, C0, 11, 39, 70, 67, 00, E1, A8, 00, B3, 5E, 67, 36, 7B, 42, EE, 58, 00, 47, 30, 00, 08, 00, 6D, DB, 1B, 00, 3E, 00, 31, C2, D4, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.4875

Code size:
356.5 KB (365,056 bytes)

Service
Display name:
dzcbgxh

Service name:
doxpohslgh

Type:
Win32OwnProcess, InteractiveProcess


The executing file has been seen to make the following network communications in live environments. Sixteen of the twenty destinations are mail servers on ports 25 (SMTP), 465 (SMTPS) and 587 (SMTP submission), a pattern consistent with a host sending mail directly to foreign providers rather than through a local relay; the remaining four are HTTP connections on port 80.

Protocol                Host                        Address
TCP (SMTP submission)   smtpauth.wanadoo.fr         193.252.22.86:587
TCP (SMTP)              smtp.free.fr                212.27.48.4:25
TCP (SMTP)              mx.poczta.onet.pl           213.180.147.146:25
TCP (SMTP)              emig-v2.freenet.de          195.4.92.217:25
TCP (SMTP)              mx-ha02.web.de              212.227.17.8:25
TCP (SMTPS)             poczta.o2.pl                193.17.41.99:465
TCP (SMTP)              mx1.hotmail.com             65.55.33.119:25
TCP (SMTP)              mbr14.mynet.com             212.101.98.165:25
TCP (HTTP)              yt95for-storage.uferas.com  95.211.125.236:80
TCP (SMTP submission)   smtp.vgs.netzero.com        64.136.52.50:587
TCP (SMTPS)             smtp.laposte.net            194.117.213.7:465
TCP (HTTP)              scp18.hosting.reg.ru        37.140.192.127:80
TCP (SMTP)              pinpoint-mx1.synaq.com      196.37.40.69:25
TCP (SMTP)              m14-164.188.com             220.181.14.164:25
TCP (HTTP)              zeus2.travelsoft.ru         217.29.51.172:80
TCP (SMTP)              tsemx.telenor.se            195.54.108.94:25
TCP (SMTPS)             smtp.vgs.juno.com           64.136.52.45:465
TCP (SMTP)              smtp.talktalk.net           62.24.202.43:25
TCP (SMTP submission)   smtp.poczta.onet.pl         213.180.147.145:587
TCP (SMTP submission)   smtp.mail.com               74.208.5.15:587
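The indicators on this page (file hashes, service and display name, install path, and the destination addresses) are most useful turned into something that can be run over host and network telemetry. The script below is an added example and is not code from Reason Core Security or from the report: the indicator values are copied from the page, while the firewall log format ("timestamp src -> dst:port proto"), the log lines and the hosts 10.0.0.23, 10.0.0.5 and 10.0.0.42 are constructed for the demonstration. Besides exact (ip, port) matches it adds a fan-out rule, because the IPs above will rot while the behaviour (one workstation talking SMTP directly to many foreign mail servers) will not.

```python
"""Match the gerwahr.exe indicators above against host and network telemetry.

Added example, not code from the Reason Core Security page. The indicator
values are copied from the report; the log format and the log lines are
constructed for the demonstration.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict

# File hashes, service names and install path listed in the report.
FILE_HASHES = {
    "md5": "85bc351be92dde1a0194cdc1a72baf98",
    "sha1": "c18cc9cbc6d4c21b2ea882759fa7e794474409d0",
    "sha256": "c5ff41884d0d184f4b11f653ebd19c276d94bbc31429e936498bb314a6b698f3",
}
SERVICE_NAMES = {"doxpohslgh", "dzcbgxh"}   # service name and display name
COMMON_PATH = r"c:\windows\gerwahr.exe"

# (ip, port) pairs from the report's network section.
KNOWN_DESTS = {
    ("193.252.22.86", 587), ("212.27.48.4", 25), ("213.180.147.146", 25),
    ("195.4.92.217", 25), ("212.227.17.8", 25), ("193.17.41.99", 465),
    ("65.55.33.119", 25), ("212.101.98.165", 25), ("95.211.125.236", 80),
    ("64.136.52.50", 587), ("194.117.213.7", 465), ("37.140.192.127", 80),
    ("196.37.40.69", 25), ("220.181.14.164", 25), ("217.29.51.172", 80),
    ("195.54.108.94", 25), ("64.136.52.45", 465), ("62.24.202.43", 25),
    ("213.180.147.145", 587), ("74.208.5.15", 587),
}
MAIL_PORTS = {25, 465, 587}   # SMTP, SMTPS, SMTP submission

# Constructed firewall log (not real traffic): "<timestamp> <src> -> <dst>:<port> <proto>".
# 10.0.0.23 is an infected workstation, 10.0.0.5 an internal mail relay, 10.0.0.42 idle.
SAMPLE_LOG = """\
2024-04-29T14:00:01Z 10.0.0.23 -> 64.136.52.50:587 tcp
2024-04-29T14:00:02Z 10.0.0.23 -> 212.27.48.4:25 tcp
2024-04-29T14:00:02Z 10.0.0.23 -> 213.180.147.146:25 tcp
2024-04-29T14:00:03Z 10.0.0.23 -> 195.4.92.217:25 tcp
2024-04-29T14:00:03Z 10.0.0.23 -> 193.17.41.99:465 tcp
2024-04-29T14:00:04Z 10.0.0.23 -> 65.55.33.119:25 tcp
2024-04-29T14:00:05Z 10.0.0.23 -> 95.211.125.236:80 tcp
2024-04-29T14:00:06Z 10.0.0.23 -> 10.0.0.5:25 tcp
2024-04-29T14:00:07Z 10.0.0.5 -> 212.227.17.8:25 tcp
2024-04-29T14:00:08Z 10.0.0.42 -> 203.0.113.10:443 tcp
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def hash_matches(data: bytes) -> dict:
    """Return the algorithms whose digest of `data` equals the report's hash."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {alg: d for alg, d in digests.items() if d == FILE_HASHES[alg]}


def service_is_suspect(name: str, display_name: str, image_path: str = "") -> bool:
    """Flag a Windows service whose name, display name or binary path matches the report."""
    return (name.lower() in SERVICE_NAMES
            or display_name.lower() in SERVICE_NAMES
            or image_path.lower().strip('"') == COMMON_PATH)


def parse_log(text: str):
    """Yield (src, dst, port) tuples; lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"])


def known_destination_hits(text: str) -> list:
    """Connections to any (ip, port) the report attributes to gerwahr.exe."""
    return [(s, d, p) for s, d, p in parse_log(text) if (d, p) in KNOWN_DESTS]


def smtp_fanout(text: str, threshold: int = 5) -> dict:
    """Hosts that reach at least `threshold` distinct external mail servers.

    Internal (non-global) destinations are ignored so a real mail relay that
    accepts mail from workstations does not trip the rule; only the relay
    itself should be talking to foreign MX hosts.
    """
    per_host = defaultdict(set)
    for src, dst, port in parse_log(text):
        if port in MAIL_PORTS and ipaddress.ip_address(dst).is_global:
            per_host[src].add(dst)
    return {h: len(d) for h, d in per_host.items() if len(d) >= threshold}


if __name__ == "__main__":
    for hit in known_destination_hits(SAMPLE_LOG):
        print("known gerwahr.exe destination:", hit)
    print("SMTP fan-out:", smtp_fanout(SAMPLE_LOG))
    print("service match:", service_is_suspect("doxpohslgh", "dzcbgxh"))
```

On the constructed log the exact-match rule fires eight times, and the fan-out rule flags only 10.0.0.23 (six distinct external mail servers), not the relay 10.0.0.5. In a real deployment feed `known_destination_hits` and `smtp_fanout` from the firewall or NetFlow export and `service_is_suspect` from a service inventory (for example the output of Get-CimInstance Win32_Service), and treat a hash match from `hash_matches` on C:\windows\gerwahr.exe as confirmation rather than the first signal, since the page shows only one engine detecting the sample by heuristics.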

Remove gerwahr.exe - Powered by Reason Core Security