Havij.exe

Havij

ITSecTeam

The executable Havij.exe (“Advanced SQL Injection Tool”) has been detected as malware by 10 anti-virus scanners. While running, it connects to the Internet address p3nlhg750c1750.shr.prod.phx3.secureserver.net on port 80 using the HTTP protocol.
Publisher: ITSecTeam
Product: Havij
Description: Advanced SQL Injection Tool
Version: 1.16
MD5: a9985fd7ba9b20f84f65d924656e8d52
SHA-1: f79c9e82de92ae8271961ca455ca450b5d166d1f
SHA-256: e9ddb4f8036a3885a32f7ca720079d038bb97b2fbc30e1cf3e4dfe079fb3d7d3
Scanner detections: 10 / 68
Status: Malware
Analysis date: 6/19/2018 3:23:47 PM UTC

Scan engine            Detection                                         Engine version
AVG                    Luhe.Fiha.A                                       2014.0.3616
Bkav FE                W32.HfsAutoA                                      1.3.0.4613
Comodo Security        UnclassifiedMalware                               17460
Dr.Web                 Tool.Siggen.9903                                  9.0.1.0357
Kingsoft AntiVirus     Win32.Troj.Undef.(kcloud)                         331020.49267
McAfee Web Gateway     Heuristic.LooksLike.Win32.SuspiciousPE.N!87       7.7272
Norman                 Suspicious_Gen4.ANWIS                             11.20131223
Reason Heuristics      Unnamed.Threat.14                                 14.3.3.12
VIPRE Antivirus        Trojan.Win32.Generic                              24494
XVirus List            Win.Detected                                      2.3.31

File size: 3.1 MB (3,268,608 bytes)
Product version: 1.16
Copyright: Copyright © 2009-2012
Trademarks: ITSecTeam
Original file name: Havij.exe
File type: Executable application (Win32 EXE)
Language: English (United States)
Common path: C:\Windows\System32\havijpro\havij.exe

File PE Metadata
Compilation timestamp: 6/7/2012 5:35:36 PM
OS version: 5.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 6.0
CTPH (ssdeep): 98304:24j+2v3lqrveF1ftxpbBpmeAaDnwEv80:24rN4i/FpFDnwEv
Entry address: 0x50F40B

Code size: 1.8 MB (1,843,200 bytes)

The executing file has been seen to make the following network communications in live environments.

