Havij.exe

Havij

ITSecTeam

The executable Havij.exe, “Advanced SQL Injection Tool” has been detected as malware by 8 anti-virus scanners. While running, it connects to the Internet address p3nlhg750c1750.shr.prod.phx3.secureserver.net on port 80 using the HTTP protocol.
Publisher:
ITSecTeam

Product:
Havij

Description:
Advanced SQL Injection Tool

Version:
1.16

MD5:
a9985fd7ba9b20f84f65d924656e8d52

SHA-1:
f79c9e82de92ae8271961ca455ca450b5d166d1f

SHA-256:
e9ddb4f8036a3885a32f7ca720079d038bb97b2fbc30e1cf3e4dfe079fb3d7d3

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
10/21/2018 6:12:46 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
Luhe.Fiha.A
2014.0.3616

Bkav FE
W32.HfsAutoA
1.3.0.4613

Comodo Security
UnclassifiedMalware
17460

Dr.Web
Tool.Siggen.9903
9.0.1.0357

Norman
Suspicious_Gen4.ANWIS
11.20131223

Reason Heuristics
Unnamed.Threat.14
14.3.3.12

VIPRE Antivirus
Trojan.Win32.Generic
24494

XVirus List
Win.Detected
2.3.31

File size:
3.1 MB (3,268,608 bytes)

Product version:
1.16

Copyright:
Copyright © 2009-2012

Trademarks:
ITSecTeam

Original file name:
Havij.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\havijpro\havij.exe

File PE Metadata
Compilation timestamp:
6/7/2012 5:35:36 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:24j+2v3lqrveF1ftxpbBpmeAaDnwEv80:24rN4i/FpFDnwEv

Entry address:
0x50F40B

Entry point:
E8, 89, 14, 00, 00, F9, BA, 63, 4C, 16, FC, 9A, C1, 39, CC, 0E, 00, F8, 93, 1B, BD, E0, 84, B6, AE, 94, BE, EF, 72, D0, 90, 9F, 4B, 74, F5, FB, FD, 04, 60, C3, 71, 7C, 52, 2C, 77, 4B, 1D, 59, 2C, 6E, 06, 58, C0, 02, 2C, 8F, 79, C9, F6, 07, 17, 7F, DD, 90, E6, A1, 2F, C4, 37, 23, 0C, 2C, D2, 8B, 9B, 15, 1D, B7, 87, D5, 01, DF, AC, 42, B1, A5, 8A, A6, 50, 78, 54, 0B, 9B, 1F, D6, 2D, 5B, 20, 65, 4A, 0B, 16, DE, 69, 69, F1, 63, C2, 89, AF, 0A, 59, 12, E0, DD, B7, 1B, FC, DD, B8, 03, AC, 18, 80, D0, 71, 75, 8D...
 
[+]

Code size:
1.8 MB (1,843,200 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to linux317.grserver.gr  (185.4.133.4:80)

TCP (HTTP):
Connects to cp285.ezyreg.com  (27.121.66.85:80)

TCP (HTTP):
Connects to static.215.37.201.138.clients.your-server.de  (138.201.37.215:80)

TCP (HTTP):
Connects to stroncij.avalon.hr  (185.58.73.29:80)

TCP (HTTP):
Connects to pleskcl0153.hospedagemdesites.ws  (186.202.126.213:80)

TCP (HTTP):
Connects to p9pn-i.geo.vip.bf1.yahoo.com  (98.139.135.129:80)

TCP (HTTP):
Connects to p3nlhg750c1750.shr.prod.phx3.secureserver.net  (50.62.127.1:80)

TCP (HTTP):
Connects to p3nlhg1012c2012.shr.prod.phx3.secureserver.net  (50.62.242.1:80)

TCP (HTTP):
Connects to ip-107-180-41-94.ip.secureserver.net  (107.180.41.94:80)

TCP (HTTP):
Connects to host.getdomainnow.com  (67.225.252.161:80)

TCP (HTTP):
Connects to ec2-54-201-8-54.us-west-2.compute.amazonaws.com  (54.201.8.54:80)

TCP (HTTP):
Connects to apache2-pat.miller.dreamhost.com  (208.113.197.210:80)

TCP (HTTP):
Connects to 203-69-42-167.hihosting.hinet.net  (203.69.42.167:80)

TCP (HTTP):
Connects to 196.136.196.104.bc.googleusercontent.com  (104.196.136.196:80)

TCP (HTTP):
Connects to 190-202-51-110.genericrev.cantv.net  (190.202.51.110:80)

Remove Havij.exe - Powered by Reason Core Security