home

IMG.exe

EZXmONwjiGgQZLgcV

Max Programming, S.L.

The executable IMG.exe, “7oPTB4GUeeiLNOyRI” has been detected as malware by 20 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Update’.
Publisher:
3PJ7NUgBO5H4Tp46H  (signed by Max Programming, S.L.)

Product:
EZXmONwjiGgQZLgcV

Description:
7oPTB4GUeeiLNOyRI

Version:
32.90.39.71

MD5:
ca1c0c0918a086c19992024eb34a8143

SHA-1:
ad338df1fd703aaa7e2e4d2ad57c3ce186aea30b

SHA-256:
b025c89ecd258f607f24ade8eccc943b8f16ef4da74624f35f45b46b1425a504

Scanner detections:
20 / 68

Status:
Malware

Analysis date:
4/26/2024 4:36:42 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Razy.139595
-23

AegisLab AV Signature
Troj.W32.DarkSoda.mfYH
2.1.4+

AhnLab V3 Security
Trojan/Win32.Kryptik.C1384949
3.8.3.16

Avira AntiVirus
TR/Dropper.MSIL.wkuwl
8.3.3.4

Arcabit
Trojan.Razy.D2214B
1.0.0.795

avast!
Win32:Malware-gen
2014.9-170227

AVG
Atros5
2018.0.2455

Baidu Antivirus
Win32.Trojan.WisdomEyes.16070401.9500
4.0.3.17227

Bitdefender
Gen:Variant.Razy.139595
1.0.20.290

Dr.Web
Trojan.Inject2.38733
9.0.1.058

ESET NOD32
MSIL/GenKryptik.VSA (variant)
11.15002

Fortinet FortiGate
MSIL/GenKryptik.VPA!tr
2/27/2017

F-Secure
Gen:Variant.Razy.139595
11.2017-27-02_2

G Data
Win32.Trojan.Agent.AQIKGP
17.2.25

IKARUS anti.virus
Win32.SuspectCrc
0.2.1.2

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.-1231

McAfee
Packed-KA!CA1C0C0918A0
5600.6111

MicroWorld eScan
Gen:Variant.Razy.139595
18.0.0.174

Sophos
Mal/Generic-S
4.98

Trend Micro House Call
TROJ_GEN.R0E9H0DBQ17
7.2.58

File size:
1.7 MB (1,738,432 bytes)

Product version:
32.90.39.71

Copyright:
zBYicXGKK2qvrdQOK

Original file name:
IMG.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\img.exe

Digital Signature
Signed by:
Max Programming, S.L.

Authority:
COMODO CA Limited

Valid from:
2/20/2012 3:00:00 AM

Valid to:
2/20/2017 2:59:59 AM

Subject:
CN="Max Programming, S.L.", O="Max Programming, S.L.", STREET="C/La Mar, 4", L=Denia, S=Alicante, PostalCode=03700, C=ES

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FAFEFEA51201FA249373E0FA2EAED4C9

File PE Metadata
Compilation timestamp:
2/26/2017 11:01:43 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0xB3D2E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.9682

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
711.5 KB (728,576 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Update

Command:
C:\users\{user}\appdata\roaming\app.exe


Remove IMG.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.