home

kb799693963.exe

The executable kb799693963.exe has been detected as malware by 7 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘xibmimuzorxi’. While running, it connects to the Internet address www754.sakura.ne.jp on port 80 using the HTTP protocol.
Description:
test Microsoft

Version:
1, 0, 0, 1

MD5:
2820a89aa266b6498f1b9fb5de635ed7

SHA-1:
8cd5aaf52b26dfa8048ae2c97a2b1c5f6fd58228

SHA-256:
1436e336a19581ddab2e20cbef4711e42f4881dde380d55a5f20459104902e98

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
4/27/2024 10:12:14 AM UTC  (today)

Scan engine
Detection
Engine version

AegisLab AV Signature
Heur.Advml.Gen!c
2.1.4+

Baidu Antivirus
Win32.Trojan.WisdomEyes.16070401.9500
4.0.3.1714

ESET NOD32
Win32/Wigon.PH trojan
6.3.12010.0

Kaspersky
Trojan.Win32.Cutwail
15.0.2.529

McAfee
Artemis!2820A89AA266
5600.6164

Qihoo 360 Security
HEUR/QVM20.1.0000.Malware.Gen
1.0.0.1120

Rising Antivirus
Malware.Generic!zPKV9CKHuK@4 (thunder)
23.00.65.17102

File size:
183.6 KB (188,002 bytes)

Copyright:
(C) 2007

File type:
Executable application (Win32 EXE)

Language:
Greek (Greece)

Common path:
C:\users\{user}\appdata\local\temp\kb799693963.exe

File PE Metadata
Compilation timestamp:
12/22/2016 10:21:50 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
20.0

Entry address:
0x775D

Entry point:
55, 8B, EC, 68, 98, 8B, 40, 00, 6A, FF, 68, E4, 78, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, B8, 83, 40, 00, 59, 83, 0D, 9C, A1, 40, 00, FF, 83, 0D, A0, A1, 40, 00, FF, FF, 15, BC, 83, 40, 00, 8B, 0D, 90, A1, 40, 00, 89, 08, FF, 15, C0, 83, 40, 00, 8B, 0D, 8C, A1, 40, 00, 89, 08, A1, C4, 83, 40, 00, 8B, 00, A3, 98, A1, 40, 00, E8, 17, 01, 00, 00, 39, 1D, B0, A0, 40, 00, 75, 0C, 68, E0, 78, 40, 00, FF, 15, B4, 83...
 
[+]

Entropy:
7.2636

Developed / compiled with:
Microsoft Visual C++

Code size:
28 KB (28,672 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
xibmimuzorxi

Command:
C:\users\asus\xibmimuzorxi.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to sinkhole-01.sinkhole.tech  (95.211.174.92:80)

TCP (HTTP):
Connects to redirect-v225.secureserver.net  (184.168.47.225:80)

TCP (HTTP):
Connects to www754.sakura.ne.jp  (59.106.19.204:80)

TCP (HTTP):
Connects to cluster006.ovh.net  (213.186.33.17:80)

TCP (HTTP):
Connects to 62-210-140-158.rev.poneytelecom.eu  (62.210.140.158:80)

TCP (HTTP):
Connects to xaicom.net  (85.214.214.113:80)

TCP (HTTP):
Connects to ec2-54-236-195-15.compute-1.amazonaws.com  (54.236.195.15:80)

TCP (HTTP):
Connects to www52.pixabit.de  (37.59.218.52:80)

TCP (HTTP):
Connects to www2.nitrosell.com  (72.3.177.104:80)

TCP (HTTP):
Connects to www1.nitrosell.com  (72.3.177.107:80)

TCP (HTTP):
Connects to web2.connext.net  (96.91.204.114:80)

TCP (HTTP):
Connects to server.farmhouseserver.com  (198.57.196.166:80)

TCP (HTTP):
Connects to satin.smoothhost.com  (50.97.65.91:80)

TCP (HTTP):
Connects to rs101.nsresponse.com  (204.93.177.101:80)

TCP (HTTP):
Connects to perfora.net  (74.208.215.199:80)

TCP (HTTP):
Connects to ostego.snhdns.com  (198.38.77.142:80)

TCP (HTTP):
Connects to ora.ecnet.jp  (118.23.162.86:80)

TCP (HTTP):
Connects to ns69.kreativmedia.ch  (80.74.154.6:80)

TCP (HTTP):
Connects to myhost.net.pl  (195.149.225.101:80)

TCP (HTTP):
Connects to h-f.net  (92.222.129.136:80)

Remove kb799693963.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.