layer.exe

The executable layer.exe has been detected as malware by 25 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘LEANDRO’. While running, it connects to the Internet address domains.eu5.hosting.free on port 80 using the HTTP protocol.
Version: 1.0.7.1

MD5: 13ec8e23aa1bd2447bcd4b1cbef11788

SHA-1: 60c9c4916dcff242ee032273afcb9ebea4b03f51

SHA-256: bb7aea2e76fda8233d6f076117443240806aa961740b552c7650b6c2043dca42

Scanner detections: 25 / 68

Status: Malware

Explanation: The software contains keystroke monitoring/logging capabilities, which may or may not have been installed without the user's knowledge.

Analysis date: 4/23/2024 7:22:16 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.469823 | 832
Agnitum Outpost | Trojan.DR.Dapato | 7.1.1
Avira AntiVirus | TR/Symmi.18328.70 | 7.11.177.204
avast! | Win32:Malware-gen | 2014.9-141025
Baidu Antivirus | Trojan.Win32.CoinMiner | 4.0.3.141025
Bitdefender | Gen:Variant.Kazy.469823 | 1.0.20.1490
Bkav FE | HW32.Keylogger | 1.3.0.4959
Emsisoft Anti-Malware | Gen:Variant.Kazy.469823 | 8.14.10.25.08
ESET NOD32 | Win32/CoinMiner.CW | 8.10550
Fortinet FortiGate | W32/CoinMiner.CW!tr | 10/25/2014
F-Secure | Gen:Variant.Kazy.469823 | 11.2014-25-10_7
G Data | Gen:Variant.Kazy.469823 | 14.10.24
IKARUS anti.virus | Trojan.Win32.CoinMiner | t3scan.1.7.8.0
K7 AntiVirus | Trojan | 13.183.13642
Kaspersky | Trojan-Dropper.Win32.Dapato | 14.0.0.3046
McAfee | Artemis!13EC8E23AA1B | 5600.6966
MicroWorld eScan | Gen:Variant.Kazy.469823 | 15.0.0.894
NANO AntiVirus | Trojan.Win32.Dapato.dgjzyq | 0.28.2.62483
Norman | Suspicious_Gen5.AWUJR | 11.20141025
Panda Antivirus | Trj/Chgt.H | 14.10.25.08
Qihoo 360 Security | Win32/Trojan.b32 | 1.0.0.1015
Reason Heuristics | Threat.Win.Reputation.IMP | 14.10.25.20
Sophos | Mal/Generic-S | 4.98
Trend Micro House Call | TROJ_GEN.R08NH09J614 | 7.2.298
Zillya! Antivirus | Dropper.Dapato.Win32.21445 | 2.0.0.1952

File size: 2.2 MB (2,342,292 bytes)

File type: Executable application (Win32 EXE)

Language: English (United States)

Common path: C:\users\{user}\appdata\roaming\layer.exe

File PE Metadata
Compilation timestamp: 6/5/2014 4:26:34 AM

OS version: 5.1

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 10.0

CTPH (ssdeep): 49152:/GZ5XUtk+MDazfjJeLvuUpu+wfYjRPnVqJSn8JiCRkJd:WXOkbDaz7JeLvug/wfYjRv8JSn8w0i

Entry address: 0x50741

Entry point: E8, D9, 7F, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 98, 76, 47, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 9C, 76, 47, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, E5, 0E, 00, 00, 85, C0, 75, 06, B8, 00, 78, 47, 00, C3, 83, C0, 08, C3, E8, D2, 0E, 00, 00, 85, C0, 75, 06, B8, 04, 78, 47, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Code size: 369.5 KB (378,368 bytes)

Startup File (User Run)
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: LEANDRO

Command: C:\users\{user}\appdata\roaming\layer.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP): Connects to domains.eu5.hosting.free (5.9.126.141:80)

Remove layer.exe - Powered by Reason Core Security