remwepqixynn.exe

The executable remwepqixynn.exe has been detected as malware by 36 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘remwepqixynn’. According to AVG, this software downloads additional adware offers during setup. While running, it connects to the Internet address duluth.com on port 25.
MD5:
adb2144bf4609f36ac6baf5fd0a661c2

SHA-1:
8f0b7f3b22b61ad5d2c2303246ab3cbf6f8974f9

SHA-256:
b940b33822f31e6ed0ca336fb1d76a44b7e19bdb684a7e4a2298a8e7e9584063

Scanner detections:
36 / 68

Status:
Malware

Analysis date:
4/27/2024 8:50:48 AM UTC

Scan engine                    Detection                            Engine version
Lavasoft Ad-Aware              Trojan.Generic.9384116               174
Agnitum Outpost                Trojan.PWS.Tepfer                    7.1.1
AhnLab V3 Security             Trojan/Win32.Zbot                    16.08.14
Avira AntiVirus                TR/Agent.114688.86                   7.11.151.204
avast!                         Win32:Injector-BGC [Trj]             2014.9-160814
AVG                            Downloader.Small                     2017.0.2652
Baidu Antivirus                Trojan.Win32.InfoStealer             4.0.3.16814
Bitdefender                    Trojan.Generic.9384116               1.0.20.1135
Bkav FE                        W32.FakepdfLTT.Trojan                1.3.0.4959
Comodo Security                TrojWare.Win32.Injector.AKLC         18347
Dr.Web                         Trojan.Inject2.23                    9.0.1.0227
Emsisoft Anti-Malware          Trojan.Generic.9384116               8.16.08.14.02
ESET NOD32                     Win32/Injector.AJXZ (variant)        10.9857
F-Secure                       Trojan.Generic.9384116               11.2016-14-08_1
G Data                         Trojan.Generic.9384116               16.8.24
IKARUS anti.virus              Trojan-Downloader.Small              t3scan.1.6.1.0
K7 AntiVirus                   Riskware                             13.178.12212
Kaspersky                      Trojan-PSW.Win32.Tepfer              14.0.0.-246
Malwarebytes                   Trojan.Inject                        v2016.08.14.02
McAfee                         Generic-FANR!ADB2144BF460            5600.6308
Microsoft Security Essentials  TrojanDownloader:Win32/Cutwail.BS    1.10600
MicroWorld eScan               Trojan.Generic.9384116               17.0.0.681
NANO AntiVirus                 Trojan.Win32.Tepfer.cbfhqj           0.28.0.59921
Norman                         Troj_Generic.NWUAR                   11.20160814
nProtect                       Trojan.Generic.9384116               14.05.27.01
Panda Antivirus                Trj/Genetic.gen                      16.08.14.02
Qihoo 360 Security             Win32/Trojan.PSW.303                 1.0.0.1015
Rising Antivirus               PE:Trojan.Injector!1.9DEE            23.00.65.16812
Sophos                         Troj/Zbot-FTB                        4.98
SUPERAntiSpyware               Trojan.Agent/Gen-Dropper             8961
Total Defense                  Win32/Cutwail.BIGWWND                37.0.10963
Trend Micro House Call         TROJ_CUTWAIL.OB                      7.2.227
Trend Micro                    TROJ_CUTWAIL.OB                      10.465.14
VIPRE Antivirus                TrojanPWS.Win32.Fareit.aa            29676
ViRobot                        Trojan.Win32.S.Zbot.110714           2011.4.7.4223
Zillya! Antivirus              Trojan.Tepfer.Win32.56704            2.0.0.1803

File size:
108.1 KB (110,714 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\usuario\remwepqixynn.exe

File PE Metadata
Compilation timestamp:
7/16/2013 3:14:48 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.50

CTPH (ssdeep):
3072:1uPUlO9c6NLA2fUSF8kTfJQzFKiAb26imF243MMJe6:1cUlEAUvTaZiZJP

Entry address:
0x24C20

Entry point:
60, BE, 15, 70, 41, 00, 8D, BE, EB, 9F, FE, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB...

Entropy:
7.9346

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
56 KB (57,344 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
remwepqixynn

Command:
C:\users\usuario\remwepqixynn.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to my.earthlink.net  (209.86.62.64:80)

TCP (HTTP):
Connects to conferencing.Level3.com  (4.68.80.110:80)

TCP (SMTP):
Connects to www.terra.cl  (208.70.188.13:25)

TCP (HTTP):
Connects to urlforward.topdns.com  (46.166.189.98:80)

TCP (HTTP):
Connects to spool.lnh.mail.rcn.net  (207.172.157.181:80)

TCP (HTTP):
Connects to odin.hostservices.biz  (148.251.131.251:80)

TCP (HTTP):
Connects to my.dca.juno.com  (64.136.45.46:80)

TCP (SMTP):
Connects to duluth.com  (69.163.218.127:25)

TCP (SMTP):
Connects to bap.web.de  (82.165.230.17:25)

TCP (SMTP):
Connects to *.claimsxten.com  (143.112.128.124:25)

TCP (SMTP):
Connects to www.mweb.co.za  (196.2.63.110:25)

TCP (SMTP):
Connects to www.infoseek.co.jp  (133.237.60.109:25)

TCP (HTTP):
Connects to www.compcams.com  (216.37.76.2:80)

TCP (SMTP):
Connects to www.arcor-online.net  (151.189.21.100:25)

TCP (SMTP):
Connects to www.alice-dsl.de  (85.183.254.1:25)

TCP (SMTP):
Connects to vip-redirect-generique.m1.fti.net  (81.52.142.217:25)

TCP (SMTP):
Connects to pop06.earthlink.net  (209.86.93.207:25)

TCP (HTTP):
Connects to manage.embarq.synacor.com  (69.168.97.85:80)

TCP (SMTP):
Connects to mail.desktopmasters.com  (12.167.51.51:25)

TCP (SMTP):
Connects to ip-184-168-81-139.ip.secureserver.net  (184.168.81.139:25)
