home

rfm32.exe

Valuva5

CPUID

The executable rfm32.exe has been detected as malware by 22 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘rfm32.exe’.
Publisher:
Pegasian  (signed by CPUID)

Product:
Valuva5

Description:
Andreev0

Version:
6.06.0003

MD5:
65cad0d1572ab8af2d5523ea259e1ed7

SHA-1:
45d87872dda81d8b680d24f246293241fda3a829

SHA-256:
81733567fee2aca96cbf819c7802a8dd210bdca01088ba8560d35e68ee8a6806

Scanner detections:
22 / 68

Status:
Malware

Analysis date:
4/24/2024 5:34:44 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.2039158
364

Agnitum Outpost
Trojan.Injector
7.1.1

avast!
Win32:Malware-gen
2014.9-160205

AVG
Win32/VBCrypt
2017.0.2842

Baidu Antivirus
Trojan.Win32.Injector
4.0.3.1625

Bitdefender
Trojan.GenericKD.2039158
1.0.20.180

Bkav FE
HW32.Packed
1.3.0.6267

Emsisoft Anti-Malware
Trojan.GenericKD.2039158
8.16.02.05.03

ESET NOD32
Win32/Injector.BRPX (variant)
10.10942

Fortinet FortiGate
W32/BRPX!tr
2/5/2016

F-Secure
Trojan.GenericKD.2039158
11.2016-05-02_6

G Data
Trojan.GenericKD.2039158
16.2.24

IKARUS anti.virus
Win32.VBCrypt
t3scan.1.8.5.0

K7 AntiVirus
Trojan
13.188.14484

Kaspersky
Trojan.Win32.VBKryjetor
14.0.0.707

McAfee
RDN/Generic.dx!dhs
5600.6498

MicroWorld eScan
Trojan.GenericKD.2039158
17.0.0.108

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1015

Rising Antivirus
PE:Malware.XPACK-HIE/Heur!1.9C48
23.00.65.16203

Sophos
Mal/Generic-S
4.98

Trend Micro House Call
Suspicious_GEN.F47V1219
7.2.36

VIPRE Antivirus
Trojan.Win32.Generic
36204

File size:
550.5 KB (563,688 bytes)

Product version:
6.06.0003

Copyright:
wamrmeit

Trademarks:
Maidhood

Original file name:
plutoniom.exe

File type:
Executable application (Win32 EXE)

Language:
Ukrainisch (Ukraine)

Common path:
C:\users\{user}\appdata\local\temp\rfm32.exe

Digital Signature
Signed by:
CPUID

Authority:
VeriSign, Inc.

Valid from:
2/2/2009 1:00:00 AM

Valid to:
2/8/2012 12:59:59 AM

Subject:
CN=CPUID, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=CPUID, L=DUNKERQUE, S=NORD, C=FR

Issuer:
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
29F25A23906DE1BBFA2C46067EBA0DDD

File PE Metadata
Compilation timestamp:
12/17/2014 11:45:06 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:gCeLO7EW8jIknmoneV8PRzr9vDbbxIZ2LTfrEle:0LOY8m/nDzr9Lvk2LTfYle

Entry address:
0x1208

Entry point:
68, 0C, 07, 48, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 47, 75, 47, 23, CE, 77, B1, 4E, B6, 22, FD, 33, 73, 0F, 15, 2D, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 31, 42, 2D, 41, 46, 43, 70, 65, 6E, 74, 72, 65, 6D, 69, 74, 65, 73, 00, 41, 37, 7D, 23, 00, 00, 00, 00, FF, CC, 31, 00, 05, 00, 18, 91, 54, 0F, CF, DC, 48, 82, 86, 71, 0D, B6, 90, FC, 75, 23, 71, 33, 77, 82, 56, 53, 4C, 92, 5A, D7, CE, 2C, 31, 72, A9, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...
 
[+]

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
532 KB (544,768 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
rfm32.exe

Command:
C:\users\{user}\appdata\local\temp\rfm32.exe


Remove rfm32.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.