run.exe

The executable run.exe has been detected as malware by 25 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘cfhack’.
Publisher:
m

Product:
qwe

Description:
m

Version:
1.00.0369

MD5:
4ab8e0f5d27edba1bd8052cc9074bbe0

SHA-1:
fdda9a8fbb18d3aa0cd143ae324f9c1c5334bd98

SHA-256:
af567421f24dd16a193528d2b2cde33087fa93e3447474da82a51898826bc6f4

Scanner detections:
25 / 68

Status:
Malware

Analysis date:
4/18/2024 5:32:27 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Symmi.15632 | 838
Avira AntiVirus | TR/Symmi.15632.4 | 7.11.179.22
avast! | Win32:Malware-gen | 2014.9-141019
AVG | Small | 2015.0.3316
Baidu Antivirus | Trojan.Win32.VB | 4.0.3.141019
Bitdefender | Gen:Variant.Symmi.15632 | 1.0.20.1460
Bkav FE | HW32.Packed | 1.3.0.4959
Emsisoft Anti-Malware | Gen:Variant.Symmi.15632 | 8.14.10.19.09
ESET NOD32 | Win32/Qhost.PGZ (variant) | 8.10578
Fortinet FortiGate | W32/Magania.IDPJ!tr | 10/19/2014
F-Prot | W32/A-5e0fec9b | v6.4.7.1.166
F-Secure | Gen:Variant.Symmi.15632 | 11.2014-19-10_1
G Data | Gen:Variant.Symmi.15632 | 14.10.24
IKARUS anti.virus | Trojan.Win32.Scar | t3scan.1.7.8.0
Kaspersky | Trojan-Spy.Win32.VB | 14.0.0.3075
Malwarebytes | Trojan.Agent.CF | v2014.10.19.09
McAfee | Artemis!4AB8E0F5D27E | 5600.6972
MicroWorld eScan | Gen:Variant.Symmi.15632 | 15.0.0.876
NANO AntiVirus | Trojan.Win32.VB.dgsiwz | 0.28.2.62671
Norman | Vbot.C | 11.20141019
Qihoo 360 Security | Win32/Trojan.f57 | 1.0.0.1015
Rising Antivirus | PE:Trojan.Win32.Generic.176B55A5!392910245 | 23.00.65.141017
Sophos | Mal/Emogen-H | 4.98
Trend Micro House Call | TROJ_GEN.R0C1C0RJB14 | 7.2.292
Trend Micro | TROJ_GEN.R0C1C0RJB14 | 10.465.19

File size:
35.5 KB (36,352 bytes)

Product version:
1.00.0369

Copyright:
weq

Trademarks:
wqewqq

Original file name:
run.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\run.exe

File PE Metadata
Compilation timestamp:
10/10/2014 3:05:19 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
768:noVQ6KQjpt1zO5sAptwW6FylA3jeVIQWfanU12W3sMxAt:nZityx6Eu2IQWSniri

Entry address:
0x1C34

Entry point:
B8, 4C, B0, 41, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 50, 45, 43, 6F, 6D, 70, 61, 63, 74, 32, 00, 9C, 33, AE, A6, 74, 1B, 57, 5A, 2B, 3C, 8E, D1, 9F, 9B, 55, 7F, 7E, 9E, 58, 23, 21, 65, EF, 85, 89, A8, DF, 5C, D5, ED, AC, 39, 07, 94, 50, E3, 3C, 96, 32, 35, AE, C1, 8C, 31, 2F, 92, 47, 99, 39, 62, 3A, 60, ED, 83, 39, CB, 49, 3C, D6, EC, 1C, D8, 4A, A5, 34, 4C, 03, 5C, BB, 07, BC, 6E, E3, 21, 74, 6E, CF, 8B, B3, 0A, 89, EE, 03, 6A, 23, 08, 78, FD, BB, 68, 32, 91, 04...

Entropy:
7.5455

Packer / compiler:
PECompact v2

Code size:
72 KB (73,728 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
cfhack

Command:
C:\windows\run.exe
The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hkg07s02-in-f129.1e100.net  (216.58.221.129:80)

Remove run.exe - Powered by Reason Core Security