server.exe

The executable server.exe has been detected as malware by 31 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘HKCU’. While running, it connects to the Internet address advancedsearch.virginmedia.com on port 82.
Version:
1.0.0.0

MD5:
060e306d93731515b4b1eab799169638

SHA-1:
d0a2dabc55b892a6c67069e8e87de1411c485899

SHA-256:
2655fef2a1d089e435590a4b7ab02828572339cf3263305c5d3089b41ebb2ca6

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
4/26/2024 5:35:24 PM UTC

Scan engine                    Detection                      Engine version
Agnitum Outpost                Trojan.DR.Agent2               7.1.1
AhnLab V3 Security             Win-Trojan/Lmirhack.599164     2013.08.11
Avira AntiVirus                TR/Dropper.Gen                 7.11.96.74
avast!                         Win32:Malware-gen              2014.9-160308
AVG                            Dropper.Generic2               2017.0.2810
Bitdefender                    Gen:Heur.MSIL.Krypt.2          1.0.20.340
Comodo Security                UnclassifiedMalware            16743
Dr.Web                         BackDoor.Bifrost.19762         9.0.1.068
Emsisoft Anti-Malware          Gen:Heur.MSIL.Krypt            8.16.03.08.08
ESET NOD32                     MSIL/Injector.HJ (variant)     10.8673
Fortinet FortiGate             MSIL/StubRC.AVB!tr             3/8/2016
F-Prot                         W32/MSIL_Troj.C.gen            v6.4.7.1.166
F-Secure                       Gen:Heur.MSIL.Krypt.2          11.2016-08-03_3
G Data                         Gen:Heur.MSIL.Krypt            16.3.22
IKARUS anti.virus              Trojan-PWS.MSIL                t3scan.2.0.127
K7 AntiVirus                   Riskware                       13.170.9241
Kaspersky                      HEUR:Trojan.Win32.Generic      14.0.0.546
Malwarebytes                   Spyware.Passwords.Gen          v2016.03.08.08
McAfee                         Artemis!060E306D9373           5600.6466
Microsoft Security Essentials  VirTool:MSIL/Injector.gen!A    1.163.1557.0
MicroWorld eScan               Gen:Heur.MSIL.Krypt.2          17.0.0.204
NANO AntiVirus                 Trojan.Win32.Bifrost.bcyoew    0.26.0.53954
Norman                         Suspicious_Gen2.BJBIL          11.20160308
nProtect                       Trojan/W32.Agent.599164        13.08.09.03
Panda Antivirus                Generic Malware                16.03.08.08
SUPERAntiSpyware               Trojan.Agent/Gen-Falofn[Cont]  9277
Total Defense                  Win32/DotNetInject.F!generic   37.0.10498
Trend Micro House Call         TROJ_SPNR.03DQ11               7.2.68
Trend Micro                    TROJ_SPNR.03DQ11               10.465.08
Vba32 AntiVirus                Backdoor.DarkKomet             3.12.22.3
VIPRE Antivirus                Trojan.Win32.Generic           20370

File size:
585.1 KB (599,164 bytes)

Product version:
999.0.0.999

Original file name:
C:\Documents and Settings\nathu\Desktop\sadiouxzcpoiuasd.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\install\server.exe

File PE Metadata
Compilation timestamp:
4/24/2010 8:50:06 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:IhkI+zXjNKHovXkUy2Foxy3fVLZVTcZuu6RjU3MnMxRg+kyAcI6s:EaXjBfy2FeyPVLZNgupFU3qMoyAjN

Entry address:
0x311C2

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 10, 03, 00, 0C, 00, 00, 00, C4, 31, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.7447

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
188.5 KB (193,024 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
HKCU

Command:
C:\users\{user}\appdata\roaming\install\server.exe
The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to advancedsearch.virginmedia.com (81.200.64.50:82)

Remove server.exe - Powered by Reason Core Security