sexymligofpe.exe

The executable sexymligofpe.exe has been detected as malware by 3 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the display name 'sexymligofpe'. While running, it connects to the Internet address m.disneyworld.go.com on port 80 using the HTTP protocol.
MD5:
24fef39706cbc96c883a5052bcc9123d

SHA-1:
c05af878831d49150c7f222ff7df910bb5763d9d

SHA-256:
1d5351691b1570493885fa7cc71660d45c355eceb9c43a7db7e6974df2bf7784

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
12/13/2017 6:53:15 AM UTC

Scan engine | Detection | Engine version
avast! | Win32:Evo-gen [Susp] | 160905-0
Dr.Web | BackDoor.Bulknet.893 | 9.0.1.05190
ESET NOD32 | Win32/Kryptik.BMDG trojan | 6.3.12010.0

File size:
38.5 KB (39,424 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\ania\sexymligofpe.exe

File PE Metadata
Compilation timestamp:
3/24/2007 2:02:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:pcqYj2vE49Df6e8SOHc9M1uNT5y4HRQByXDHs:WqRvd1uHcC0hxQB8DHs

Entry address:
0x15E5

Entry point:
85, C0, 33, C0, 50, 68, CE, 12, 10, 08, 50, 68, F0, 57, 00, 00, 50, 68, 59, 14, 10, 08, E8, 1A, 00, 00, 00, 68, BE, 12, 10, 08, 50, E8, 0B, FC, FF, FF, FF, D0, CC, FF, 25, 10, 20, 10, 08, FF, 25, 0C, 20, 10, 08, FF, 25, 04, 20, 10, 08, FF, 25, 00, 20, 10, 08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Code size:
2 KB (2,048 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
sexymligofpe

Command:
C:\users\ania\sexymligofpe.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to freedomfordinc.com  (67.192.6.123:80)

TCP (HTTP):
Connects to ec2-52-72-247-91.compute-1.amazonaws.com  (52.72.247.91:80)

TCP (HTTP):
Connects to manage.embarq.synacor.com  (69.168.97.85:80)

TCP (HTTP):
Connects to iprimus.ad.internal  (202.136.40.35:80)

TCP (HTTP):
Connects to www.mweb.co.za  (196.2.63.110:80)

TCP (HTTP):
Connects to mail.cableweb3.ca  (50.21.229.37:80)

TCP (HTTP):
Connects to m.disneyworld.go.com  (199.181.132.250:80)

TCP (HTTP):
Connects to ec2-52-48-121-111.eu-west-1.compute.amazonaws.com  (52.48.121.111:80)

TCP (SMTP):
Connects to www2.windstream.net  (162.39.145.20:25)

TCP (HTTP):
Connects to www.nettally.com  (199.44.82.1:80)

TCP (HTTP):
Connects to www.ncable.net.au  (203.208.88.59:80)

TCP (HTTP):
Connects to w2.src.vip.gq1.yahoo.com  (98.137.236.150:80)

TCP (SMTP):
Connects to uplink-pop1.mindspring.com  (207.69.200.195:25)

TCP (SMTP):
Connects to smtpsvc2.mindspring.com  (207.69.189.22:25)

TCP (HTTP):
Connects to s-hostheader-mtc-a.evip.aol.com  (64.12.249.135:80)

TCP (HTTP):
Connects to ec2-52-31-224-138.eu-west-1.compute.amazonaws.com  (52.31.224.138:80)

TCP (SMTP):
Connects to ec2-52-209-86-124.eu-west-1.compute.amazonaws.com  (52.209.86.124:25)

TCP (HTTP):
Connects to ec2-35-165-97-85.us-west-2.compute.amazonaws.com  (35.165.97.85:80)

TCP (HTTP):
Connects to bassettweb.beacontec.com  (216.54.174.228:80)

TCP (HTTP):
Connects to american.edu  (147.9.4.186:80)
