sink to receive asynchronous callbacks for wmi client application.exe

The executable sink to receive asynchronous callbacks for wmi client application.exe has been detected as malware by 7 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘af4b9f88b59ef32ed0bf6703f2ceb86f’. While running, it connects to the Internet address advancedsearch.virginmedia.com on port 2222.
MD5: e925cf147dff486cb7153706aaf28662
SHA-1: fc33a40c4c88808b0bb605b4856a834dadef3665
SHA-256: 2195387915d3d530323bef7a5d7e3bb3879e673e90b50fa66367cd55a7828573
Scanner detections: 7 / 68
Status: Malware
Analysis date: 4/24/2024 1:25:01 AM UTC

Scan engine                    Detection                          Engine version
avast!                         MSIL:Agent-BXF [Trj]               160518-2
Emsisoft Anti-Malware          Gen:Variant.MSIL.Bladabindi        11.5.0.6191
ESET NOD32                     MSIL/Bladabindi.AS trojan          8.0.319.0
F-Prot                         W32/MSIL_Bladabindi.A2.gen         4.6.5.141
F-Secure                       Generic.MSIL.Bladabindi.26CCC848   5.15.96
Microsoft Security Essentials  Threat.Undefined                   1.225.405.0
Norman                         Gen:Variant.MSIL.Bladabindi.2      22.05.2016 07:18:28

File size: 29 KB (29,696 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\{user}\appdata\local\temp\sink to receive asynchronous callbacks for wmi client application.exe

File PE Metadata
Compilation timestamp: 7/3/2016 9:50:40 PM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 8.0
.NET CLR dependent: Yes
CTPH (ssdeep): 384:Gb8Zl73NDeUI4tYK+9U5rkGISmqDLhV/etqGBsbh0w4wlAokw9OhgOL1vYRGOZzM:/7dDI4tmmqGKqhV/ebBKh0p29SgRFW
Entry address: 0x8BAE
Entry point: FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 01, 00, 18, 00, 00, 00, 18, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 30, 00...
Developed / compiled with: Microsoft Visual C# / Basic .NET
Code size: 27 KB (27,648 bytes)

Startup File (User Run)
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: af4b9f88b59ef32ed0bf6703f2ceb86f
Command: "C:\users\{user}\appdata\local\temp\sink to receive asynchronous callbacks for wmi client application.exe"

The executing file has been seen to make the following network communication in live environments.

TCP: Connects to advancedsearch.virginmedia.com (81.200.64.50:2222)