» spynet.exe
Overview
Analysis
File Details
Behaviors (1)
Network (32)

spynet.exe

The executable spynet.exe has been detected as malware by 38 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address apricot.pi.activeminds.net on port 80 using the HTTP protocol.

File name:

spynet.exe

MD5:

98de7bcad1ba2caf74007bd97bc2b505

SHA-1:

8a79d06159a339313b810f23835b8417429dd356

SHA-256:

e4b3b3e72bd3bf4052a3136cb811ea54923bc2d7807709992e0345743d49ced8

Scanner detections:

38 / 68

Status:

Malware

Analysis date:

4/25/2024 7:55:36 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.KDV.649701

1102

Agnitum Outpost

Trojan.DR.Decay

7.1.1

AhnLab V3 Security

Dropper/Win32.Decay

2014.01.23

Avira AntiVirus

TR/Kazy.117949.1

7.11.126.140

avast!

Win32:Malware-gen

2014.9-140129

AVG

Worm/Generic

2015.0.3580

Baidu Antivirus

Malware.Win32.HackTool

4.0.3.14129

Bitdefender

Trojan.Generic.KDV.649701

1.0.20.145

Bkav FE

W32.Cloda75.Trojan

1.3.0.4923

Comodo Security

TrojWare.Win32.TrojanDropper.Decay.ghv

17657

Dr.Web

BackDoor.Cybergate.1

9.0.1.029

Emsisoft Anti-Malware

Trojan.Generic.KDV.649701

8.14.01.29.08

ESET NOD32

Win32/Spatet (variant)

8.9325

Fortinet FortiGate

W32/Decay.BYS!tr

1/29/2014

F-Prot

W32/Dropper.AVMY

v6.4.7.1.166

F-Secure

Trojan.Generic.KDV.649701

11.2014-29-01_4

G Data

Trojan.Generic.KDV.649701

14.1.24

IKARUS anti.virus

Worm.Win32.Braim

t3scan.2.2.29

K7 AntiVirus

Trojan

13.175.10926

Kaspersky

Trojan-Dropper.Win32.Decay

14.0.0.4393

Malwarebytes

Trojan.Agent

v2014.01.29.08

McAfee

Artemis!98DE7BCAD1BA

5600.7236

Microsoft Security Essentials

Worm:Win32/Braim.A

1.165.247.01

MicroWorld eScan

Trojan.Generic.KDV.649701

15.0.0.87

NANO AntiVirus

Trojan.Win32.Bybz.dbxrn

0.28.0.57380

Norman

Suspicious_Gen2.AINUV

11.20140129

nProtect

Trojan-Dropper/W32.Decay.2132992

14.01.22.03

Panda Antivirus

Trj/Genetic.gen

14.01.29.08

Qihoo 360 Security

Win32/Trojan.b98

1.0.0.1015

Quick Heal

TrojanDropper.Decay.bys

1.14.12.00

Rising Antivirus

PE:Trojan.Win32.Generic.11EE63F5!300835829

23.00.65.14127

Sophos

Troj/Trufip-A

4.97

Total Defense

Win32/Spyrat.A!generic

37.0.10498

Trend Micro House Call

TSPY_INFOSTE.III

7.2.29

Trend Micro

TSPY_INFOSTE.III

10.465.29

Vba32 AntiVirus

Worm.Bybz

3.12.24.3

VIPRE Antivirus

Trojan.Win32.Generic.pak!cobra

25696

ViRobot

Dropper.S.Decay.2132992

2011.4.7.4223

File size:

2 MB (2,132,992 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\spynet.exe

File PE Metadata

Compilation timestamp:

6/20/1992 12:22:17 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

49152:GhwHJZqdp7orGOA0jhE6wSZCTIzY7wXSxQ5E+X6Oftn/Z9s0K:GhwHJZUp7orG90NE6KIM7wXr5EI6OR/7

Entry address:

0x531EA0

Entry point:

60, BE, 00, D0, 74, 00, 8D, BE, 00, 40, CB, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89... 
[+]

Packer / compiler:

UPX 2.90LZMA]

Code size:

1.9 MB (1,990,656 bytes)

Scheduled Task

Task name:

{4478D11F-1D16-4792-BACE-2363190CCE1F}

Trigger:

Registration (Runs on registration)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to apricot.pi.activeminds.net (69.64.56.244:80)

TCP:

Connects to IP-177-72-196-34.reciclanet.com.br (177.72.196.34:54955)

TCP:

Connects to bbb4b081.virtua.com.br (187.180.176.129:14781)

TCP:

Connects to 2.139.220.177.static.copel.net (177.220.139.2:53658)

TCP:

Connects to 177-84-80-82.speedyonline.net.br (177.84.80.82:59881)

TCP:

Connects to bd3714ec.virtua.com.br (189.55.20.236:56119)

TCP:

Connects to 46.111.84.177.toledoinfo.com.br (177.84.111.46:49462)

TCP:

Connects to 191-209-23-196.user.vivozap.com.br (191.209.23.196:28985)

TCP:

Connects to 186.212.119.53.static.host.gvt.net.br (186.212.119.53:37471)

TCP:

Connects to www.no-ip.com (8.23.224.110:49300)

TCP:

Connects to mrs02s05-in-f26.1e100.net (173.194.35.122:1110)

TCP:

Connects to b120e7a4.virtua.com.br (177.32.231.164:52674)

TCP:

Connects to 189-92-211-81.3g.claro.net.br (189.92.211.81:42000)

TCP:

Connects to 189.115.149.161.static.host.gvt.net.br (189.115.149.161:58270)

TCP:

Connects to 152-250-58-118.user.vivozap.com.br (152.250.58.118:59105)

TCP:

Connects to 138-255-146-16.cliente-sumicity.net.br (138.255.146.16:18907)

Remove spynet.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.