tulrotzugitu.exe

The executable tulrotzugitu.exe has been detected as malware by 31 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘tulrotzugitu’. While running, it connects to the Internet address v29098.hosted-by-vdsina.ru on port 80 using the HTTP protocol.
MD5:
253719f1fd7ee1d882ad618155216ab0

SHA-1:
adca72a181e41cce6c065b44879c30948b44f3d6

SHA-256:
c0ed156097ffa34d14f73a5e7a4108ff633fd477d685635e158c948d58f17314

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
7/20/2018 3:46:19 PM UTC

Scan engine                    | Detection                      | Engine version
-------------------------------|--------------------------------|----------------
Lavasoft Ad-Aware              | Trojan.GenericKD.2713259       | 504
Agnitum Outpost                | Trojan.Cutwail                 | 7.1.1
AhnLab V3 Security             | Trojan/Win32.Agent             | 2015.09.17
Avira AntiVirus                | TR/Dldr.Waski.106496.3         | 8.3.2.2
Antiy Labs AVL                 | Trojan/Win32.Cutwail           | 1.0.0.1
Arcabit                        | Trojan.Generic.D2966AB         | 1.0.0.541
avast!                         | Win32:Dropper-gen [Drp]        | 2014.9-150919
AVG                            | Inject3                        | 2016.0.2982
Baidu Antivirus                | Trojan.Win32.Cutwail           | 4.0.3.15919
Bitdefender                    | Trojan.GenericKD.2713259       | 1.0.20.1310
Dr.Web                         | Trojan.DownLoad.64914          | 9.0.1.0262
Emsisoft Anti-Malware          | Trojan.GenericKD.2713259       | 8.15.09.19.12
ESET NOD32                     | Generik.BQGTGCQ (variant)      | 9.12266
F-Secure                       | Trojan.GenericKD.2713259       | 11.2015-19-09_7
G Data                         | Trojan.GenericKD.2713259       | 15.9.25
IKARUS anti.virus              | Trojan.SuspectCRC              | t3scan.1.9.5.0
K7 AntiVirus                   | Trojan                         | 13.210.17240
K7 Gateway Antivirus           | Trojan                         | 13.210.17242
Kaspersky                      | Trojan.Win32.Cutwail           | 14.0.0.1405
McAfee                         | Artemis!253719F1FD7E           | 5600.6638
McAfee Web Gateway             | Artemis!Trojan                 | 7.6638
Microsoft Security Essentials  | TrojanDropper:Win32/Cutwail    | 1.1.12101.0
MicroWorld eScan               | Trojan.GenericKD.2713259       | 16.0.0.786
NANO AntiVirus                 | Trojan.Win32.Cutwail.dwuuva    | 0.30.24.3283
nProtect                       | Trojan.GenericKD.2713259       | 15.09.16.01
Panda Antivirus                | Trj/Agent.LPG                  | 15.09.19.12
Qihoo 360 Security             | HEUR/QVM08.0.Malware.Gen       | 1.0.0.1015
Rising Antivirus               | PE:Malware.RDM.33!5.27[F1]     | 23.00.65.15917
Sophos                         | Mal/Generic-S                  | 4.98
Trend Micro                    | TROJ_GEN.R047C0DIB15           | 10.465.19
VIPRE Antivirus                | Trojan.Win32.Generic           | 43824

File size:
104 KB (106,496 bytes)

File type:
Executable application (Win32 EXE)

Language:
Slovenian (Slovenia)

Common path:
C:\users\ruby\tulrotzugitu.exe

File PE Metadata
Compilation timestamp:
9/8/2015 7:07:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
1536:NzCTDfsjy/glpfi1kLu2MC0W9xQXRDjYRbmKQjtbtaDoDyIImWrqGBamIYnp8A8p:jpj3u6QBrgNjpQkwVUPJ6+0dBpgQ

Entry address:
0x854D

Entry point:
6A, 60, 68, 10, 43, 41, 00, E8, C3, 77, 00, 00, BF, 94, 00, 00, 00, 8B, C7, E8, 0B, 78, 00, 00, 89, 65, E8, 8B, F4, 89, 3E, 56, FF, 15, 7C, 30, 41, 00, 8B, 4E, 10, 89, 0D, 9C, 84, 41, 00, 8B, 46, 04, A3, A8, 84, 41, 00, 8B, 56, 08, 89, 15, AC, 84, 41, 00, 8B, 76, 0C, 81, E6, FF, 7F, 00, 00, 89, 35, A0, 84, 41, 00, 83, F9, 02, 74, 0C, 81, CE, 00, 80, 00, 00, 89, 35, A0, 84, 41, 00, C1, E0, 08, 03, C2, A3, A4, 84, 41, 00, 33, F6, 56, 8B, 3D, 74, 30, 41, 00, FF, D7, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03...

Entropy:
6.1981

Developed / compiled with:
Microsoft Visual C++ v7.0

Code size:
72 KB (73,728 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
tulrotzugitu

Command:
C:\users\ruby\tulrotzugitu.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP) connections observed:

www410.sakura.ne.jp (59.106.13.40:80)
www1155.sakura.ne.jp (219.94.129.195:80)
www.cargoro.com (211.206.123.37:80)
winmail01.sx-it.com (195.230.181.117:80)
webbox47.server-home.org (78.138.91.55:80)
w1.cyberfuel.com (190.0.226.9:80)
v29098.hosted-by-vdsina.ru (94.103.80.78:80)
uls-dc.org (216.104.182.58:80)
static.101.66.9.5.clients.your-server.de (5.9.66.101:80)
shops.shopify.com (23.227.38.71:80)
server.cloudhost5.pshift.com (174.136.15.175:80)
pcg.com (70.32.76.86:80)
p3nw8sh323.shr.prod.phx3.secureserver.net (184.168.192.40:80)
ns9.kulonuwun.com (103.5.51.106:80)
named15.baremetal.com (67.223.102.174:80)
md-in-5.webhostbox.net (103.21.58.244:80)
ip-50-63-202-104.ip.secureserver.net (50.63.202.104:80)
ip158.ip-5-39-12.eu (5.39.12.158:80)
hosting.marketingpro-server1.com (207.58.182.49:80)
host33.arit.cz (77.78.106.223:80)
