home

VisualWget.exe

VisualWget

Khomsan Phongphisansakun

It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘VisualWget’. The file has been seen being downloaded from doc-00-9c-docsviewer.googleusercontent.com and multiple other hosts.
Publisher:
Khomsan Phongphisansakun

Product:
VisualWget

Description:
VisualWget Download Manager

Version:
2.5.2.0

MD5:
c668e386af15985ba573f6d29edf6b83

SHA-1:
b021330f271ca03d43158831c4e1d3abbb442922

SHA-256:
195a5d6ae1597686e5ac41f372aa5971cdff10f086ecfad04fd712ad93306371

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
4/24/2024 11:42:25 PM UTC  (a few moments ago)

File size:
217.5 KB (222,720 bytes)

Product version:
2.5.2.0

Copyright:
© 2010 Khomsan Phongphisansakun

Original file name:
VisualWget.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\visualwget\vwget-2.5a2-wget-1.11.4-bin\visualwget.exe

File PE Metadata
Compilation timestamp:
11/26/2010 9:13:35 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:Sy3PI57lNsN0jYynQtytLYZDymialxbDxESGMnTNPOz8l7C2ddyXY46eaU+gF4Sd:SyfI57lNanzDymEMnC8l7C2dEo46L8h

Entry address:
0x33FCE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 03, 00, 00, 00, 30, 00, 00, 80, 0E, 00, 00, 00, 58, 00, 00, 80, 10, 00, 00, 00, 70, 00, 00, 80, 18, 00, 00, 00, 88, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 03, 00, 02, 00, 00, 00, A0, 00, 00, 80, 03, 00, 00, 00, B8, 00...
 
[+]

Entropy:
5.7027

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
200 KB (204,800 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
VisualWget

Command:
"C:\users\{user}\downloads\visualwget\vwget-2.5a2-wget-1.11.4-bin\visualwget.exe" --start-in-tray


The file VisualWget.exe has been seen being distributed by the following 3 URLs.

https://doc-00-9c-docsviewer.googleusercontent.com/viewer/securedownload/ftvfte78gvr3lk395v3iq11g9sunoqcb/kom11sa1rotqqlsjvlpfj1n5ujdh6btv/1384735500000/c2l0ZXM=/.../WkdWbVlYVnNkR1J2YldGcGJueDJhWE4xWVd4M1oyVjBmR2Q0T2pJeU9USTJPR0U0WWpVNFlqYzJNbUU=?sec=AHSqidbT2nOKoCgWqEpulq9gRfoFTcyxwlIVJ58GY8Zs19dpXQZS347AYQP9gxMUDQ0C1i150m1P&a=dl&filename=vwget-2.5a2-wget-1.11.4-bin.zip&rel=zip;z11;VisualWget.exe&nonce=j06fh40u3ic0a&user=AGZ5hq-eoUbR9hv59gJQz0ne3Oi6&hash=t3hf5j43n6ia48nn5jemvn4gabkirpll

https://docs.google.com/viewer/noncesigner?nonce=j06fh40u3ic0a&continue=https://doc-00-9c-docsviewer.googleusercontent.com/viewer/securedownload/ftvfte78gvr3lk395v3iq11g9sunoqcb/kom11sa1rotqqlsjvlpfj1n5ujdh6btv/1384735500000/c2l0ZXM=/.../WkdWbVlYVnNkR1J2YldGcGJueDJhWE4xWVd4M1oyVjBmR2Q0T2pJeU9USTJPR0U0WWpVNFlqYzJNbUU=?sec=AHSqidbT2nOKoCgWqEpulq9gRfoFTcyxwlIVJ58GY8Zs19dpXQZS347AYQP9gxMUDQ0C1i150m1P&a=dl&filename=vwget-2.5a2-wget-1.11.4-bin.zip&rel=zip;z11;VisualWget.exe&hash=kif96joogfrccb1c12tq1l0cqe9um0n2

https://doc-00-9c-docsviewer.googleusercontent.com/viewer/securedownload/ftvfte78gvr3lk395v3iq11g9sunoqcb/kom11sa1rotqqlsjvlpfj1n5ujdh6btv/1384735500000/c2l0ZXM=/.../WkdWbVlYVnNkR1J2YldGcGJueDJhWE4xWVd4M1oyVjBmR2Q0T2pJeU9USTJPR0U0WWpVNFlqYzJNbUU=?a=dl&filename=vwget-2.5a2-wget-1.11.4-bin.zip&sec=AHSqidbT2nOKoCgWqEpulq9gRfoFTcyxwlIVJ58GY8Zs19dpXQZS347AYQP9gxMUDQ0C1i150m1P&rel=zip;z11;VisualWget.exe

Scan VisualWget.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.