w.exe

The executable w.exe has been detected as malware by 2 of 68 anti-virus scanners (Dr.Web and ESET NOD32; both detection names reference IRC bot behaviour). It is set to start automatically when a user logs into Windows via the current-user Run registry key under the display name ‘Microsoft Windows Service’; the command registered there launches a copy named winsvc.exe from a folder under the user's profile (C:\users\gh\m-505060868748648695949980 in the analysed run). While running, it connects on TCP port 5050 to 125.235.4.59.adsl.viettel.vn and 162-144-70-81.unifiedlayer.com, makes an HTTP connection to hosted-with.grabweb.net, and opens outbound SMTP connections (port 25) to a long list of unrelated mail servers, a traffic pattern typical of a spam-sending bot.
MD5:
346f8625c335fb9d2089ac569c68f582

SHA-1:
c03e743bd6901d7ae35eb9db9184c1ea86c3092f

SHA-256:
ec91cc88366075ba311b97a4a37ab10eeae2377789a5a4def25be838ecf7fbe0

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
3/11/2017 3:54:34 AM UTC  (nine months ago)

Scan engine     Detection                        Engine version
Dr.Web          probably DLOADER.IRC.Trojan      9.0.1.05190
ESET NOD32      Win32/AutoRun.IRCBot.JD worm     6.3.12010.0

File size:
39.5 KB (40,448 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\w.exe

File PE Metadata
Compilation timestamp:
3/11/2017 12:45:38 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x7400

Entry point:
55, 8B, EC, 6A, FF, 68, 80, 97, 40, 00, 68, 80, 75, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, CC, 80, 40, 00, 59, 83, 0D, 14, CA, 40, 00, FF, 83, 0D, 18, CA, 40, 00, FF, FF, 15, D0, 80, 40, 00, 8B, 0D, 10, CA, 40, 00, 89, 08, FF, 15, D4, 80, 40, 00, 8B, 0D, 0C, CA, 40, 00, 89, 08, A1, D8, 80, 40, 00, 8B, 00, A3, 1C, CA, 40, 00, E8, 10, 01, 00, 00, 39, 1D, 50, B5, 40, 00, 75, 0C, 68, 7C, 75, 40, 00, FF, 15, E0, 80...
 
Entropy:
6.3058

Developed / compiled with:
Microsoft Visual C++ v6.0 (heuristic identification; the PE linker version 9.0 recorded above corresponds to the Visual Studio 2008 toolchain, so the VC++ 6.0 label should be treated as unreliable)

Code size:
25.5 KB (26,112 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Service

Command:
C:\users\gh\m-505060868748648695949980\winsvc.exe
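Added example (not part of the original report): a small hunt script for the persistence entry described above. The only facts taken from the report are the display name ‘Microsoft Windows Service’, the registered command path (C:\users\gh\m-<digits>\winsvc.exe) and the SHA-256 of w.exe; the generalisation to an m-<digits> folder pattern, the "Microsoft/Windows-named entry launched from a user profile" heuristic, the flow-log-free sample entries and the function names are this example's own assumptions. On Windows it reads HKCU\...\Run with winreg; elsewhere it falls back to the constructed sample entries.

```python
"""Hunt for the HKCU Run-key persistence seen in the w.exe report.

Added example; not the report's or the vendor's code. Facts from the report:
the display name, the winsvc.exe command path shape and the SHA-256 of w.exe.
Everything else (heuristics, thresholds, sample entries) is assumed.
"""
import hashlib
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_NAME = "microsoft windows service"
KNOWN_SHA256 = "ec91cc88366075ba311b97a4a37ab10eeae2377789a5a4def25be838ecf7fbe0"
# Assumption: the drop folder follows the 'm-<digits>' shape seen in the report.
DROP_PATH_RE = re.compile(r"\\users\\[^\\]+\\m-\d+\\winsvc\.exe", re.IGNORECASE)
# Generic heuristic: an autorun named after Microsoft/Windows whose binary
# lives in a user profile rather than under %ProgramFiles% or %SystemRoot%.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def sha256_of(path):
    """SHA-256 of a file on disk (raises OSError if it cannot be read)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def command_exe(command):
    """Extract the executable path from a Run-key command (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.search(r"\.exe", command, re.IGNORECASE)  # arguments follow '.exe'
    return command[: m.end()] if m else command


def classify_run_entry(name, command, hasher=None):
    """Return the reasons a Run entry resembles the report's persistence.

    `hasher` is injectable so the logic can be exercised without a real file.
    """
    reasons = []
    exe = command_exe(command)
    if name.strip().lower() == KNOWN_NAME:
        reasons.append("display name matches report")
    if DROP_PATH_RE.search(exe):
        reasons.append("command path matches m-<digits>\\winsvc.exe pattern")
    if USER_PROFILE_RE.match(exe) and re.search(r"microsoft|windows", name, re.IGNORECASE):
        reasons.append("Microsoft/Windows-named entry launched from a user profile")
    if hasher is not None:
        try:
            if hasher(exe) == KNOWN_SHA256:
                reasons.append("binary SHA-256 matches w.exe")
        except OSError:
            pass  # binary not readable here; hash evidence unavailable
    return reasons


def read_hkcu_run():
    """Enumerate HKCU\\...\\Run on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries.append((name, str(value)))
            i += 1
    return entries


def scan(entries, hasher=sha256_of):
    """Map entry name -> reasons for every entry that triggers at least one rule."""
    findings = {}
    for name, cmd in entries:
        reasons = classify_run_entry(name, cmd, hasher)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample entries; only the second reproduces the report's value.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\gh\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Microsoft Windows Service", r"C:\users\gh\m-505060868748648695949980\winsvc.exe"),
    ("Updater", r"C:\Users\gh\m-1234567890\winsvc.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, reasons in scan(read_hkcu_run() or SAMPLE_ENTRIES).items():
        print(f"{name}: " + "; ".join(reasons))
```

The OneDrive entry is included deliberately: it also runs from a user profile, but its value name does not impersonate Windows, so the heuristic leaves it alone; the "Updater" entry shows that the path pattern catches a renamed value.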


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to 162-144-70-81.unifiedlayer.com  (162.144.70.81:5050)

TCP (HTTP):
Connects to hosted-with.grabweb.net  (131.153.1.166:80)

TCP (SMTP):
Connects to yome.todo.ne.jp  (203.174.74.40:25)

TCP (SMTP):
Connects to www879.sakura.ne.jp  (219.94.128.89:25)

TCP (SMTP):
Connects to www2694.sakura.ne.jp  (49.212.180.104:25)

TCP (SMTP):
Connects to www1426.sakura.ne.jp  (219.94.163.36:25)

TCP (SMTP):
Connects to us5-4.rumahweb.com  (147.185.115.9:25)

TCP (SMTP):
Connects to transparent.outcomes.com  (208.111.39.225:25)

TCP (SMTP):
Connects to s1.eschbachit.com  (193.238.60.23:25)

TCP (SMTP):
Connects to rs23.naid.jp  (153.126.176.230:25)

TCP (SMTP):
Connects to ran4u.com  (122.155.17.236:25)

TCP (SMTP):
Connects to o4041-220.kagoya.net  (133.18.64.131:25)

TCP (SMTP):
Connects to mizwa.net  (114.147.35.251:25)

TCP (SMTP):
Connects to mail.bioac.com  (164.46.191.17:25)

TCP (SMTP):
Connects to mail.art-electro.com  (195.210.172.202:25)

TCP (SMTP):
Connects to host-185-59-31-149.ttnetdc.com  (185.59.31.149:25)

TCP (SMTP):
Connects to cp.itemvirtual.com  (213.239.192.238:25)

TCP (port 587, the SMTP submission port):
Connects to 5en.com  (64.130.52.10:587)

TCP (SMTP):
Connects to 228.160.189.93.wavetelecom.com  (93.189.160.228:25)

TCP:
Connects to 125.235.4.59.adsl.viettel.vn  (125.235.4.59:5050)
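Added example (not part of the original report): a detector that runs the connection list above against flow records. The destination IP:port pairs are taken from the report; the flow-record format (timestamp, source, destination, destination port, protocol), the internal host addresses, the fan-out threshold and window, and the function names are this example's own assumptions. It flags two things the list shows: direct hits on the non-SMTP destinations (port 5050 and the port-80 host), and a single workstation contacting many distinct mail servers on ports 25/587 in a short window, which is the spam-bot pattern rather than normal relaying through one corporate mail server.

```python
"""Match flow records against the w.exe report's network indicators.

Added example; not the report's or the vendor's code. IP:port pairs come from
the report's connection list; log format, thresholds and sample records are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Non-SMTP destinations from the report (bot traffic on 5050, HTTP on 80).
KNOWN_C2 = {
    ("125.235.4.59", 5050),
    ("162.144.70.81", 5050),
    ("131.153.1.166", 80),
}
SMTP_PORTS = {25, 587}
FANOUT_THRESHOLD = 5                    # distinct SMTP servers from one host ...
FANOUT_WINDOW = timedelta(minutes=10)   # ... within this window (assumed values)


def parse_flow(line):
    """Parse one constructed 'ISO-timestamp src dst dport proto' record."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto.lower()}


def find_c2_hits(flows):
    """Flows whose (dst, dport) is one of the report's non-SMTP destinations."""
    return [f for f in flows if (f["dst"], f["dport"]) in KNOWN_C2]


def find_smtp_fanout(flows, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: max distinct SMTP destinations seen within `window`}.

    Only hosts reaching >= threshold distinct servers are reported. A sliding
    window over each host's time-ordered SMTP flows keeps this O(n * window).
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["proto"] == "tcp" and f["dport"] in SMTP_PORTS:
            by_src[f["src"]].append(f)
    findings = {}
    for src, smtp in by_src.items():
        lo = 0
        for hi in range(len(smtp)):
            while smtp[hi]["ts"] - smtp[lo]["ts"] > window:
                lo += 1
            distinct = {f["dst"] for f in smtp[lo:hi + 1]}
            if len(distinct) >= threshold:
                findings[src] = max(len(distinct), findings.get(src, 0))
    return findings


def analyse(text):
    """Parse a flow log (blank lines ignored) and return both finding types."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return {"c2_hits": find_c2_hits(flows), "smtp_fanout": find_smtp_fanout(flows)}


# Constructed sample log. 10.0.0.23 reproduces the report's destinations;
# 10.0.0.9 is a normal host relaying through an internal mail server 10.0.0.5.
SAMPLE_LOG = """
2017-03-11T00:50:01 10.0.0.23 162.144.70.81 5050 tcp
2017-03-11T00:50:03 10.0.0.23 131.153.1.166 80 tcp
2017-03-11T00:51:10 10.0.0.23 203.174.74.40 25 tcp
2017-03-11T00:51:11 10.0.0.23 219.94.128.89 25 tcp
2017-03-11T00:51:12 10.0.0.23 49.212.180.104 25 tcp
2017-03-11T00:51:14 10.0.0.23 219.94.163.36 25 tcp
2017-03-11T00:51:15 10.0.0.23 147.185.115.9 25 tcp
2017-03-11T00:51:20 10.0.0.23 64.130.52.10 587 tcp
2017-03-11T00:52:00 10.0.0.9 10.0.0.5 25 tcp
2017-03-11T00:55:00 10.0.0.9 10.0.0.5 25 tcp
2017-03-11T00:58:00 10.0.0.9 10.0.0.5 587 tcp
2017-03-11T01:30:00 10.0.0.23 125.235.4.59 5050 tcp
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for f in result["c2_hits"]:
        print(f"C2 hit: {f['src']} -> {f['dst']}:{f['dport']} at {f['ts']}")
    for src, n in result["smtp_fanout"].items():
        print(f"SMTP fan-out: {src} reached {n} distinct mail servers")
```

The fan-out rule is the more durable of the two: the IP indicators will age out as the hosting changes, whereas a workstation speaking SMTP to a dozen unrelated MTAs stays anomalous. On networks where port 25 egress is already blocked at the perimeter, the blocked attempts still appear in firewall logs and feed the same rule.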

Remove w.exe - Powered by Reason Core Security