w2.exe

The executable w2.exe has been detected as malware by 19 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘w2’. While running, it connects to the Internet address ip-184-168-221-34.ip.secureserver.net on port 80 using the HTTP protocol.
Description:
w

Version:
5.5.3.5

MD5:
b0b783bbdd56b92dd7205f6b029c4f6d

SHA-1:
1f9bfd2b8efd154502baac733076d96901cd72bf

SHA-256:
09a8751fa3d3a2c219b018912156452d2f1eec9014e32205b77dd0c68487cf53

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
11/21/2018 9:27:16 AM UTC

Scan engine: detection (engine version)
Lavasoft Ad-Aware: Worm.Generic.554590 (361)
Avira AntiVirus: TR/Special.80896.1 (7.11.212.104)
avast!: Win32:Dropper-gen [Drp] (2014.9-160208)
AVG: MSIL7 (2017.0.2839)
Baidu Antivirus: Worm.MSIL.Agent (4.0.3.1628)
Bitdefender: Worm.Generic.554590 (1.0.20.195)
Emsisoft Anti-Malware: Worm.Generic.554590 (8.16.02.08.06)
ESET NOD32: MSIL/Agent.JD (variant) (10.11229)
Fortinet FortiGate: MSIL/Agent.JD!worm (2/8/2016)
F-Secure: Worm.Generic.554590 (11.2016-08-02_2)
G Data: Worm.Generic.554590 (16.2.25)
IKARUS anti.virus: Worm.MSIL.Agent (t3scan.1.8.6.0)
Kaspersky: UDS:DangerousObject.Multi.Generic (14.0.0.691)
McAfee: Artemis!B0B783BBDD56 (5600.6495)
MicroWorld eScan: Worm.Generic.554590 (17.0.0.117)
nProtect: Worm.Generic.554590 (15.02.25.01)
Qihoo 360 Security: HEUR/QVM03.0.Malware.Gen (1.0.0.1015)
Trend Micro House Call: Suspicious_GEN.F47V0218 (7.2.39)
VIPRE Antivirus: Trojan.Win32.Generic (37880)

File size:
79 KB (80,896 bytes)

Product version:
5.5.3.5

Copyright:
2015

Original file name:
wb.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

File PE Metadata
Compilation timestamp:
2/17/2015 3:06:37 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:0BYS9puqJK5CpEsZgoyymaXRHXmVarc6oL:02iuqJK5/oZh3mwc6oL

Entry address:
0x11B86

Entry point:

Entropy:
5.7342

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
63 KB (64,512 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
w2

Command:
"C:\configration\w2.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-184-168-221-34.ip.secureserver.net  (184.168.221.34:80)

TCP (HTTP):
Connects to 41.220.75.117.mtnnigeria.net  (41.220.75.117:80)

TCP (HTTP):
Connects to 41.220.75.101.mtnnigeria.net  (41.220.75.101:80)

TCP (HTTP):
Connects to host-213.158.189.23.tedata.net  (213.158.189.23:80)

TCP (HTTP):
Connects to host-213.158.163.240.tedata.net  (213.158.163.240:80)

TCP (HTTP):
Connects to 41.220.75.121.mtnnigeria.net  (41.220.75.121:80)

TCP (HTTP):
Connects to host-213.158.163.244.tedata.net  (213.158.163.244:80)

TCP (HTTP):
Connects to host-213.158.163.242.tedata.net  (213.158.163.242:80)

TCP (HTTP):
Connects to cache.google.com  (197.220.0.20:80)

TCP (HTTP):
Connects to 41.220.75.95.mtnnigeria.net  (41.220.75.95:80)

TCP (HTTP):
Connects to 41.220.75.123.mtnnigeria.net  (41.220.75.123:80)

TCP (HTTP):
Connects to 41.220.75.112.mtnnigeria.net  (41.220.75.112:80)

TCP (HTTP):
Connects to 41.220.75.110.mtnnigeria.net  (41.220.75.110:80)

TCP (HTTP):
Connects to wk-in-f94.1e100.net  (74.125.206.94:80)

TCP (HTTP):
Connects to wk-in-f103.1e100.net  (74.125.206.103:80)

TCP (HTTP):
Connects to par10s29-in-f3.1e100.net  (216.58.209.227:80)

TCP (HTTP):
Connects to par10s29-in-f228.1e100.net  (216.58.209.228:80)

TCP (HTTP SSL):
Connects to mil04s22-in-f14.1e100.net  (172.217.23.78:443)

TCP (HTTP):
Connects to lhr35s06-in-f14.1e100.net  (216.58.212.110:80)

TCP (HTTP):
Connects to lhr26s04-in-f4.1e100.net  (216.58.198.228:80)
