www.exe

The executable www.exe has been detected as malware by 3 of the 68 anti-virus scanners that examined it. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Microsoft Windows Service’. While running, it connects to the Internet host hosted-with.grabweb.net on port 80 using the HTTP protocol.
MD5:
75784f72ca9d13d8604591985d371b86

SHA-1:
1cb491accb9b85f2bb1b455472000d0a60805370

SHA-256:
e63276867996063e137f042b756ed246153df1dae9b43a88986aabc0293eaf98

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
3/2/2017 4:21:10 PM UTC (eight months ago)

Scan engine:
Dr.Web
Detection:
probably DLOADER.IRC.Trojan
Engine version:
9.0.1.05190

Scan engine:
ESET NOD32
Detection:
Win32/AutoRun.IRCBot.JD worm
Engine version:
6.3.12010.0

Scan engine:
F-Secure
Detection:
Generic.Malware.SM!YBddld.36912B02
Engine version:
5.16.24

File size:
39.5 KB (40,448 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\www.exe

File PE Metadata
Compilation timestamp:
3/2/2017 11:49:37 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x73F0

Entry point:
55, 8B, EC, 6A, FF, 68, 80, 97, 40, 00, 68, 70, 75, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, CC, 80, 40, 00, 59, 83, 0D, 14, CA, 40, 00, FF, 83, 0D, 18, CA, 40, 00, FF, FF, 15, D0, 80, 40, 00, 8B, 0D, 10, CA, 40, 00, 89, 08, FF, 15, D4, 80, 40, 00, 8B, 0D, 0C, CA, 40, 00, 89, 08, A1, D8, 80, 40, 00, 8B, 00, A3, 1C, CA, 40, 00, E8, 10, 01, 00, 00, 39, 1D, 50, B5, 40, 00, 75, 0C, 68, 6C, 75, 40, 00, FF, 15, E0, 80...

Entropy:
6.3072

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
25.5 KB (26,112 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Service

Command:
C:\users\azan\m-505025977559245030139752030\winsvc.exe

The executing file has been seen to make the following network communications in live environments.


Remove www.exe - Powered by Reason Core Security