yhemgr32.exe

The executable yhemgr32.exe has been detected as malware by 35 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current user Run registry key, under the display name ‘yhemgr32.exe’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
MD5:
c1e1d9e53f14abe4ace828c89142a81c

SHA-1:
3473211d0a91741fa384e3c85edffed79f8dbd61

SHA-256:
0f677307198368fc03bb67b98355cd040067549dfa45bcae58098d67aaf68184

Scanner detections:
35 / 68

Status:
Malware

Analysis date:
4/24/2024 9:02:36 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.1732755
856

Agnitum Outpost
Trojan.Emotet
7.1.1

AhnLab V3 Security
Win-Trojan/Emotet.147456
2014.08.08

Avira AntiVirus
TR/SpluseLoader.A.46
7.11.165.246

avast!
Win32:Downloader-VMF [Trj]
2014.9-141002

AVG
Generic_s
2015.0.3334

Baidu Antivirus
Trojan.Win32.Emotet
4.0.3.14102

Bitdefender
Trojan.GenericKD.1732755
1.0.20.1375

Comodo Security
UnclassifiedMalware
19117

Dr.Web
Trojan.Emotet.34
9.0.1.0275

Emsisoft Anti-Malware
Trojan.Win32.Emotet
8.14.10.02.04

ESET NOD32
Win32/Emotet.AA
8.10220

Fortinet FortiGate
W32/Emotet.AA!tr
10/2/2014

F-Prot
W32/Emotet.J
v6.4.7.1.166

F-Secure
Trojan.GenericKD.1732755
11.2014-02-10_5

G Data
Trojan.GenericKD.1732755
14.10.24

IKARUS anti.virus
Trojan-Ransom.Win32.Foreign
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.183.12981

Kaspersky
Trojan-Ransom.Win32.Foreign
14.0.0.3164

Malwarebytes
Trojan.Agent.ED
v2014.10.02.04

McAfee
RDN/Generic.bfr!hk
5600.6990

Microsoft Security Essentials
Trojan:Win32/Emotet.B
1.10802

MicroWorld eScan
Trojan.GenericKD.1732755
15.0.0.825

NANO AntiVirus
Trojan.Win32.Foreign.dbtquv
0.28.2.61349

nProtect
Trojan.GenericKD.1732755
14.08.07.01

Panda Antivirus
Trj/CI.A
14.10.02.04

Qihoo 360 Security
HEUR/Malware.QVM20.Gen
1.0.0.1015

Quick Heal
TrojanRansom.Foreign.r4
10.14.14.00

Rising Antivirus
PE:Trojan.Win32.Generic.16E5F34C!384168780
23.00.65.14930

Sophos
Troj/Emotet-C
4.98

Total Defense
Win32/Tnega.CUVIReB
37.0.11105

Trend Micro House Call
TROJ_EMOTET.AX
7.2.275

Trend Micro
TROJ_EMOTET.AX
10.465.02

VIPRE Antivirus
Trojan.Win32.Generic.pak!cobra
32020

ViRobot
Trojan.Win32.Zbot.142848.B
2011.4.7.4223

File size:
144 KB (147,456 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\microsoft\yhemgr32.exe

File PE Metadata
Compilation timestamp:
4/25/2014 1:45:48 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:5B8yjdggZgh/DnvwgBJIYLGsvHubZrsDzNubh:5WyR/ZghUxYPvHubKpubh

Entry address:
0x21287

Entry point:
55, 8B, EC, 83, EC, 30, 57, 56, 53, 2B, DB, E8, 0E, 01, 00, 00, EB, 19, 58, 8B, D0, 8B, 3D, 3F, EC, 41, 00, 2B, D7, 52, A3, 8B, EB, 41, 00, FF, 15, 8B, EB, 41, 00, EB, 4F, 83, 3D, A7, EB, 41, 00, 01, 74, 46, 68, 6F, EC, 41, 00, 8B, DD, 03, 1D, 63, EC, 41, 00, 89, 1D, 53, EC, 41, 00, FF, 35, 53, EC, 41, 00, FF, 75, CC, 8B, 4D, C8, 51, FF, 75, C4, 68, 4F, EC, 41, 00, 68, 5F, EC, 41, 00, 8B, 1D, BF, EB, 41, 00, 89, 1D, 3F, EC, 41, 00, 50, 68, 3F, EC, 41, 00, E8, DD, 00, 00, 00, EB, 98, 2B, C0, 5B, 5E, 5F, 8B...

Developed / compiled with:
Microsoft Visual C++

Code size:
1.5 KB (1,536 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
yhemgr32.exe

Command:
C:\Documents and Settings\{user}\Application data\microsoft\yhemgr32.exe


Remove yhemgr32.exe - Powered by Reason Core Security