0kvsaydztly2.exe

Amigo@Mail.Ru

LLC Mail.Ru

The executable 0kvsaydztly2.exe has been detected as malware by 1 anti-virus scanner. This is a setup program which is used to install the application. The file has been seen being downloaded from amigobin.cdnmail.ru and multiple other hosts. While running, it connects to the Internet address moscow.cdnmail.ru on port 80 using the HTTP protocol.
Publisher:
Mail.Ru  (signed by LLC Mail.Ru)

Product:
Amigo@Mail.Ru

Version:
2.0.0.150

MD5:
a2712c2ac2801b7d8f12ea7aca0e9fad

SHA-1:
7167649eb03569c2643bcf2c2f2164ea0d803a8d

SHA-256:
63151c8459dea187cf75f2d68e6d9ba80d3071a7218f39b4ba77f92d96679da5

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/26/2024 1:37:01 AM UTC

Scan engine          Detection        Engine version
Reason Heuristics    Win32.Generic    17.1.30.16

File size:
390 KB (399,336 bytes)

Product version:
2.0.0.150

Copyright:
Copyright 2015

Original file name:
Amigo@Mail.Ru

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\0kvsaydztly2.exe

Digital Signature
Signed by:
LLC Mail.Ru
Authority:
thawte, Inc.

Valid from:
12/27/2016 3:00:00 AM

Valid to:
12/28/2018 2:59:59 AM

Subject:
CN=LLC Mail.Ru, OU=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
73AE78A2E7488B911CC4BA3AD48388D3

File PE Metadata
Compilation timestamp:
10/11/2016 1:16:23 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0xF92C

Entry point:
E8, 54, 06, 00, 00, E9, 8E, FE, FF, FF, FF, 25, D0, F3, 42, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 6B, F6, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 5A, F6, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, 10, 44, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00...

Code size:
180.5 KB (184,832 bytes)

The file 0kvsaydztly2.exe has been seen being distributed by the following 2 URLs.

https://amigobin.cdnmail.ru/AmigoDistrib.exe

http://amigobin.cdnmail.ru/AmigoDistrib.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mrds.mail.ru  (217.69.139.245:80)

TCP (HTTP):
Connects to moscow.cdnmail.ru  (94.100.180.110:80)

TCP (HTTP):
Connects to static.vnpt.vn  (113.171.224.211:80)

TCP (HTTP):
Connects to mailru-po10.c7600.optibit.ru  (185.25.62.163:80)

TCP (HTTP):
Connects to ip-172-26-136-19.ec2.internal  (172.26.136.19:80)

TCP (HTTP):
Connects to ip-46-19-97-98.gnc.net  (46.19.97.98:80)

Remove 0kvsaydztly2.exe - Powered by Reason Core Security