home

20.exe

The executable 20.exe has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘853bd5b21c2ce58249d74eae6362d0f9’. The file has been seen being downloaded from www.exeupp.com.
MD5:
c731d337c8a67269269db42712c96d9c

SHA-1:
720e5541266f833151f9987eb708ee237358697c

SHA-256:
20d8b9878ec80bcebcdf5c0c70ef31357b48809b9375ecfd37f017c56760f942

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
11/27/2024 8:47:54 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.DownLoader18.23009
9.0.1.05190

ESET NOD32
MSIL/Kryptik.EWR trojan
8.0.319.0

File size:
108 KB (110,592 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\20.exe

File PE Metadata
Compilation timestamp:
1/16/2016 10:42:55 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:i7wWeCIsaap2S5hSwwnYlAti6NehA0cwn:i7DIshL5hSPX8A0cw

Entry address:
0x19A7E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
4.0245

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
96 KB (98,304 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
853bd5b21c2ce58249d74eae6362d0f9

Command:
"C:\users\{user}\appdata\local\temp\3m f.exe"..


The file 20.exe has been seen being distributed by the following URL.

https://www.exeupp.com/.../20.exe

Remove 20.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.