72hgmojs2ldp5ywpfsqbbgywqqf2wekj..exe

The executable 72hgmojs2ldp5ywpfsqbbgywqqf2wekj..exe has been detected as malware by 6 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘javaw’. While running, it connects to the Internet address lord.vivawebhost.com on port 80 using the HTTP protocol.
Version:
0.0.0.0

MD5:
bd11e6ffea4880e513d66ff320bb80c1

SHA-1:
219d9595b4cbd8bad582caea983f73f81ab43881

SHA-256:
60c1d2556bc717288f996975650120b10e9cdefa9603fffd8db5517f2b0504bf

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
11/18/2024 5:00:10 AM UTC

Scan engine       Detection                     Engine version
avast!            Win32:Agent-AOBX [Trj]        160805-0
AVG               ILCrypt                       2013.0.4447
Clam AntiVirus    Win.Trojan.Chabava-1          0.98/22036
Dr.Web            Trojan.DownLoader11.27577     9.0.1.05190
ESET NOD32        MSIL/Agent.HD trojan          6.3
F-Secure          Variant.Barys.50424           5.15.96

File size:
22 KB (22,528 bytes)

Product version:
0.0.0.0

Original file name:
a.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\72hgmojs2ldp5ywpfsqbbgywqqf2wekj..exe

File PE Metadata
Compilation timestamp:
8/3/2016 4:21:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:Ezcb4upgQJoz2NXiJgV1JloCkynMKK9PaifzKrYoROBsjhIvMTDaS:EMUpJMblLk7CKohWMTDaS

Entry address:
0x6E7E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.2180

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
20 KB (20,480 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
javaw

Command:
C:\users\{user}\appdata\roaming\javaw.exe
The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to lord.vivawebhost.com (173.237.190.2:80)

Remove 72hgmojs2ldp5ywpfsqbbgywqqf2wekj..exe - Powered by Reason Core Security