##90c4130.exe

CrystalDiskInfo

Crystal Dew World

The executable ##90c4130.exe has been detected as malware by 31 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘##90c4130.exe’. The file has been seen being downloaded from s.dropcanvas.com.
Publisher:
Crystal Dew World

Product:
CrystalDiskInfo

Version:
6.2.2.2014

MD5:
02df033bf90127387e067c05c7e7b686

SHA-1:
cc5ae7c3fd67b2e2fb509cdbc9c69f687d583e2a

SHA-256:
268eacb1446e0e2ef62d152a35096c3eac66dcf1fc63599329f4351e83ed1c9e

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
1/13/2025 8:49:35 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.2389413 | 389
Agnitum Outpost | Trojan.IRCBot | 7.1.1
AhnLab V3 Security | Trojan/Win32.Fareit | 2015.10.27
Avira AntiVirus | TR/Crypt.ZPACK.150485 | 8.3.2.2
Arcabit | Trojan.Generic.D2475A5 | 1.0.0.585
avast! | Win32:Malware-gen | 2014.9-160112
AVG | BackDoor.Ircbot | 2017.0.2867
Baidu Antivirus | Trojan.Win32.IRCBot | 4.0.3.16112
Bitdefender | Trojan.GenericKD.2389413 | 1.0.20.60
Comodo Security | UnclassifiedMalware | 23478
Dr.Web | BackDoor.IRC.Bot.2828 | 9.0.1.012
Emsisoft Anti-Malware | Trojan.GenericKD.2389413 | 8.16.01.12.04
ESET NOD32 | Win32/IRCBot.ASG | 10.12467
Fortinet FortiGate | W32/IRCBot.ASG!tr | 1/12/2016
F-Secure | Trojan.GenericKD.2389413 | 11.2016-12-01_3
G Data | Trojan.GenericKD.2389413 | 16.1.25
IKARUS anti.virus | Trojan.Win32.IRCBot | t3scan.1.9.5.0
K7 AntiVirus | Backdoor | 13.212.17655
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.829
Malwarebytes | Trojan.Pseudo | v2016.01.12.04
McAfee | RDN/Sdbot.worm!ce | 5600.6523
Microsoft Security Essentials | Backdoor:Win32/Wecoym.A | 1.1.12205.0
MicroWorld eScan | Trojan.GenericKD.2389413 | 17.0.0.36
nProtect | Trojan.GenericKD.2389413 | 15.10.26.01
Panda Antivirus | Trj/Genetic.gen | 16.01.12.04
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015
Quick Heal | Trojan.Generic.B4 | 1.16.14.00
Sophos | Mal/Generic-S | 4.98
Trend Micro | TROJ_GEN.R0EBC0CEF15 | 10.465.12
VIPRE Antivirus | Trojan.Win32.Generic | 44830
Zillya! Antivirus | Trojan.IRCBot.Win32.7472 | 2.0.0.2476

File size:
160 KB (163,840 bytes)

Product version:
6.2.2.2014

Copyright:
Copyright (C) 2008-2014 hiyohiyo. All rights reserved.

Original file name:
DiskInfo.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\##90c413\##90c4130.exe

File PE Metadata
Compilation timestamp:
5/8/2015 8:44:38 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:yQGXMePaS5LH4ypgRnTkqpaRFEGrkcEpeJuv8t4:uceyeLH4ysT9sE6kcFJT4

Entry address:
0x32F1

Entry point:
E8, 83, 48, 00, 00, E9, 89, FE, FF, FF, C7, 01, 60, 56, 41, 00, E9, CB, 49, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, 60, 56, 41, 00, E8, B8, 49, 00, 00, F6, 45, 08, 01, 74, 07, 56, E8, B4, 0C, 00, 00, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, C6, 49, 00, 00, C7, 06, 60, 56, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 83, EC, 10, EB, 0D, FF, 75, 08, E8, A9, 4B, 00, 00, 59, 85, C0, 74, 0F, FF, 75, 08, E8, F9, 4A, 00, 00, 59, 85, C0, 74, E6, C9, C3, F6...

Entropy:
7.1258

Code size:
55.5 KB (56,832 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
##90c4130.exe

Command:
"C:\users\{user}\appdata\roaming\##90c413\##90c4130.exe"
The file ##90c4130.exe has been seen being distributed by the following URL.
