bfxuez.exe

sshfyvPm

The executable bfxuez.exe has been detected as malware by 4 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘bfxuez’. While running, it connects to the Internet address box361.bluehost.com on port 80 using the HTTP protocol.
Publisher:
Microsoft*  (Invalid match)

Product:
sshfyvPm

Version:
5.86

MD5:
1ab8c16a1f81556b02f5b3da32180d21

SHA-1:
36e777f0b2a906c95292628b506411c1876513dc

SHA-256:
02f9ec04c39a966e5ab3557b66830ec7d92865fb5a00a16f07c28ab2590838b4

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
11/23/2024 12:14:37 PM UTC

Scan engine       Detection                 Engine version
AVG               Worm/VB.8.AW              2013.0.4756
Clam AntiVirus    Html.Trojan.VBChinky-1    0.98/23175
Dr.Web            Trojan.Fakealert.14606    9.0.1.05190
Kaspersky         Trojan.Win32.Vobfus       15.0.2.529

File size:
152 KB (155,648 bytes)

Product version:
5.86

Original file name:
sshfyvPm.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\administrator\bfxuez.exe

File PE Metadata
Compilation timestamp:
4/1/2010 4:06:31 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x11A0

Entropy:
6.7037

Code size:
72 KB (73,728 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
bfxuez

Command:
C:\users\administrator\bfxuez.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to box361.bluehost.com  (69.89.31.161:80)

TCP (HTTP):
Connects to box383.bluehost.com  (69.89.31.183:80)

TCP (HTTP):
Connects to 217-160-0-4.elastic-ssl.ui-r.com  (217.160.0.4:80)

TCP (HTTP):
Connects to 217-160-0-39.elastic-ssl.ui-r.com  (217.160.0.39:80)

Remove bfxuez.exe - Powered by Reason Core Security