bvycd.exe

Xplayer

Zaid Markabi

The executable bvycd.exe has been detected as malware by 6 anti-virus scanners. It is a setup program used to install the application. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘WindowsApp.exe’. The file has been seen being downloaded from ddl3.data.hu.
Publisher:
Zaid Markabi

Product:
Xplayer

Version:
1.00

MD5:
2461c5c6594f3f2a46fb0b52f1f498a8

SHA-1:
8410c343658d9b8df989c8251d09c8b2e5e5b68c

SHA-256:
f1711cce9ff826ab87332492a2ff16ec4a3bea6baa05b8fe713de51fccae8266

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
11/14/2024 3:13:56 PM UTC

Scan engine             Detection                               Engine version
AegisLab AV Signature   Troj.W32.Gen                            2.1.4+
Baidu Antivirus         Win32.Trojan.WisdomEyes.151026.9950     4.0.3.16324
Kaspersky               HEUR:Trojan.Win32.Generic               14.0.0.468
Panda Antivirus         Generic Suspicious                      16.03.24.10
Qihoo 360 Security      QVM03.0.Malware.Gen                     1.0.0.1120
Rising Antivirus        PE:Malware.RDM.35!5.29 [F]              23.00.65.16322

File size:
543.5 KB (556,581 bytes)

Product version:
1.00

Original file name:
chofkata.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\bvycd.exe

File PE Metadata
Compilation timestamp:
3/20/2016 7:20:37 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:z6GNu3SvZCDrugeQQfzAqybguOQcqtctJd7G:z6GNu3SxCOgeQQfrybguObISv6

Entry address:
0x18A4

Entry point:
68, E8, 19, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 38, 00, 00, 00, 00, 00, 00, 00, 7F, A6, 9F, 87, 7C, E0, 3C, 48, A7, 50, 4A, 26, 36, 80, 49, 54, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 87, 7A, 00, 00, 00, 80, 58, 70, 6C, 61, 79, 65, 72, 00, 00, 00, 00, 00, FF, CC, 31, 00, 00, CC, 3A, CA, 37, 5D, 92, CB, 45, B2, 88, 42, 9A, 90, 01, C6, 87, 36, B9, AE, 32, B9, B5, 46, 41, B4, 76, BE, BA, 49, A6, 4B, 28, 72, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00, AA, 00, 60, D3, 93, 00, 00, 00...

Developed / compiled with:
Microsoft Visual Basic v5.0/v6.0

Code size:
136 KB (139,264 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WindowsApp.exe

Command:
C:\users\{user}\appdata\roaming\windowsapp\windowsapp.exe

The file bvycd.exe has been seen being distributed by the following URL.