cfuwxqqr.exe

The executable cfuwxqqr.exe has been detected as malware by 2 anti-virus scanners. It runs as a windows Service named “Cache Accounts Framework”. While running, it connects to the Internet address redirect.ovh.net on port 80 using the HTTP protocol.
MD5:
4740c75d9fe526966836ed0da53beb07

SHA-1:
6c43a24be9c5b9d08bc0fa34055946991ccc70d0

SHA-256:
55a86cf015071c009d9f844cb7dc4514644f613d481cdb3abedd491ff9403866

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/24/2024 4:00:28 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Bayrob.BL trojan
6.3.12010.0

Reason Heuristics
Trojan.Bayrob.ET (M)
16.11.17.9

File size:
1 MB (1,073,152 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\cfuwxqqr.exe

File PE Metadata
Compilation timestamp:
8/16/2013 7:12:12 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:cUkWf0fnCbrNR/j/pZvdCvLBr7Ov9m37RxuFwYILuR55:cUkQ0CbrNifOv9mVxuFw4R

Entry address:
0xCAFAE

Entry point:
E8, BA, 9E, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 28, F0, 4E, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 2C, F0, 4E, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, 8E, 0E, 00, 00, 85, C0, 75, 06, B8, 90, F1, 4E, 00, C3, 83, C0, 08, C3, E8, 7B, 0E, 00, 00, 85, C0, 75, 06, B8, 94, F1, 4E, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...
 
[+]

Entropy:
7.0160

Code size:
914.5 KB (936,448 bytes)

Service
Display name:
Cache Accounts Framework

Type:
Win32OwnProcess, InteractiveProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www425b.sakura.ne.jp  (219.94.155.215:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.90:80)

TCP:
Connects to static-191-98-226-199.alfanumeric.com.ni  (191.98.226.199:43162)

TCP (HTTP):
Connects to redirect.ovh.net  (213.186.33.5:80)

TCP:
Connects to 108-191-215-119.biz.bhn.net  (108.191.215.119:25714)

Remove cfuwxqqr.exe - Powered by Reason Core Security