Cheba.exe

Cheba

The executable Cheba.exe has been detected as malware by 7 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Cheba’. While running, it connects to the Internet address blob.am5prdstr07a.store.core.windows.net on port 443.
Publisher:
Cheba

Version:
1.0.1.0

MD5:
8fe1d01cc90faf9a608ee80e04433b75

SHA-1:
250d0d9d55ecaf155f40d7e9716aeb539011cc7b

SHA-256:
41b5003d48ff9e17335762a1fc1c498eaf5a5b01b9010b9d1448d1ea4c0d8016

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
11/23/2024 2:46:55 AM UTC

Scan engine             Detection                  Engine version
Lavasoft Ad-Aware       Gen:Variant.Kazy.570346    697
avast!                  Win32:Evo-gen [Susp]       150101-1
Bitdefender             Gen:Variant.Kazy.570346    1.0.20.340
Emsisoft Anti-Malware   Gen:Variant.Kazy.570346    8.15.03.09.01
F-Secure                Gen:Variant.Kazy.570346    5.13.68
G Data                  Gen:Variant.Kazy.570346    15.3.25
MicroWorld eScan        Gen:Variant.Kazy.570346    16.0.0.204

File size:
112.5 KB (115,200 bytes)

Product version:
1.0.1.0

Original file name:
Cheba.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\cheba\cheba.exe

File PE Metadata
Compilation timestamp:
3/8/2015 1:03:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:uwhyrMvWUxVdp6mq7lOI+WBFs7JfvGLQL3nkWNJf7YQJh6kqrjh/M8rdJDG:ph7pdp4xDa7NGU3kWnf7YpBhk8fDG

Entry address:
0x1CCEA

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
107.5 KB (110,080 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Cheba

Command:
C:\users\{user}\appdata\local\cheba\cheba.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP SSL):
Connects to blob.am5prdstr07a.store.core.windows.net (13.95.96.184:443)
