checkver.exe

National Tax Service

The executable checkver.exe has been detected as malware by 5 anti-virus scanners. The file has been seen being downloaded from download.hometax.go.kr.krweb.nefficient.com.
Publisher:
National Tax Service  (signed and verified)

Version:
1.0.8.0

MD5:
b6989d53bc9a7d917f7530bb60b5e7d2

SHA-1:
1377af5447915ea74941f1a96e0b0187c514b1f8

SHA-256:
fb643a6fa8d5b49692cfa722d10b6bb2f65ee70d3e180ee264351b79bf846d0c

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/23/2024 8:06:18 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| AVG | unknown virus Win32/DH | 2015.0.3489 |
| F-Secure | Gen:Trojan.Downloader.OGY@ayzj0pnO | 11.2014-30-04_4 |
| MicroWorld eScan | Gen:Trojan.Downloader.OGY@ayzj0pnO | 15.0.0.360 |
| Trend Micro House Call | TROJ_GEN.F47V0403 | 7.2.120 |
| VIPRE Antivirus | Trojan.Win32.Generic | 16890 |

File size:
4.5 MB (4,705,184 bytes)

Product version:
1.0.8.0

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\checkver.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
1/24/2013 9:00:00 AM

Valid to:
3/26/2014 8:59:59 AM

Subject:
CN=National Tax Service, OU=IT Team, O=National Tax Service, L=Yeongdeungpo-gu, S=SEOUL, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1C346812662DF6AFA5F7B2D477A4112F

File PE Metadata
Compilation timestamp:
6/20/1992 7:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:pZDcSiF12uLlrSiF12uLlqrnM3198JUM49Wq3vJwseFC0uLlt:pdc9vNpr9vNpqTcqJ/TqRNpt

Entry address:
0x40D00

Entry point:
55, 8B, EC, 83, C4, F4, B8, A8, 0B, 44, 00, E8, B4, 51, FC, FF, A1, 38, 1C, 44, 00, 8B, 00, E8, CC, D1, FF, FF, 8B, 0D, C4, 1A, 44, 00, A1, 38, 1C, 44, 00, 8B, 00, 8B, 15, 4C, 03, 44, 00, E8, CC, D1, FF, FF, A1, 38, 1C, 44, 00, 8B, 00, E8, 40, D2, FF, FF, E8, 37, 2A, FC, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
Entropy:
6.4036

Developed / compiled with:
Microsoft Visual C++

Code size:
255.5 KB (261,632 bytes)

The file checkver.exe has been seen being distributed by the following URL.
