cobrance_boleto_05_fev_pdf1175847543.exe

The executable cobrance_boleto_05_fev_pdf1175847543.exe has been detected as malware by 4 anti-virus scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from vxov6u5ufbbnu1dumsbamcgmb5xmgcso.cobrance.ru and multiple other hosts.
Version:
0.0.0.0

MD5:
2ac6ed92ea69c94c4a3be810d085eec7

SHA-1:
90d6672f0865c5f0c5e1be3657977492d591314b

SHA-256:
ff071f05ead56f42b5ac513ab587732b6ad71c1ff99e7719b469b320a1ad5c3d

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
12/27/2024 3:19:02 AM UTC  (today)

Scan engine
Detection
Engine version

Emsisoft Anti-Malware
Gen:Variant.Kazy.780508
10.0.0.5366

ESET NOD32
MSIL/TrojanDownloader.Agent.BMO trojan
7.0.302.0

F-Secure
Variant.Kazy.780508
5.15.21

Norman
Gen:Variant.Kazy.780508
03.12.2014 13:20:04

File size:
348 KB (356,352 bytes)

Product version:
0.0.0.0

Original file name:
Loader-DWTYGUMERX.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\cobrance_boleto_05_fev_pdf1175847543.exe

File PE Metadata
Compilation timestamp:
2/2/2016 11:05:38 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:YXwozwP1SK+AGGjGkGjrNGGRTGSGgGm0GGoGGe/oRRfGGTGG8GkmIioqGGsGG/Gi:D2Gz+7ugRujBz

Entry address:
0x55D12

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
336 KB (344,064 bytes)

The file cobrance_boleto_05_fev_pdf1175847543.exe has been seen being distributed by the following 3 URLs.

http://vxov6u5ufbbnu1dumsbamcgmb5xmgcso.cobrance.ru/emissao.php?id=DECIOMG

Remove cobrance_boleto_05_fev_pdf1175847543.exe - Powered by Reason Core Security