crossfirer2016.exe

The executable crossfirer2016.exe has been detected as malware by 6 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘aef09d23e859fde7c572aa5a9efdb0eb’. The file has been seen being downloaded from dc316.4shared.com.
MD5:
e3da238c6b7cd8a630bde41c1c73f3c3

SHA-1:
7d140be22af4d2887a6276370abb69214339525c

SHA-256:
45dfafc78081daf71cad7c8bfc5efa40bf0d4f659b02e96a41eb0ba3d8eb0b1f

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
11/5/2024 5:45:41 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
MSIL:GenMalicious-BVR [Trj]
160327-1

Emsisoft Anti-Malware
Gen:Variant.Barys.51435
11.5.0.6191

ESET NOD32
MSIL/Bladabindi.CF trojan
7.0.302.0

F-Secure
Variant.Barys.51435
5.15.96

Norman
Gen:Variant.Barys.51435
10.04.2016 15:29:17

Sophos
Virus 'Troj/Bbindi-W'
5.23

File size:
1 MB (1,090,560 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\crossfirer2016.exe

File PE Metadata
Compilation timestamp:
3/21/2016 11:11:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:lxwgTGEu9YTTcmBa6Ahlm7aWZd6LVK/P:HPTcm+maWTL/

Entry address:
0x10BB65

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
5.6248

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1 MB (1,088,512 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
aef09d23e859fde7c572aa5a9efdb0eb

Command:
"C:\ProgramData\crossfirer2016.exe"..


The file crossfirer2016.exe has been seen being distributed by the following URL.

Remove crossfirer2016.exe - Powered by Reason Core Security