cv2vr.exe

The executable cv2vr.exe has been flagged as malware by 3 of the 68 anti-virus scanners consulted. It persists as a scheduled task under the Windows Task Scheduler, triggered by a time event. The file has been observed being downloaded from www.kafiridovishness.site.
Publisher:
Plonet Pline

Product:
Stpll

Description:
-----

Version:
219.167.153.250

MD5:
1b1fc565b8b33243ab27ee24839c8a02

SHA-1:
16e68d815a0ee88e485c70071364196bac931316

SHA-256:
e469d8c7db1b9a5d89be8f98094e46f1877d6462b025eae56313ab06718c7525

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
12/25/2024 4:32:04 PM UTC

Scan engine   Detection                        Engine version
avast!        Win32:Evo-gen [Susp]             160327-1
F-Secure      Variant.Strictor.105364          5.15.21
Norman        Gen:Variant.Strictor.105364      02.04.2016 17:35:19

File size:
610 KB (624,640 bytes)

Product version:
219.167.153.250

Copyright:
Rights 2000

Trademarks:
US CAPS

Original file name:
osetup.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\cv2vr.exe

File PE Metadata
Compilation timestamp:
5/17/2016 6:50:38 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:EBNsp/nDAs6m66VM6Znag/9DKSWENTSJd3zDRRKy4yf+:E27p63kNFDKjENTSbjDRR5m

Entry address:
0xFCE7

Entry point:
E8, 2F, 3B, 00, 00, E9, 39, FE, FF, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 6C, 3D, 43, 00, FF, 15, E4, 70, 42, 00, 85, C0, 75, 18, 56, E8, 7A, 2C, 00, 00, 8B, F0, FF, 15, 4C, 70, 42, 00, 50, E8, C5, 2C, 00, 00, 59, 89, 06, 5E, 5D, C3, CC, CC, CC, CC, CC, CC, CC, 80, F9, 40, 73, 15, 80, F9, 20, 73, 06, 0F, AD, D0, D3, EA, C3, 8B, C2, 33, D2, 80, E1, 1F, D3, E8, C3, 33, C0, 33, D2, C3, 55, 8B, EC, 53, 8B, 5D, 10, 57, 33, FF, 85, DB, 75, 14, E8, 2D, 2C, 00, 00, C7, 00, 16, 00, 00...

Entropy:
7.3725

Code size:
151.5 KB (155,136 bytes)

Scheduled Task
Task name:
{AF03B44E-4D4A-49B1-B351-938158BC6BC6}

Trigger:
Time

The file cv2vr.exe has been seen being distributed from the URL www.kafiridovishness.site.

Powered by Reason Core Security