cykimhegigka.exe

The executable cykimhegigka.exe has been detected as malware by 38 of the 68 anti-virus scanners consulted. It is set to start automatically whenever the user logs into Windows, via a value named ‘cykimhegigka’ under the current-user Run registry key. While running it makes plain HTTP connections over TCP port 80 to a long list of hosts, the first of which is www65.totaalholding.nl (185.56.145.59); the full list is given in the network section below. The detection names agree on a packed trojan with downloader and password-stealer traits (Cutwail, Fareit/Tepfer, Zbot, Injector), and several engines use the PornoAsset ransomware family name.
MD5:
00cc5e35eff0f94d2753e9f8924eb980

SHA-1:
2b7d4ba3e748f915ce57ec80b3f4687ed33d4f4f

SHA-256:
15b00fcece6364c7d2ea088317a56fe3fbdcb1117439fcbe4f2027ab971527c8

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
11/23/2024 1:40:22 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Encpk.Gen.1 | 264
Agnitum Outpost | Trojan.PornoAsset | 7.1.1
AhnLab V3 Security | Spyware/Win32.Zbot | 2015.08.28
Avira AntiVirus | BDS/Androm.vmba | 8.3.2.2
Arcabit | Trojan.Encpk.Gen.1 | 1.0.0.425
avast! | Win32:Injector-BLD [Trj] | 2014.9-160515
AVG | Generic9_c | 2017.0.2742
Baidu Antivirus | Trojan.Win32.Ransom | 4.0.3.16515
Bitdefender | Trojan.Encpk.Gen.1 | 1.0.20.680
Bkav FE | W32.FavenoLTB.Trojan | 1.3.0.7133
Comodo Security | TrojWare.Win32.Ransom.Blocker.CMMB | 23101
Dr.Web | BackDoor.Bulknet.1150 | 9.0.1.0136
Emsisoft Anti-Malware | Trojan.Encpk.Gen | 8.16.05.15.06
ESET NOD32 | Win32/Injector.ANVB (variant) | 10.12163
Fortinet FortiGate | W32/Tepfer.AAX!tr.pws | 5/15/2016
F-Prot | W32/S-10f90067 | v6.4.7.1.166
F-Secure | Trojan.Encpk.Gen.1 | 11.2016-15-05_1
G Data | Trojan.Encpk.Gen | 16.5.25
IKARUS anti.virus | Trojan-PWS.Win32.Fareit | t3scan.1.9.5.0
K7 AntiVirus | Trojan | 13.2017031
Kaspersky | Trojan-Ransom.Win32.PornoAsset | 14.0.0.206
Malwarebytes | Trojan.ModifiedUPX | v2016.05.15.06
McAfee | Generic-FANR!00CC5E35EFF0 | 5600.6398
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail | 1.1.12002.0
MicroWorld eScan | Trojan.Encpk.Gen.1 | 17.0.0.408
NANO AntiVirus | Trojan.Win32.WPCracker.ctwflv | 0.30.24.3283
nProtect | Trojan.Encpk.Gen.1 | 15.08.27.01
Panda Antivirus | Trj/CI.A | 16.05.15.06
Qihoo 360 Security | HEUR/Malware.QVM18.Gen | 1.0.0.1015
Quick Heal | TrojanRansom.PornoAsset.r3 | 5.16.14.00
Rising Antivirus | PE:Trojan.Crypto!1.9C6D[F1] | 23.00.65.16513
Sophos | Troj/Agent-ADBJ | 4.98
Total Defense | Win32/Inject.C2!generic | 37.1.62.1
Trend Micro House Call | TROJ_SPNR.35KD13 | 7.2.136
Trend Micro | TROJ_SPNR.35KD13 | 10.465.15
Vba32 AntiVirus | BScope.Malware-Cryptor.Hlux | 3.12.26.4
VIPRE Antivirus | TrojanPWS.Win32.Fareit.aa | 43266
Zillya! Antivirus | Trojan.PornoAsset.Win32.16078 | 2.0.0.2374

File size:
65.1 KB (66,688 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\user\cykimhegigka.exe

File PE Metadata
Compilation timestamp:
10/3/2013 11:18:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.50

CTPH (ssdeep):
1536:nQ/n+nouy8e65pEDbuaTtEBzSdGNphALWnqb0dJvqwTwfN:keoute65pEDbmpTQaJvTa

Entry address:
0xAC80

Entry point:
60, BE, 15, 90, 40, 00, 8D, BE, EB, 7F, FF, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, A0, 83, 00, 00, 57, 83, C3, 04, 53, 68, 65, 1C, 00, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Entropy:
7.7917 bits per byte, of a possible 8.0  (probably packed)
The entry-point prologue above (pushad; mov esi, imm32; lea edi, [esi+rel32]; push edi) is the standard UPX decompression stub, which agrees with the Malwarebytes name Trojan.ModifiedUPX. Strings, imports and the real payload logic are only visible after the sample has been unpacked.

Code size:
12 KB (12,288 bytes)
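The two static signals above (near-maximal entropy and a UPX-style entry prologue) can be checked mechanically. The following Python is an added example written for this page, not code from Reason Core Security; the entry-point bytes are copied from the listing above, the file buffers are constructed stand-ins because the sample itself is not included here, and the 7.0 bits-per-byte "probably packed" threshold is an assumption.

```python
import math
import struct
from collections import Counter

# Entry-point bytes exactly as listed on this page (comma-separated hex).
PAGE_ENTRY_POINT_TEXT = (
    "60, BE, 15, 90, 40, 00, 8D, BE, EB, 7F, FF, FF, 57, 89, E5, 8D, 9C, 24, "
    "80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, A0, 83, 00, "
    "00, 57, 83, C3, 04, 53, 68, 65, 1C, 00, 00, 56, 83, C3, 04, 53, 50, C7, "
    "03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C"
)

PACKED_ENTROPY_THRESHOLD = 7.0  # bits per byte; an assumption, not a value from the page


def parse_hex_list(text: str) -> bytes:
    """Turn the page's '60, BE, 15, ...' listing into raw bytes."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def upx_stub_info(entry: bytes):
    """Recognise the classic UPX decompression prologue and decode its operands.

    pushad                 ; 60
    mov  esi, imm32        ; BE xx xx xx xx    (VA of the packed data)
    lea  edi, [esi+rel32]  ; 8D BE xx xx xx xx (VA the data is unpacked to)
    push edi               ; 57
    Returns (source_va, destination_va), or None when the prologue is absent.
    """
    if len(entry) < 13:
        return None
    if entry[0] != 0x60 or entry[1] != 0xBE or entry[6:8] != b"\x8d\xbe" or entry[12] != 0x57:
        return None
    src = struct.unpack("<I", entry[2:6])[0]   # mov esi, imm32
    rel = struct.unpack("<i", entry[8:12])[0]  # signed displacement of the lea
    return src, (src + rel) & 0xFFFFFFFF


def triage(data: bytes, entry: bytes) -> dict:
    """Combine the two signals the way a first-pass static triage would."""
    ent = shannon_entropy(data)
    stub = upx_stub_info(entry)
    return {
        "entropy": round(ent, 4),
        "probably_packed": ent > PACKED_ENTROPY_THRESHOLD,
        "upx_stub": stub is not None,
        "unpack_destination": None if stub is None else hex(stub[1]),
    }


if __name__ == "__main__":
    entry = parse_hex_list(PAGE_ENTRY_POINT_TEXT)
    # Constructed stand-ins for file contents (the real sample is not reproduced here).
    packed_like = bytes(range(256)) * 256   # flat byte histogram, entropy exactly 8.0
    plain_like = b"MZ" + b"\x00" * 4096     # almost all padding, entropy near 0
    print(triage(packed_like, entry))
    print(triage(plain_like, entry))
```

For the entry bytes on this page the stub decodes to source 0x409015 and destination 0x401000, i.e. the packed data is written back to the first section right after the image base, which is exactly the layout UPX produces. A file can score high on entropy without being UPX (any compressed or encrypted resource does), so the stub check is what turns "probably packed" into "unpack with the UPX tooling first".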

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
cykimhegigka

Command:
C:\users\user\cykimhegigka.exe
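The persistence entry above is the kind of thing a responder checks across many hosts at once, usually from `reg query` output collected by a triage script. The following Python is an added example for this page, not Reason Core Security's code: it parses constructed `reg query` output (only the cykimhegigka line is taken from this page; the OneDrive, VendorTray and Updater entries are assumed examples for contrast) and flags Run values by where their executable lives. The known-bad file name set and the path heuristics are assumptions chosen to illustrate the check.

```python
import re

# Constructed output of: reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Only the cykimhegigka line comes from this page; the other three entries are assumed.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    cykimhegigka    REG_SZ    C:\users\user\cykimhegigka.exe
    VendorTray      REG_SZ    "C:\Program Files\Vendor\tray.exe" -minimized
    Updater         REG_SZ    C:\Users\user\AppData\Local\Temp\upd.exe
"""

# File name reported on this page; any Run value launching it is a known-bad match.
KNOWN_BAD_BASENAMES = {"cykimhegigka.exe"}

ENTRY_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<cmd>.+?)\s*$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)\b', re.I)
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
PROGRAM_DIRS_RE = re.compile(r"^[a-z]:\\(?:program files(?: \(x86\))?|windows)\\", re.I)


def parse_run_entries(text: str):
    """Yield (value_name, command) pairs from `reg query` output."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("name"), m.group("cmd")


def executable_path(command: str):
    """Extract the .exe path from a Run command, quoted or not (None if absent)."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else None


def assess_entry(name: str, command: str) -> list:
    """Return the findings a responder would want to see for one Run value."""
    findings = []
    exe = executable_path(command)
    if exe is None:
        return ["could not determine executable"]
    base = exe.rsplit("\\", 1)[-1].lower()
    if base in KNOWN_BAD_BASENAMES:
        findings.append("known-bad file name")
    if PROFILE_ROOT_RE.match(exe):
        findings.append("executable directly in user profile root")
    if TEMP_RE.search(exe):
        findings.append("executable runs from a temp directory")
    if not PROGRAM_DIRS_RE.match(exe):
        findings.append("user-writable location")  # informational: normal for per-user installs
    return findings


def triage_run_key(text: str) -> dict:
    """Map value name -> findings, omitting entries with nothing to report."""
    report = {}
    for name, cmd in parse_run_entries(text):
        f = assess_entry(name, cmd)
        if f:
            report[name] = f
    return report


if __name__ == "__main__":
    for name, findings in triage_run_key(REG_QUERY_OUTPUT).items():
        print(f"{name}: {', '.join(findings)}")
```

An executable sitting directly in the profile root (C:\users\<name>\<file>.exe, as on this page) is unusual for legitimate software, which installs under Program Files or AppData\Local\<vendor>; together with a file name that matches no installed product it is a strong triage hit even before the hash is checked against the values above. The "user-writable location" finding is deliberately informational, since per-user installers such as OneDrive legitimately live there.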


The executing file has been seen to make the following network communications in live environments. All of them are plain HTTP on TCP port 80. Most of the names shown are reverse-DNS (PTR) names of the destination IP addresses (shared web hosting at OVH, Linode, EC2, DreamHost, one.com and similar providers), not necessarily the hostnames the sample requested, so when hunting in proxy or DNS logs match on the IP addresses first and treat the names as secondary.

TCP (HTTP):
Connects to www65.totaalholding.nl  (185.56.145.59:80)

TCP (HTTP):
Connects to interchise.com  (209.50.251.101:80)

TCP (HTTP):
Connects to 94-73-145-120.cizgi.net.tr  (94.73.145.120:80)

TCP (HTTP):
Connects to 217-160-0-224.elastic-ssl.ui-r.com  (217.160.0.224:80)

TCP (HTTP):
Connects to ns344497.ip-178-33-227.eu  (178.33.227.198:80)

TCP (HTTP):
Connects to cluster003.ovh.net  (213.186.33.4:80)

TCP (HTTP):
Connects to ip-50-63-202-8.ip.secureserver.net  (50.63.202.8:80)

TCP (HTTP):
Connects to wp208071.dreamhost.com  (208.113.145.77:80)

TCP (HTTP):
Connects to webcluster43.webpod5-cph3.one.com  (46.30.215.42:80)

TCP (HTTP):
Connects to server33.extremeserv.net  (180.147.250.18:80)

TCP (HTTP):
Connects to host187.40.62.200.ifxnetworks.com  (200.91.238.187:80)

TCP (HTTP):
Connects to dns110198.phdns6.es  (185.68.110.198:80)

TCP (HTTP):
Connects to www3469.sakura.ne.jp  (49.212.235.209:80)

TCP (HTTP):
Connects to srv30.gepcom.com  (208.66.193.80:80)

TCP (HTTP):
Connects to redireccion.configbox.com  (80.93.92.146:80)

TCP (HTTP):
Connects to meso.nmsrv.com  (208.70.247.105:80)

TCP (HTTP):
Connects to li963-234.members.linode.com  (45.33.9.234:80)

TCP (HTTP):
Connects to h2306615.stratoserver.net  (85.214.37.62:80)

TCP (HTTP):
Connects to ec2-54-172-83-63.compute-1.amazonaws.com  (54.172.83.63:80)

TCP (HTTP):
Connects to apache2-linus.mcmenamins.dreamhost.com  (75.119.205.155:80)
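To turn the list above into something a SOC can run, the "Connects to host (ip:port)" lines need to become an IOC set and be matched against proxy logs by IP first. The following Python is an added example for this page, not Reason Core Security's code: the IOC lines are a subset copied from the list above, while the Squid native-format access.log lines are constructed (the client addresses, URLs and the 93.184.216.34 control line are assumed).

```python
import re
from urllib.parse import urlsplit

# A subset of the lines from the network section of this page.
PAGE_CONNECTIONS = """
Connects to www65.totaalholding.nl  (185.56.145.59:80)
Connects to interchise.com  (209.50.251.101:80)
Connects to ns344497.ip-178-33-227.eu  (178.33.227.198:80)
Connects to ec2-54-172-83-63.compute-1.amazonaws.com  (54.172.83.63:80)
"""

# Constructed Squid native access.log lines (not from the page). Fields:
# time elapsed client action/code bytes method url ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """
1479876543.123    120 10.0.0.7 TCP_MISS/200 1432 GET http://www65.totaalholding.nl/ - HIER_DIRECT/185.56.145.59 text/html
1479876550.456     95 10.0.0.9 TCP_MISS/404  512 GET http://shop.example.org/wp-content/x.php - HIER_DIRECT/178.33.227.198 text/html
1479876560.789    310 10.0.0.7 TCP_MISS/200 8821 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1479876570.012     40 10.0.0.12 TCP_MISS/200  300 GET http://54.172.83.63/gate.php - HIER_DIRECT/54.172.83.63 text/html
"""

CONN_RE = re.compile(r"Connects to (?P<host>\S+)\s+\((?P<ip>[\d.]+):(?P<port>\d+)\)")


def parse_iocs(text: str):
    """Return (ip_set, hostname_set) from the page's 'Connects to' lines."""
    ips, hosts = set(), set()
    for m in CONN_RE.finditer(text):
        ips.add(m.group("ip"))
        hosts.add(m.group("host").lower())
    return ips, hosts


def match_access_log(log: str, ips: set, hosts: set) -> list:
    """Flag log lines whose peer IP or requested host is on the IOC list.

    The peer IP is the primary key: the page's hostnames are mostly reverse-DNS
    names of shared hosting servers, so the Host header seen by the proxy can
    differ even when the destination IP is identical (second sample line).
    """
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, hierarchy = fields[2], fields[6], fields[8]
        peer_ip = hierarchy.split("/", 1)[-1]
        req_host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if peer_ip in ips:
            reasons.append("peer-ip")
        if req_host in hosts or req_host in ips:
            reasons.append("host")
        if reasons:
            hits.append({"client": client, "host": req_host,
                         "peer_ip": peer_ip, "matched_on": reasons})
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_hosts = parse_iocs(PAGE_CONNECTIONS)
    for hit in match_access_log(SAMPLE_ACCESS_LOG, ioc_ips, ioc_hosts):
        print(hit)
```

The second sample line is the instructive one: the requested host is an unrelated site on the same shared server, so a hostname-only rule would miss it while the IP match catches it. The reverse also applies, and an IP hit on a large shared host (a DreamHost or one.com cluster) needs the URL or Host header before it is escalated, because the same address serves many unrelated legitimate sites.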

Powered by Reason Core Security