cyrvrh.exe

The executable cyrvrh.exe has been detected as malware by 31 anti-virus scanners. This trojan will perform a number of actions that will compromise a PC, including changing protected system registry values, hiding in protected operating system locations, and downloading and installing additional malware.
MD5:
8598fafc94ca3dbf3e319c768d63f982

SHA-1:
06ddd0fd48756b2b9e5cabd84a99355ca4e044e1

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
12/23/2024 10:23:14 PM UTC

Scan engine                     Detection                           Engine version
Agnitum Outpost                 Trojan.DL.Agent                     7.1.1
AhnLab V3 Security              Win-Trojan/Daws.105984              2013.01.25
Avira AntiVirus                 TR/Kazy.28977                       7.11.58.140
avast!                          Win32:Dropper-gen [Drp]             2014.9-161101
AVG                             Dropper.Generic7                    2017.0.2573
Bitdefender                     Gen:Variant.Kazy.28977              1.0.20.1530
Comodo Security                 TrojWare.Win32.Trojan.Agent.Gen     15031
Dr.Web                          Trojan.DownLoader7.33777            9.0.1.0306
Emsisoft Anti-Malware           Gen:Variant.Kazy.28977              8.16.11.01.09
ESET NOD32                      Win32/TrojanDownloader.Agent.RNJ    10.7929
Fortinet FortiGate              W32/Daws.AZVE!tr                    11/1/2016
F-Secure                        Gen:Variant.Kazy.28977              11.2016-01-11_3
G Data                          Gen:Variant.Kazy.28977              16.11.22
IKARUS anti.virus               Trojan-Dropper.Win32.Daws           t3scan.1.3.5.0
K7 AntiVirus                    Trojan                              13.158.8151
Kaspersky                       Trojan-Dropper.Win32.Daws           14.0.0.-642
McAfee                          Artemis!8598FAFC94CA                5600.6229
Microsoft Security Essentials   Trojan:Win32/Malagent               1.163.1557.0
MicroWorld eScan                Gen:Variant.Kazy.28977              17.0.0.918
Norman                          Troj_Generic.FSVTV                  11.20161101
nProtect                        Trojan-Dropper/W32.Daws.105984      13.01.24.01
Panda Antivirus                 Trj/Multidropper.BRZ                16.11.01.09
Quick Heal                      TrojanDropper.Daws.azve             11.16.12.00
Rising Antivirus                Suspicious                          23.00.65.161030
Sophos                          Mal/EncPk-CK                        4.85
SUPERAntiSpyware                Trojan.Agent/Gen-Malagent           8802
Trend Micro House Call          TROJ_ADCLICK.TNH                    7.2.306
Trend Micro                     TROJ_ADCLICK.TNH                    10.465.01
Vba32 AntiVirus                 Trojan-Dropper.Daws.azve            3.12.18.5
VIPRE Antivirus                 Trojan.Win32.Generic                15196
ViRobot                         Dropper.A.Daws.105984               2011.4.7.4223

File size:
103.5 KB (105,984 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\microsoft\cyrvrh.exe

File PE Metadata
Compilation timestamp:
11/30/2012 12:03:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:MPVleYajWO5cVN2+X8TRsTvpyXyxW8uh:oLO57ce4yXeW8u

Entry address:
0x297E2


Code size:
206.5 KB (211,456 bytes)

The executing file has been seen to make the following network communications in live environments.

