EFupdater.exe

The executable EFupdater.exe has been detected as malware by 11 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address mail.smile-files.com on port 80 using the HTTP protocol.
Version: 1, 0, 0, 6

MD5: d79643bc1ea43d6393b8c6f6e0bbb28a

SHA-1: 802ac9323c8911b25b7ff102bbc8fc6c4b228fd8

SHA-256: 3f4a56d74fd8bc81b2d99da954b55dd2610d384060fa5e99f6436c285ef26da0

Scanner detections: 11 / 68

Status: Malware

Analysis date: 11/14/2024 2:42:03 AM UTC

Scan engine        | Detection                          | Engine version
-------------------|------------------------------------|---------------
avast!             | Win32:Dropper-gen [Drp]            | 2014.9-131222
Baidu Antivirus    | Trojan.Win32.Agent                 | 4.0.3.131222
Bkav FE            | W32.HfsAutoA                       | 1.3.0.4613
ESET NOD32         | Win32/YourFileDownloader (variant) | 7.9161
Fortinet FortiGate | W32/YourFileDownloader.B           | 12/22/2013
K7 AntiVirus       | Trojan                             | 13.174.10484
McAfee             | RDN/Generic Downloader.x!iq        | 5600.7274
Quick Heal         | (Suspicious) - DNAScan             | 12.13.12.00
Rising Antivirus   | PE:Malware.XPACK/RDM!5.1           | 23.00.65.131220
Sophos             | Mal/Generic-S                      | 4.95
VIPRE Antivirus    | Trojan.Win32.Generic               | 24258

File size: 1005 KB (1,029,120 bytes)

Product version: 1,0,0,0

Original file name: EFupdater.exe

File type: Executable application (Win32 EXE)

Language: Russian (Russia)

Common path: C:\Program Files\expressfiles\efupdater.exe

File PE Metadata

Compilation timestamp: 7/16/2013 5:12:48 PM

OS version: 5.1

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 10.0

CTPH (ssdeep): 24576:hHPvrJ6XASJybE8cQ4JDAvPjJ13FeJL/G2UEU:9rJ6XvJybP46nNdFeJC2UE

Entry address: 0x1C48C9

Entry point (first bytes): 9C, E9, D3, 58, FF, FF, 15, F3, C1, 5F, 53, E0, 1C, 35, B3, CA, 3D, 49, 63, 21, 78, 86, C3, 3C, 30, CD, DE, 28, 81, F9, 8B, F2, 15, 6E, 42, 41, 7C, 08, 77, 92, A1, 2E, 8D, CC, 9F, 5E, A7, 2B, 4C, B8, 87, 04, 02, 05, 11, 57, DA, B3, D9, 87, 89, D9, 5F, AA, 5C, 22, BE, 73, FB, 1C, 68, D7, B2, B8, D5, 19, C2, A4, 6F, 8F, 07, 22, 63, F4, FB, 4D, 04, 32, 87, 02, 68, B5, 52, AF, 9B, E7, 5F, 39, FD, 40, 30, 5E, 6D, 5E, 62, 6A, B6, 95, 1C, 69, E9, 26, 24, 00, 44, 8A, D4, 52, 33, 7F, 06, 34, 05, 4D, C4, D2, 2F, A7...

Entropy: 7.7288 (probably packed)

Code size: 53 KB (54,272 bytes)

Scheduled Task

Task name: Express FilesUpdate

Trigger: Logon (runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to mail.smile-files.com (46.23.68.149:80)

TCP (HTTP): Connects to 199.195.196.180.static.midphase.com (199.195.196.180:80)

Powered by Reason Core Security