home

explorer.exe

The executable explorer.exe has been detected as malware by 10 anti-virus scanners. Although this file uses the name explorer.exe, this is NOT the File Explorer program distributed with the Windows OS that is found in C:\Windows. The file has been seen being downloaded from fs01n5.sendspace.com and multiple other hosts.
Description:
Window Explorer

Version:
1.0.0.0

MD5:
6132b2e968acc5d6bbb043ee1407e5e1

SHA-1:
ca2b2ed159ae1accbd89f2e040db78c0b2427d36

SHA-256:
c81a3823cdd8815e3485117f3a1c7cf3c4a4844ac1e2cef8e05ea5074a6fbeab

Scanner detections:
10 / 68

Status:
Malware

Analysis date:
11/15/2024 9:33:18 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
MSIL:KeyLogger-AB [Spy]
160327-1

Dr.Web
Trojan.Siggen3.14508
9.0.1.05190

Emsisoft Anti-Malware
Gen:Heur.MSIL.Krypt
11.5.0.6191

ESET NOD32
MSIL/Spy.Agent.BP trojan
8.0.319.0

F-Prot
W32/MSIL_Troj.F.gen
4.6.5.141

F-Secure
Heur.MSIL.Krypt.3
5.15.96

McAfee
Trojan.PWS-Zbot.gen.yg
18.0.204.0

Microsoft Security Essentials
Threat.Undefined
1.219.1082.0

Norman
Gen:Heur.MSIL.Krypt.3
02.04.2016 17:35:19

Sophos
Virus 'Mal/MSIL-BA'
5.23

File size:
37 KB (37,888 bytes)

Product version:
1.0.0.0

Original file name:
Mye User and Pass.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\explorer.exe

File PE Metadata
Compilation timestamp:
3/1/2016 2:40:14 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:uCrJrkmmBmj3BChte1Zl8Qf0pxdnHHsdp5BBGFnCiFJzut6rwA:JkmmBmjx4twZ+i05HQp5BQFnCiFo6rd

Entry address:
0xAB9E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 01, 00, 10, 00, 00, 00, 18, 00, 00, 80, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
5.6579

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
35 KB (35,840 bytes)

The file explorer.exe has been seen being distributed by the following 2 URLs.

https://fs01n5.sendspace.com/dl/5807fb3bee72823dcef1afe420ba3ca1/56ff51ee52c04111/.../Mye User and Pass.exe

https://fs01n4.sendspace.com/dl/71271d0404a31a47d3f1559a4806b28e/5715b98a238535f3/.../Mye User and Pass.exe

Remove explorer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.