gzguide.exe

sex

The application gzguide.exe is flagged by 24 of 68 anti-malware scanners. Although it is listed here with the status 'Potentially unwanted', the engine names point to a trojan: most report a generic detection (Trojan.GenericKD.2907627) or an MSIL crypter (MSIL/Kryptik.EKC, Trojan.MSIL.Crypt), and Microsoft identifies it as Backdoor:MSIL/Bladabindi. It is set to execute automatically when any user logs into Windows, through a value named '5cd8f17f4086744065eb0992a09e05a2' under the machine-wide Run key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; that value launches C:\users\{user}\appdata\local\temp\trojan.exe, a different path from the downloaded gzguide.exe. The file has been seen being downloaded from download967.mediafire.com.
Product:
sex

Version:
1.0.0.0

MD5:
21f00304286480abddb4ab74423afbc1

SHA-1:
6c2829c10ca0dcdb8b420b7cb03e914acd9cf6eb

SHA-256:
4ac161c94113f05898345034aa9d5c5bbe9d9564c0376952d2eda2483739b9e7

Scanner detections:
24 / 68

Status:
Potentially unwanted

Analysis date:
11/4/2024 5:13:55 PM UTC

Scan engine                     Detection                        Engine version
Lavasoft Ad-Aware               Trojan.GenericKD.2907627         305
Avira AntiVirus                 TR/Krypt.70144.13                8.3.2.4
Arcabit                         Trojan.Generic.D2C5DEB           1.0.0.629
avast!                          Win32:Malware-gen                2014.9-160405
AVG                             Atros2                           2017.0.2783
Baidu Antivirus                 Adware.MSIL.iBryte               4.0.3.1645
Bitdefender                     Trojan.GenericKD.2907627         1.0.20.480
Emsisoft Anti-Malware           Trojan.GenericKD.2907627         8.16.04.05.07
ESET NOD32                      MSIL/Kryptik.EKC (variant)       10.12702
Fortinet FortiGate              MSIL/Kryptik.EKC!tr              4/5/2016
F-Secure                        Trojan.GenericKD.2907627         11.2016-05-04_3
G Data                          Trojan.GenericKD.2907627         16.4.25
IKARUS anti.virus               Trojan.MSIL.Crypt                t3scan.1.9.5.0
K7 AntiVirus                    Trojan                           13.212.18074
Kaspersky                       Trojan.MSIL.Disfa                14.0.0.409
McAfee                          RDN/Generic.dx                   5600.6439
Microsoft Security Essentials   Backdoor:MSIL/Bladabindi!rfn     1.1.12300.0
MicroWorld eScan                Trojan.GenericKD.2907627         17.0.0.288
nProtect                        Trojan.GenericKD.2907627         15.12.10.01
Panda Antivirus                 Trj/GdSda.A                      16.04.05.07
Qihoo 360 Security              HEUR/QVM03.0.Malware.Gen         1.0.0.1077
Sophos                          Mal/Generic-S                    4.98
Trend Micro                     TROJ_GEN.R047C0DL615             10.465.05
VIPRE Antivirus                 Trojan.Win32.Generic             45742

File size:
68.5 KB (70,144 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2015

Original file name:
sex.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\gzguide.exe

File PE Metadata
Compilation timestamp:
11/29/2015 12:53:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:SMK1BUydbSnyilvsmg2XPSrnzgZFiginBhtAyYQnhvFb8LCzazYch8c5:SBRi+2fSjzjBhNXhvFbGCzSZ

Entry address:
0xF94E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
(FF 25 00 20 40 00 decodes to jmp dword ptr [0x402000]: the single native instruction of a 32-bit .NET executable, which jumps through the import-table slot that the loader fills with mscoree!_CorExeMain. The bytes after it are zero padding, consistent with the ".NET CLR dependent: Yes" field below.)

Entropy:
5.5923

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
54.5 KB (55,808 bytes)
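As an added example (not code from the page or from Reason Core Security), the following Python decodes the entry-point bytes listed above and checks whether they form the standard 32-bit .NET loader stub. It assumes the default 0x400000 image base, which the page does not list, and embeds the first 16 bytes of the page's dump as its input.

```python
import re
import struct

# First 16 entry-point bytes as listed on this page (the rest of the dump is zeros).
PAGE_ENTRY_DUMP = "FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00"
PAGE_ENTRY_RVA = 0xF94E   # "Entry address" on the page
IMAGE_BASE = 0x400000     # assumption: the page does not list the image base;
                          # 0x400000 is the default for a 32-bit EXE


def parse_hex_dump(dump: str) -> bytes:
    """Turn the page's comma-separated hex dump ("FF, 25, ...") into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", dump))


def decode_abs_jmp(code: bytes, image_base: int = IMAGE_BASE):
    """Decode `jmp dword ptr [imm32]` (opcode FF, ModRM 25, 4-byte absolute address).
    Returns (target_va, target_rva), or None if the bytes are something else."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        return None
    target_va = struct.unpack_from("<I", code, 2)[0]
    return target_va, target_va - image_base


def is_dotnet_loader_stub(code: bytes, image_base: int = IMAGE_BASE) -> bool:
    """A 32-bit managed EXE from the Microsoft toolchain carries exactly one native
    instruction: a jump through the import-address-table slot that the loader fills
    with mscoree!_CorExeMain. In the usual layout that slot is the first dword of
    .text at RVA 0x2000, and everything after the 6-byte jump is zero padding."""
    decoded = decode_abs_jmp(code, image_base)
    if decoded is None:
        return False
    _, target_rva = decoded
    return target_rva == 0x2000 and all(b == 0 for b in code[6:])


def triage_entry_point(dump: str, entry_rva: int = PAGE_ENTRY_RVA,
                       image_base: int = IMAGE_BASE) -> dict:
    """Summarise what the entry bytes tell an analyst."""
    code = parse_hex_dump(dump)
    decoded = decode_abs_jmp(code, image_base)
    return {
        "entry_va": image_base + entry_rva,
        "jmp_target_va": decoded[0] if decoded else None,
        "jmp_target_rva": decoded[1] if decoded else None,
        "dotnet_loader_stub": is_dotnet_loader_stub(code, image_base),
    }


if __name__ == "__main__":
    print(triage_entry_point(PAGE_ENTRY_DUMP))
```

A native entry point (a `push ebp; mov ebp, esp` prologue, or a jump whose target is not the IAT slot) fails the check, which is the quickest way to tell a genuine managed binary from a native loader that merely embeds .NET payloads.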

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
5cd8f17f4086744065eb0992a09e05a2

Command:
"C:\users\{user}\appdata\local\temp\trojan.exe"
(Note that the Run value points at a file under the user's temp directory, not at the downloaded C:\users\{user}\downloads\gzguide.exe listed above; both paths should be checked during cleanup.)
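The Run-key entry above has two traits worth turning into a check: a value name that is a bare 32-hex-digit string instead of a product name, and a command that launches from a temp directory. As an added example (not code from the page or from Reason Core Security), the following Python runs that check over a constructed `reg export` of the machine-wide Run key; the hex-named value mirrors the page's entry with a made-up user name, and the other two values are invented benign entries.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a `reg export` of HKLM\...\CurrentVersion\Run. The hex-named value
# mirrors the entry recorded on this page (with "alice" substituted for {user}); the other
# two values are made-up benign examples, not data from the page.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"5cd8f17f4086744065eb0992a09e05a2"="\"C:\\users\\alice\\appdata\\local\\temp\\trojan.exe\""
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
'''

# A .reg value line: "name"="data", with backslash escapes inside both strings.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Directories a legitimate autostart entry has little reason to launch from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%\\")
# Executable basename recorded in the Run command on this page.
KNOWN_BAD_BASENAMES = {"trojan.exe"}


@dataclass
class RunEntry:
    key: str
    name: str
    command: str


def _unescape(s: str) -> str:
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text: str) -> list[RunEntry]:
    """Collect the values of every ...\\CurrentVersion\\Run key in a .reg export."""
    entries: list[RunEntry] = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and current_key.lower().endswith("\\currentversion\\run"):
            entries.append(RunEntry(current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_path(command: str) -> str:
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_reasons(entry: RunEntry) -> list[str]:
    """Heuristics drawn from the entry documented on this page."""
    path = executable_path(entry.command).lower()
    reasons = []
    if HEX32.match(entry.name):
        reasons.append("value name is a bare 32-hex-digit string rather than a product name")
    if any(t in path for t in TEMP_DIRS):
        reasons.append("command launches an executable from a temp directory")
    if path.rsplit("\\", 1)[-1] in KNOWN_BAD_BASENAMES:
        reasons.append("executable basename matches the Run command recorded for gzguide.exe")
    return reasons


def triage(reg_text: str) -> dict[str, list[str]]:
    """Map each flagged value name to the reasons it was flagged."""
    flagged = {}
    for entry in parse_run_values(reg_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REG_EXPORT).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live host the same input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg /y` (and the HKCU key as well, since this listing only covers the machine-wide one); the parser accepts either export unchanged.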


Seen distributed from:
download967.mediafire.com

Powered by Reason Core Security