hesycasocybi.exe

The executable hesycasocybi.exe has been detected as malware by 5 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘hesycasocybi’. While running, it connects to the Internet address surveyslive.com on port 80 using the HTTP protocol.
MD5:
cffae7d8814c7ccc74997756d29d1497

SHA-1:
97451a1db100c31c7bd9a19033c403d851944c2c

SHA-256:
3371e9e56acb2fe1e3d873f5e9795b189ff856aaaab09caecf4670783c47edfc

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/22/2024 9:13:04 PM UTC

Scan engine                     Detection                            Engine version
avast!                          Win32:Dropper-gen [Drp]              160917-0
Dr.Web                          BackDoor.Bulknet.893                 9.0.1.05190
ESET NOD32                      Win32/Injector.AFMM trojan           6.3.12010.0
F-Secure                        Variant.Kazy.165892                  5.15.154
Microsoft Security Essentials   TrojanDownloader:Win32/Cutwail.BS    1.235.3184.0

File size:
40.5 KB (41,472 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\acer\hesycasocybi.exe

File PE Metadata
Compilation timestamp:
2/22/2006 6:40:25 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

Entry address:
0x19F2

Entry point:
33, C0, 50, 68, 36, 13, 40, 00, 50, 68, 98, 3A, 00, 00, 50, B8, 40, 1A, 40, 00, B8, 28, 1A, 40, 00, 68, 5E, 11, 40, 00, E8, 1F, 00, 00, 00, 68, 5E, 10, 40, 00, 50, E8, 1A, 00, 00, 00, FF, D0, 50, E8, 06, 00, 00, 00, FF, 25, 18, 20, 40, 00, FF, 25, 10, 20, 40, 00, FF, 25, 08, 20, 40, 00, FF, 25, 0C, 20, 40, 00, FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Code size:
3 KB (3,072 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
hesycasocybi

Command:
C:\users\acer\hesycasocybi.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to rm-vs-235-f4-ss-443.rediff.com  (202.137.235.12:80)

TCP (HTTP):
Connects to freedomfordinc.com  (67.192.6.123:80)

TCP (HTTP):
Connects to w2.src.vip.bf1.yahoo.com  (74.6.50.150:80)

TCP (SMTP):
Connects to operations-shared-redirect-vip1.phx2.cbsig.net  (64.30.228.118:25)

TCP (HTTP):
Connects to my.earthlink.net  (209.86.62.64:80)

TCP (SMTP):
Connects to manage.embarq.synacor.com  (69.168.97.85:25)

TCP (HTTP):
Connects to ec2-54-164-192-210.compute-1.amazonaws.com  (54.164.192.210:80)

TCP (HTTP):
Connects to ec2-52-30-182-55.eu-west-1.compute.amazonaws.com  (52.30.182.55:80)

TCP (SMTP):
Connects to e4373.x.akamaiedge.net  (161.170.244.20:25)

TCP (HTTP):

TCP (SMTP):
Connects to www.wp.pl  (212.77.98.9:25)

TCP (SMTP):
Connects to www.terra.cl  (208.70.188.13:25)

TCP (HTTP):
Connects to urlforward.topdns.com  (46.166.189.98:80)

TCP (HTTP):
Connects to surveyslive.com  (72.32.108.144:80)

TCP (HTTP):
Connects to personal-www.metrocast.net  (65.175.128.188:80)

TCP (HTTP):
Connects to generic170.mxout.managed.com  (70.34.34.93:80)

TCP (HTTP):
Connects to ftp.nettally.com  (199.44.82.1:80)

TCP (SMTP):
Connects to edge-003.r1.iad.cloud.rewhosting.com  (104.239.254.150:25)

TCP (HTTP):
Connects to ec2-54-225-65-66.compute-1.amazonaws.com  (54.225.65.66:80)

TCP (HTTP):
Connects to ec2-52-72-247-91.compute-1.amazonaws.com  (52.72.247.91:80)

Powered by Reason Core Security