hidn2.exe

The executable hidn2.exe is detected as malware by 42 of the 68 scanners listed below, most of which name it as a variant of the Bagle (Beagle/Mitglieder) mass-mailing worm. While running it contacts a number of Internet hosts over HTTP on port 80, among them penelope.alastyr.com, and makes at least one outbound SMTP connection on port 25; the full list of observed connections is in the network section below.
MD5:
f88c8cf658b69cbb07ff64c21d0aa5bf

SHA-1:
c77eac4862cbabd522a7bc9e0888099dece25c1d

SHA-256:
b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98

Scanner detections:
42 / 68

Status:
Malware

Analysis date:
1/18/2025 1:32:34 AM UTC

Scan engine                    Detection                           Engine version

Lavasoft Ad-Aware              DeepScan:Generic.Mitglied.A88C71C2  345
AegisLab AV Signature          W32.W.Bagle.gt!c                    2.1.4+
Agnitum Outpost                I-Worm.Bagle.LC                     7.1.1
AhnLab V3 Security             Win32/Bagle.worm.40565              2016.02.24
Avira AntiVirus                TR/Bagle.GD                         8.3.3.2
Arcabit                        DeepScan:Generic.Mitglied.A88C71C2  1.0.0.656
avast!                         Win32:Beagle-AHY [Wrm]              2014.9-160224
AVG                            I-Worm/Bagle                        2017.0.2823
Baidu Antivirus                Worm.Win32.Bagle                    4.0.3.16224
Bitdefender                    DeepScan:Generic.Mitglied.A88C71C2  1.0.20.275
Bkav FE                        HW32.Packed                         1.3.0.7400
Clam AntiVirus                 Worm.Bagle                          0.98/21511
Comodo Security                UnclassifiedMalware                 24309
Dr.Web                         Win32.HLLM.Beagle                   9.0.1.055
Emsisoft Anti-Malware          DeepScan:Generic.Mitglied.A88C71C2  8.16.02.24.10
ESET NOD32                     Win32/Bagle.HE                      10.13074
Fortinet FortiGate             W32/Bagle.GT@mm                     2/24/2016
F-Prot                         W32/Mitglieder.UZ                   v6.4.7.1.166
F-Secure                       DeepScan:Generic.Mitglied.A88C71C2  11.2016-24-02_4
G Data                         DeepScan:Generic.Mitglied.A88C71C2  16.2.25
IKARUS anti.virus              Worm.Win32.Bagle                    t3scan.2.0.7.0
K7 AntiVirus                   EmailWorm                           13.213.18834
Kaspersky                      Email-Worm.Win32.Bagle              14.0.0.610
Malwarebytes                   Worm.Bagle                          v2016.02.24.10
McAfee                         W32/Bagle.gen                       5600.6479
Microsoft Security Essentials  Worm:Win32/Bagle.gen!B              1.1.12400.0
MicroWorld eScan               DeepScan:Generic.Mitglied.A88C71C2  17.0.0.165
NANO AntiVirus                 Trojan.Win32.Bagle.hdzj             1.0.14.6204
nProtect                       Worm/W32.Bagle.40561                16.02.23.01
Panda Antivirus                W32/Bagle.RC.worm                   16.02.24.10
Qihoo 360 Security             Win32/Trojan.346                    1.0.0.1120
Quick Heal                     I-Worm.Bagle.r3                     2.16.14.00
Rising Antivirus               PE:Worm.Mail.Bagle.pji!1127083 [F]  23.00.65.16222
Sophos                         W32/Bagle-RC                        4.98
SUPERAntiSpyware               Trojan.Agent/Gen-Bagle              9303
Total Defense                  Win32/Bagle.EM                      37.1.62.1
Trend Micro House Call         WORM_BAGLE.JG                       7.2.55
Trend Micro                    WORM_BAGLE.JG                       10.465.24
Vba32 AntiVirus                MalwareScope.Trojan-PSW.Pinch.1     3.12.26.4
VIPRE Antivirus                Trojan.Win32.Generic                47420
ViRobot                        Suspected.EntryZero[h]              2014.3.20.0
Zillya! Antivirus              Worm.Bagle.Win32.86                 2.0.0.2680

File size:
39.6 KB (40,561 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\hidn\hidn2.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:cpLgUsIDKeCQm7wDDDcz7ZFzRCBw3XO1+pzzTn4fCkiK4l5:gksOemW47j9CyO1+1b8Riv

Entry point:
4D, 5A, 68, A9, A0, 42, 00, C3, 02, 00, 00, 00, FF, FF, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 20, 20, 20, 20, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 50, 45, 00, 00, 4C, 01, 03, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, E0, 00, 0E, 01, 0B, 01, 05, 0C, 71, 04, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 10, 00, 00, 00, A0, 02, 00, 00, 00, 40, 00, 00, 10, 00, 00, 00, 02, 00, 00...

The bytes at the entry point are the first bytes of the file, i.e. the DOS header itself (4D 5A = "MZ"), because AddressOfEntryPoint in the optional header (file offset 0x68, the four zero bytes following SizeOfUninitializedData above) is zero: execution begins at the image base, on the header. That is what ViRobot's Suspected.EntryZero[h] verdict refers to. Read as x86 code, the header starts with dec ebp; pop edx; push 0x0042A0A9; ret, a four-instruction stub that transfers control to RVA 0x2A0A9, far beyond the 1,137-byte code section at RVA 0x1000 (BaseOfCode 00 10 00 00, SizeOfCode 71 04 00 00 above) and past BaseOfData (0x2A000), which fits the packed-file verdicts (Bkav HW32.Packed, and the entropy figure below).

Entropy:
7.8797  (probably packed)

Code size:
1.1 KB (1,137 bytes)
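The "entry point in the headers" trick described above can be checked mechanically. The following is an added example written for this page, not Reason Core's tooling: it walks the DOS header, COFF header and the start of the optional header, reports whether AddressOfEntryPoint lies below the first code section, and decodes the handful of one-byte opcodes the stub uses to find where control really goes. The sample bytes are constructed by transcribing the 128-byte dump above; the section table is not in that dump, so BaseOfCode stands in for SizeOfHeaders and the decoder only follows an entry RVA that maps 1:1 into the headers.

```python
"""Walk a PE header and flag an entry point that lies in the headers."""
import struct
from typing import List, Optional, Tuple

# Constructed: first 128 bytes of hidn2.exe, transcribed from the page's dump.
SAMPLE_HEADER = bytes.fromhex(
    "4D5A68A9A04200C3" "02000000FFFF0000" "4000000000000000" "4000000000000000"
    "2020202000000000" "0000000000000000" "0000000000000000" "0000000040000000"
    "504500004C010300" "0000000000000000" "00000000E0000E01"
    "0B01050C71040000" "0000000000000000" "0000000000100000" "00A0020000004000"
    "0010000000020000"
)

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def parse_pe_header(data: bytes) -> dict:
    """Parse e_lfanew, the COFF header and the first 40 bytes of the PE32 optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # PE signature (4) + COFF header (20)
    (magic, maj, mnr, size_code, _init, _uninit, entry, base_code, base_data,
     image_base, sect_align, file_align) = struct.unpack_from("<HBBIIIIIIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 handled here")
    return dict(e_lfanew=e_lfanew, machine=machine, sections=nsections, opt_size=opt_size,
                characteristics=chars, linker=(maj, mnr), size_of_code=size_code,
                entry_rva=entry, base_of_code=base_code, base_of_data=base_data,
                image_base=image_base, section_align=sect_align, file_align=file_align)


def decode_stub(data: bytes, off: int, max_insns: int = 8) -> Tuple[List[str], Optional[int]]:
    """Decode just the one-byte x86 opcodes this trick relies on, starting at file offset off.

    Returns the mnemonics and, if the stub ends in `push imm32; ret`, the address
    that ret pops into EIP. Any other opcode stops decoding and is shown as db.
    """
    insns: List[str] = []
    last_push: Optional[int] = None
    while len(insns) < max_insns and off < len(data):
        op = data[off]
        if 0x48 <= op <= 0x4F:                       # dec r32 ('M' of "MZ" is dec ebp)
            insns.append(f"dec {REGS32[op - 0x48]}"); off += 1; last_push = None
        elif 0x58 <= op <= 0x5F:                     # pop r32 ('Z' is pop edx)
            insns.append(f"pop {REGS32[op - 0x58]}"); off += 1; last_push = None
        elif op == 0x68 and off + 5 <= len(data):    # push imm32
            last_push = struct.unpack_from("<I", data, off + 1)[0]
            insns.append(f"push 0x{last_push:08X}"); off += 5
        elif op == 0xC3:                             # ret: pushed value becomes EIP
            insns.append("ret")
            return insns, last_push
        else:
            insns.append(f"db 0x{op:02X}")
            return insns, None
    return insns, None


def analyze(data: bytes) -> dict:
    h = parse_pe_header(data)
    # Headers are mapped 1:1 at the image base, so an entry RVA below the first code
    # section means the loader starts executing header bytes; RVA 0 is the MZ signature.
    # (BaseOfCode is used as the boundary because SizeOfHeaders is past the sample.)
    h["entry_in_headers"] = h["entry_rva"] < h["base_of_code"]
    h["stub"], target = ([], None)
    if h["entry_in_headers"]:
        h["stub"], target = decode_stub(data, h["entry_rva"])
    h["transfer_va"] = target
    h["transfer_rva"] = None if target is None else target - h["image_base"]
    code_end = h["base_of_code"] + h["size_of_code"]
    h["transfer_outside_code"] = (h["transfer_rva"] is not None and
                                  not (h["base_of_code"] <= h["transfer_rva"] < code_end))
    return h


def with_entry(data: bytes, rva: int) -> bytes:
    """Return a copy of data with AddressOfEntryPoint (offset e_lfanew+24+16) set to rva."""
    buf = bytearray(data)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    struct.pack_into("<I", buf, e_lfanew + 24 + 16, rva)
    return bytes(buf)


if __name__ == "__main__":
    r = analyze(SAMPLE_HEADER)
    print(f"entry RVA {r['entry_rva']:#x}, in headers: {r['entry_in_headers']}")
    print("stub:", "; ".join(r["stub"]))
    print(f"control goes to VA {r['transfer_va']:#x} (RVA {r['transfer_rva']:#x}), "
          f"outside the code section: {r['transfer_outside_code']}")
```

On the sample this reports entry RVA 0, the stub dec ebp; pop edx; push 0x0042A0A9; ret, and a transfer to RVA 0x2A0A9 outside the code section; setting the entry to 0x1000 with with_entry() makes the same checks come back clean, which is the distinction a triage script should draw before looking at section contents.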

The executing file has been seen to make the following network connections in live environments. The outbound SMTP connection on port 25 is the behaviour that matches the mass-mailing worm detections above; by contrast the Google public DNS resolver, the Symantec OCSP responder and the generic shared-hosting and EC2 addresses are infrastructure that legitimate software also contacts, so on their own they are weak indicators.

TCP (HTTP)      spectrum.cfaes.ohio-state.edu (140.254.85.223:80)
TCP (HTTP)      llgc793.servidoresdns.net (217.76.130.123:80)
TCP (HTTP)      useron22.hostmaster.sk (46.229.230.106:80)
TCP (HTTP)      merkur92.webhost4u.ch (193.138.29.92:80)
TCP (HTTP)      penelope.alastyr.com (185.8.128.31:80)
TCP (SMTP)      ci231-63.netnam.vn (210.86.231.63:25)
TCP (HTTP)      zoe.fortion.net (185.175.85.9:80)
TCP (HTTP)      prime.gushi.org (149.20.61.42:80)
TCP (HTTP)      lb-182-210.above.com (103.224.182.210:80)
TCP (HTTP)      ec2-54-88-133-92.compute-1.amazonaws.com (54.88.133.92:80)
TCP (HTTP)      ec2-54-85-149-135.compute-1.amazonaws.com (54.85.149.135:80)
TCP (HTTP)      web.anythingemail.com (74.208.146.183:80)
TCP (HTTP)      plesk-web24.webhostbox.net (199.79.63.199:80)
TCP             google-public-dns-a.google.com (8.8.8.8:53)
TCP (HTTP)      eu-hu-dataplex-hosting-01.azar-a.net (91.219.236.11:80)
TCP (HTTP)      ee-ocsp-origin.ilg.ws.symantec.net (69.58.181.240:80)
TCP (HTTP)      ec2-52-1-32-25.compute-1.amazonaws.com (52.1.32.25:80)
TCP (HTTP)      ec2-34-206-157-64.compute-1.amazonaws.com (34.206.157.64:80)
TCP (HTTP SSL)  csr.smarty.telekom.hu (212.51.65.65:443)
TCP (HTTP)      66-34-119-114.static.dal01.corespace.com (66.34.119.114:80)
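To use the connection list above as detection content, it has to become structured indicators and the weak ones have to be marked as such. The following is an added example for this page, not Reason Core's code: it parses entries in the page's own "TCP (HTTP): / Connects to host (ip:port)" format, tags hosts that look like shared infrastructure as low confidence (the substring list SHARED_INFRA_HINTS is an assumption), and runs a constructed firewall log against them. A second, independent check flags any direct outbound SMTP that does not go to a sanctioned relay, since a mass-mailer trips that rule whether or not its destinations are on the indicator list. The flow log, its one-line format and the relay address 10.0.9.5 are all invented for the example.

```python
"""Turn the page's "Connects to" entries into IOCs and run flow logs against them."""
import re
from typing import Dict, FrozenSet, List

# Constructed input: five of the page's entries, copied in the page's own format.
PAGE_ENTRIES = """\
TCP (HTTP):
Connects to penelope.alastyr.com  (185.8.128.31:80)

TCP (SMTP):
Connects to ci231-63.netnam.vn  (210.86.231.63:25)

TCP:
Connects to google-public-dns-a.google.com  (8.8.8.8:53)

TCP (HTTP):
Connects to ee-ocsp-origin.ilg.ws.symantec.net  (69.58.181.240:80)

TCP (HTTP):
Connects to ec2-54-88-133-92.compute-1.amazonaws.com  (54.88.133.92:80)
"""

# Constructed input: an invented firewall log, one flow per line.
FLOW_LOG = """\
2025-01-18T01:33:02Z 10.0.5.17:51234 -> 185.8.128.31:80 TCP
2025-01-18T01:33:05Z 10.0.5.17:51240 -> 210.86.231.63:25 TCP
2025-01-18T01:33:06Z 10.0.5.17:51241 -> 8.8.8.8:53 TCP
2025-01-18T01:33:09Z 10.0.5.17:51250 -> 198.51.100.20:25 TCP
2025-01-18T01:33:10Z 10.0.5.17:51251 -> 10.0.9.5:25 TCP
2025-01-18T01:33:11Z 10.0.5.17:51252 -> 93.184.216.34:443 TCP
"""

# Assumption: hostnames containing these fragments are shared infrastructure
# (public resolver, OCSP responder, generic cloud hosting) that benign software
# contacts too, so a hit on them alone is low confidence.
SHARED_INFRA_HINTS = ("google-public-dns", "ocsp", ".compute-1.amazonaws.com")

ENTRY_RE = re.compile(
    r"^(?P<proto>TCP|UDP)(?: \((?P<app>[^)]+)\))?:\n"
    r"Connects to (?P<host>\S+)\s+\((?P<ip>[\d.]+):(?P<port>\d+)\)", re.M)
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$", re.M)


def parse_page_entries(text: str) -> List[Dict]:
    """Each entry becomes one IOC keyed on (ip, port) with a confidence tag."""
    iocs = []
    for m in ENTRY_RE.finditer(text):
        host = m["host"]
        weak = any(hint in host for hint in SHARED_INFRA_HINTS)
        iocs.append({"proto": m["proto"], "app": m["app"], "host": host, "ip": m["ip"],
                     "port": int(m["port"]), "confidence": "low" if weak else "high"})
    return iocs


def parse_flows(text: str) -> List[Dict]:
    return [{"ts": m["ts"], "src": m["src"], "dst": m["dst"],
             "dport": int(m["dport"]), "proto": m["proto"]}
            for m in FLOW_RE.finditer(text)]


def match_flows(flows: List[Dict], iocs: List[Dict],
                mail_relays: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Two independent checks per flow: an exact (ip, port) IOC hit, and direct
    outbound SMTP to anything other than the sanctioned relays."""
    by_key = {(i["ip"], i["port"]): i for i in iocs}
    findings = []
    for f in flows:
        ioc = by_key.get((f["dst"], f["dport"]))
        if ioc is not None:
            findings.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "dport": f["dport"],
                             "reason": "ioc", "host": ioc["host"], "confidence": ioc["confidence"]})
        if f["dport"] == 25 and f["dst"] not in mail_relays:
            findings.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "dport": 25,
                             "reason": "direct-smtp", "host": None, "confidence": "medium"})
    return findings


if __name__ == "__main__":
    iocs = parse_page_entries(PAGE_ENTRIES)
    for hit in match_flows(parse_flows(FLOW_LOG), iocs, frozenset({"10.0.9.5"})):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"{hit['reason']} ({hit['confidence']}) {hit['host'] or ''}")
```

On the constructed log this yields three IOC hits (two high confidence, one low for the 8.8.8.8:53 flow) and two direct-SMTP findings, one of them to a destination that is not on the indicator list at all; the flow to the sanctioned relay produces nothing. Keeping the two checks separate is the point: the IOC list ages quickly, while the port-25 rule keeps catching the behaviour.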

Remove hidn2.exe - Powered by Reason Core Security