hyqsapxutinl.exe

The executable hyqsapxutinl.exe has been detected as malware by 22 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key, under the display name ‘hyqsapxutinl’. While running, it connects to the Internet address 107.154.192.92.ip.incapdns.net on port 443.
MD5: 6bce674dfd1e380edf41c3d539e5e57d
SHA-1: d905fdd2ac3ac338009bc86fe6e373f1c7f4d632
SHA-256: edde2e05798a8f7564ab2c27b1b20d2887fedfd123384e017e0d97ed1ea0bfb7

Scanner detections: 22 / 68
Status: Malware
Analysis date: 12/25/2024 2:49:43 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Spyware/Win32.Zbot | 2013.10.16
Avira AntiVirus | TR/Crypt.ZPACK.27274 | 7.11.107.236
avast! | Win32:Zbot-RXZ [Trj] | 2014.9-170204
AVG | Generic9_c | 2018.0.2478
Baidu Antivirus | Trojan.Win32.Wigon | 4.0.3.1724
Bitdefender | Trojan.GenericKDV.1333884 | 1.0.20.175
Comodo Security | TrojWare.Win32.Monder.GEN | 17113
Emsisoft Anti-Malware | Trojan.GenericKDV.1333884 | 8.17.02.04.09
ESET NOD32 | Win32/Wigon.PI | 11.8922
Fortinet FortiGate | W32/Tepfer.AAX!tr.pws | 2/4/2017
G Data | Trojan.GenericKDV.1333884 | 17.2.22
IKARUS anti.virus | Trojan-Downloader.Win32.Cutwail | t3scan.2.0.127
Kaspersky | Trojan.Win32.Inject | 14.0.0.-1117
Malwarebytes | Trojan.ModifiedUPX | v2017.02.04.09
McAfee | Artemis!6BCE674DFD1E | 5600.6134
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail.BS | 1.163.1557.0
MicroWorld eScan | Trojan.GenericKDV.1333884 | 18.0.0.105
Panda Antivirus | Trj/Genetic.gen | 17.02.04.09
Sophos | Troj/Agent-ADBJ | 4.93
Trend Micro House Call | TROJ_GEN.F0C2C00JF13 | 7.2.35
Trend Micro | TROJ_GEN.F0C2C00JF13 | 10.465.04
VIPRE Antivirus | Trojan.Win32.Generic | 22426

File size: 65.6 KB (67,220 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\as\hyqsapxutinl.exe

File PE Metadata
Compilation timestamp: 10/10/2013 7:16:31 PM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 2.50
Entry address: 0xC9F0
Entry point: 60, BE, 15, A0, 40, 00, 8D, BE, EB, 6F, FF, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 49, A6, 00, 00, 57, 83, C3, 04, 53, 68, D1, 29, 00, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
Code size: 16 KB (16,384 bytes)

Startup File (User Run)
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: hyqsapxutinl
Command: C:\users\as\hyqsapxutinl.exe


The executing file has been seen to make the following network communications in live environments.

Powered by Reason Core Security