images.exe

The executable images.exe has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘iconrdb’. While running, it connects to the Internet address ip-160-153-47-192.ip.secureserver.net on port 21.
MD5:
823b343b8451abcfd38796832001f24c

SHA-1:
eb7f0e8260ee752e8bea6c2e5b4572cd229d2ab8

SHA-256:
d1efb4a0f1cbfdcd05da3ddb5ecd83c021b917191f66fb5787170cda99774558

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
11/28/2024 5:27:11 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Sality
160917-0

ESET NOD32
Python/Agent.H worm
6.3.12010.0

File size:
5.5 MB (5,787,921 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
11/10/2008 2:40:35 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x2C61

Entry point:
E8, 72, 03, 00, 00, E9, 36, FD, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 8B, 00, 81, 38, 63, 73, 6D, E0, 75, 2A, 83, 78, 10, 03, 75, 24, 8B, 40, 14, 3D, 20, 05, 93, 19, 74, 15, 3D, 21, 05, 93, 19, 74, 0E, 3D, 22, 05, 93, 19, 74, 07, 3D, 00, 40, 99, 01, 75, 05, E8, C7, 03, 00, 00, 33, C0, 5D, C2, 04, 00, 68, 6B, 2C, 40, 00, FF, 15, 20, 40, 40, 00, 33, C0, C3, CC, FF, 25, 10, 41, 40, 00, 6A, 14, 68, 30, 42, 40, 00, E8, 5E, 02, 00, 00, FF, 35, A0, 66, 40, 00, 8B, 35, B0, 40, 40, 00, FF, D6, 59, 89, 45, E4, 83...
 
[+]

Entropy:
7.6630

Code size:
8.5 KB (8,704 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
iconrdb

Command:
C:\users\{user}\appdata\roaming\iconrdb.exe


The executing file has been seen to make the following network communications in live environments.

TCP (FTP):
Connects to ip-160-153-47-192.ip.secureserver.net  (160.153.47.192:21)

TCP (HTTP):
Connects to ip-184-168-131-233.ip.secureserver.net  (184.168.131.233:80)

Remove images.exe - Powered by Reason Core Security