kb195433310.exe

MyB 应用程序

The executable kb195433310.exe, “MyB Microsoft 基础类应用程序” has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Host-process Windows (Rundll32.exe)’. While running, it connects to the Internet address ADMIN-PC on port 9997.
Product:
MyB 应用程序

Description:
MyB Microsoft 基础类应用程序

Version:
1, 0, 0, 1

MD5:
f195b2b289b81eacc2fc9c697078490d

SHA-1:
54b1672410ca11e956fd59a74e6b3231f138d640

SHA-256:
9bdf4c382fd34280866f08ef59cef3e6c87418d56cb7bc6ce203a94e22e59e21

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/27/2024 11:39:14 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Trojan.Boaxxe
17.2.6.15

File size:
104.1 KB (106,612 bytes)

Product version:
1, 0, 0, 1

Copyright:
版权所有 (C) 2009

Original file name:
MyB.EXE

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\appdata\local\temp\kb195433310.exe

File PE Metadata
Compilation timestamp:
7/15/2016 9:19:22 PM

OS version:
5.5

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.5

Entry address:
0x1E9C

Entry point:
55, 8B, EC, 6A, FE, 68, 68, 36, 40, 00, 68, C2, 20, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, 5F, 57, FF, 15, A4, 31, 40, 00, 59, 83, 0D, 48, 4C, 40, 00, FF, 83, 0D, 4C, 4C, 40, 00, FF, FF, 15, A0, 31, 40, 00, 8B, 0D, 3C, 4C, 40, 00, 89, 08, FF, 15, 9C, 31, 40, 00, 8B, 0D, 38, 4C, 40, 00, 89, 08, A1, 98, 31, 40, 00, 8B, 00, A3, 44, 4C, 40, 00, E8, A2, 01, 00, 00, 39, 1D, 40, 4B, 40, 00, 75, 0C, 68, AC, 20, 40, 00, FF, 15...
 
[+]

Entropy:
7.0009

Developed / compiled with:
Microsoft Visual C++

Code size:
8 KB (8,192 bytes)

3 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\users\{user}\appdata\roaming\rundll32.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\users\{user}\appdata\roaming\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Service Host Process for Windows

Command:
C:\users\{user}\appdata\roaming\svchost.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to ADMIN-PC  (46.148.17.202:9997)

TCP:
Connects to customer.worldstream.nl  (217.23.11.14:9631)

TCP (SMTP):
Connects to vcs-star-s-myc.mail.vip.sg3.yahoo.com  (106.10.150.156:25)

TCP:
Connects to WIN-8UDHEG0I0H5  (46.148.17.194:9997)

TCP:
Connects to WIN-7QJT82U4LL6  (46.148.18.26:9631)

TCP:
Connects to WIN-2F7C36U6BPH  (46.148.22.10:9997)

TCP:
Connects to afguyoioauao.hosted.co.za  (154.0.173.91:9631)

TCP:
Connects to 77-226-187-203.static.youbroadband.in  (203.187.226.77:9997)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.gq1.yahoo.com  (63.250.193.229:25)

TCP (SMTP):
Connects to mx1.hotmail.com  (65.55.33.119:25)

TCP:
Connects to host189.89.125-51.dh-c.net.br  (189.89.125.51:9631)

TCP:
Connects to atlantic2020.dedicatedpanel.com  (188.138.102.152:9997)

TCP:
Connects to a8.9d.37a9.ip4.static.sl-reverse.com  (169.55.157.168:9631)

TCP:
Connects to 50-255-185-148-static.hfc.comcastbusiness.net  (50.255.185.148:9631)

TCP:
Connects to WIN-OJMG4CLJV5H  (46.148.17.146:9997)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ne1.yahoo.com  (98.138.105.22:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ir2.yahoo.com  (188.125.68.56:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.bf1.yahoo.com  (98.139.221.253:25)

TCP:
Connects to ns3022934.ip-91-121-72.eu  (91.121.72.83:9631)

TCP:
Connects to mail.sellene.com  (85.93.93.10:9631)

Remove kb195433310.exe - Powered by Reason Core Security