msn.exe

The executable msn.exe has been detected as malware by 1 of 68 anti-virus scanners, and that single detection is heuristic (note the "(H)" suffix in the scanner table below), so the verdict on its own is low-confidence and should be corroborated against the persistence entry and network indicators on this page. The file is set to start automatically when a user logs into Windows via the current-user Run registry key, under the value name 'apo5', with the command C:\win\msn.exe; msn.exe is not a standard Windows component and C:\win\ is not a standard Windows directory. While running, it has been observed connecting over HTTP (TCP port 80) to several hosts, including 213.202.229.103.static.rdns-uclo.net (213.202.229.103).
MD5:
a33a7aae0b154534b867d23e3d0cf743

SHA-1:
42d5d4223631e12a83a9f7c7c3579f91a21ba287

SHA-256:
8fcfe91cf9dbac451dc1506546dc33370d7d0dea0d6703fc34f4680ee05854a0

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/27/2024 3:55:12 PM UTC

Scan engine          Detection                  Engine version
Reason Heuristics    Threat.Worm.Macoute (H)    17.1.27.17

File size:
516.5 KB (528,896 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
6/17/2005 2:51:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.20

Entry address:
0x12C0

Entry point:
39, EA, C7, C1, 0C, 87, AA, CE, 0F, BE, C1, 50, 50, 49, C6, C0, 38, F6, C5, 50, 86, D2, 70, 02, 84, C7, 8D, 2D, 86, 3A, 4D, F6, 80, C9, E8, F6, C3, FD, F7, C3, 02, B0, 72, E7, 21, FF, E8, 10, 00, 00, 00, F2, F7, C1, E0, 65, 13, E0, 46, C6, C2, A9, 0F, AF, CE, 3B, ED, BB, 34, C7, A1, 2B, 85, CA, 70, 0A, 81, E0, 2B, F1, 06, 3E, 04, BC, 29, E9, EB, 06, 0F, B7, D7, 4E, 08, E6, 81, EF, 5E, 8E, 00, 00, 0F, AF, D9, 81, EF, 28, 0F, 00, 00, 5B, 0F, AF, D6, 8B, FA, 12, F5, B1, A9, FF, C6, 85, D2, 77, 02, 85, CD, 8D...

Code size:
232 KB (237,568 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
apo5

Command:
C:\win\msn.exe


The file has been observed making the following network connections when executed in live environments. The host names shown appear to be reverse-DNS names of the destination IPs (they follow hosting-provider naming patterns) rather than names the sample itself resolved, so treat the IP:port pairs as the indicators.

TCP (HTTP):
Connects to fm.interiowo.pl  (217.74.66.160:80)

TCP (HTTP):
Connects to static-199-27-179-185.megatrhost.com  (185.179.27.199:80)

TCP (HTTP):
Connects to static-139-235-132-188.sadecehosting.net  (188.132.235.139:80)

TCP (HTTP):
Connects to 213.202.229.103.static.rdns-uclo.net  (213.202.229.103:80)
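As an added example (not code from the report's publisher), the following Python script turns the indicators on this page into a check a responder can run: it matches a `reg query` dump of the HKCU Run key against the 'apo5' / C:\win\msn.exe entry, compares a file's hashes and size against the values above, and flags connection-log lines whose destination is one of the listed IP:port pairs. The registry dump and connection lines are constructed sample input; the bytes hashed in the usage are a placeholder, not the sample.

```python
"""IOC checks derived from the msn.exe report above.

Added example, not code from the report's publisher. Registry and
connection inputs below are constructed samples; no real file is hashed.
"""
import hashlib
import re

# Indicators copied from the report.
IOC_HASHES = {
    "md5": "a33a7aae0b154534b867d23e3d0cf743",
    "sha1": "42d5d4223631e12a83a9f7c7c3579f91a21ba287",
    "sha256": "8fcfe91cf9dbac451dc1506546dc33370d7d0dea0d6703fc34f4680ee05854a0",
}
IOC_FILE_SIZE = 528896
IOC_RUN_NAME = "apo5"
IOC_RUN_COMMAND = r"C:\win\msn.exe"
IOC_DESTINATIONS = {            # (ip, port) pairs from the network section
    ("217.74.66.160", 80),
    ("185.179.27.199", 80),
    ("188.132.235.139", 80),
    ("213.202.229.103", 80),
}

# Constructed sample: text output of
#   reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    apo5    REG_SZ    C:\win\msn.exe
"""

# Constructed sample: one connection per line, "src -> dst:port".
SAMPLE_CONNECTIONS = [
    "2024-11-27T15:55:12Z TCP 10.0.0.5:49212 -> 213.202.229.103:80",
    "2024-11-27T15:55:13Z UDP 10.0.0.5:53411 -> 8.8.8.8:53",
    "2024-11-27T15:55:14Z TCP 10.0.0.5:49213 -> 185.179.27.199:80",
    "2024-11-27T15:55:15Z TCP 10.0.0.5:49214 -> 185.179.27.199:443",
]

REG_LINE = re.compile(r"\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")
DST_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def check_run_key(reg_query_output):
    """Return (name, command) pairs from a `reg query` dump that match the
    report's Run entry. Registry value names are case-insensitive, and the
    command may be quoted or carry arguments, so compare the leading path."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        name, _type, command = m.groups()
        path = command.lstrip('"').lower()
        if name.lower() == IOC_RUN_NAME or path.startswith(IOC_RUN_COMMAND.lower()):
            hits.append((name, command))
    return hits


def hash_matches(data):
    """Map each hash algorithm in the report to whether `data` matches it,
    plus a size check: a size mismatch rules the file out cheaply."""
    result = {algo: hashlib.new(algo, data).hexdigest() == digest
              for algo, digest in IOC_HASHES.items()}
    result["size"] = len(data) == IOC_FILE_SIZE
    return result


def check_connections(log_lines):
    """Return destination (ip, port) pairs that appear in the report."""
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if m:
            dst = (m.group(1), int(m.group(2)))
            if dst in IOC_DESTINATIONS:
                hits.append(dst)
    return hits


if __name__ == "__main__":
    print("Run key hits:", check_run_key(SAMPLE_REG_QUERY))
    print("Connection hits:", check_connections(SAMPLE_CONNECTIONS))
    print("Hash/size check on placeholder bytes:", hash_matches(b"placeholder"))
```

On a live host, feed `check_run_key` the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `hash_matches` the bytes of the file the matching command points at; the 185.179.27.199:443 line in the sample is deliberately left unmatched because the report only lists port 80 for that host.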
