msn.exe

The executable msn.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘apo5’. While running, it connects to the Internet address 209-99-40-222.fwd.datafoundry.com on port 80 using the HTTP protocol.
MD5:
7a73552b1e20cb884c726a93e250bbac

SHA-1:
6317eedca2a180b05121a3cde01f973e45545d70

SHA-256:
a8648d144aa4a67df8d2c0fb36b1ef30c81698cb8f737ea8e4513f3d2f6d245f

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/2/2024 9:31:31 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Worm.Macoute (H)

Engine version:
17.2.4.12

File size:
432.5 KB (442,880 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
10/13/2006 5:51:20 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.20

Entry address:
0x12C0

Entry point:

Code size:
232 KB (237,568 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
apo5

Command:
C:\win\msn.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)

TCP (HTTP):
Connects to pro12.linuxpl.com  (78.46.209.78:80)

TCP (HTTP):
Connects to 93-89-224-228.fbs.com.tr  (93.89.224.228:80)

TCP (HTTP):
Connects to 209-99-40-223.fwd.datafoundry.com  (209.99.40.223:80)

Remove msn.exe - Powered by Reason Core Security