msn.exe

The executable msn.exe has been detected as malware by 8 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘apo5’. While running, it connects to the Internet address 94-73-147-19.cizgi.net.tr on port 80 using the HTTP protocol.
MD5:
41c82cc717879df4fd9912b02d53ebed

SHA-1:
dc7fc261a9a9771741640d9f486337fc9ee9db0a

SHA-256:
6826da62d33ce31f90a9caf077607c29546507e4e42d35bc931337d186468125

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
11/27/2024 11:23:54 AM UTC

Scan engine | Detection | Engine version
avast! | Win32:Dropper-GUP [Drp] | 160518-2
AVG | Win32/Heur | 2015.0.4591
Dr.Web | Win32.Sector.30 | 9.0.1.05190
Emsisoft Anti-Malware | Gen:Variant.Kazy.525114 | 11.5.0.6191
ESET NOD32 | Win32/Sality.NAQ virus | 8.0.319.0
F-Secure | Variant.Kazy.525114 | 5.15.96
Microsoft Security Essentials | Threat.Undefined | 1.223.1406.0
Norman | Gen:Variant.Kazy.525114 | 22.05.2016 07:18:28

File size:
478.5 KB (489,984 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
3/27/2011 2:06:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.20

CTPH (ssdeep):
6144:xafsiuvAQ+tTm6cyERSiytj71cWE4jKS6vprEV1jtlUbYgSIccrz/:mCvAQ+q6ctRt636WfjOejbUHak

Entry address:
0x12C0

Entry point:
60, 2C, 2A, F7, C5, 00, 40, 2C, 1E, 87, CD, 20, EF, 87, EE, 0F, BF, EA, 8D, 05, 09, 0F, 02, 8B, 81, E2, 91, A2, 93, 54, 0C, C3, F3, F3, 3B, CD, 78, 03, F2, 8B, EB, 33, C0, F7, C2, 6F, 12, A1, D9, F7, C3, 2E, FB, 64, 32, F6, C4, 29, 0B, C7, BB, B5, 17, 13, 62, 69, D1, B8, 73, 27, 12, F3, 2B, F0, 88, DD, 0F, AF, D3, 69, FD, 15, FF, FA, 30, 0F, AF, FA, 81, F7, 31, C6, 1B, 49, 86, F9, F3, 85, CA, 6A, 00, 5F, 86, FB, 69, C7, 85, 3C, 1B, 00, 8D, 35, 87, E9, BE, F3, 15, 60, 29, CC, 90, B6, 0A, 85, F8, 81, C7, B1...

Code size:
232 KB (237,568 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
apo5

Command:
C:\win\msn.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to w.interiowo.pl  (217.74.66.161:80)

TCP (HTTP):
Connects to 94-73-147-19.cizgi.net.tr  (94.73.147.19:80)

TCP (HTTP):
Connects to 202.43.35.233.issp.co.th  (202.43.35.233:80)
