msn.exe

The executable msn.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘apo5’. While running, it connects to the Internet address host176.b5.trdns.com on port 80 using the HTTP protocol.
MD5:
3bc87152056e4031be93c28450b8ba87

SHA-1:
f6270e3ec0e304dfe5653ad8516284723705865d

SHA-256:
5fc827437221694e27346d1c0a42240893be9e5e87729111b0f0904b3ccf4054

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/27/2024 1:24:41 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader (M)

Engine version:
16.4.30.15

File size:
392.5 KB (401,920 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\win\msn.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.20

CTPH (ssdeep):
6144:dafsiuvAQ+tTm6cyERSiytj71cWE4jKS6vnXEGVL2s:CCvAQ+q6ctRt636WfjOPXZss

Entry address:
0x12C0

Entry point:
60, 85, CA, 84, C6, B2, 5D, 68, 4A, B8, 92, 00, 68, 58, 5A, BA, 00, 32, ED, 84, E8, F6, C4, 55, 10, FB, 24, F2, F3, 89, D2, F6, C2, B1, 05, 3F, EF, 70, 7A, 8D, 3D, B4, 61, A8, 8B, 6B, DB, 00, 40, 88, FA, 00, E5, 81, EB, 43, A5, F2, FF, B6, 06, 81, EB, 36, 95, 0C, 00, B5, CC, 0F, C1, DD, C7, C0, 2E, 4D, 8C, 21, 81, C5, 9E, 0E, 00, 00, F3, 40, F2, BD, 58, 72, 84, DC, 69, ED, 21, 9B, EA, 47, 0C, 35, 0F, BF, F5, E8, 97, 00, 00, 00, 69, FD, 3F, F3, FC, 00, 81, CF, C6, E1, 53, 00, 8A, FB, F6, C5, 97, 4F, B0, 78...
 
[+]

Code size:
232 KB (237,568 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
apo5

Command:
C:\Program Files\win\msn.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to perfora.net  (216.250.120.214:80)

TCP (HTTP):
Connects to ekiaiooqqo.c06.mtsvc.net  (205.186.187.148:80)

TCP (HTTP):
Connects to 213.202.229.103.static.rdns-uclo.net  (213.202.229.103:80)

TCP (HTTP):
Connects to hosted-by.snel.com  (78.41.204.28:80)

TCP (HTTP):
Connects to static-ip-209-126-123-11.inaddr.ip-pool.com  (209.126.123.11:80)

TCP (HTTP):
Connects to host3.inetmar.com  (85.95.225.61:80)

TCP (HTTP):
Connects to win15.securedc.com  (64.8.117.67:80)

TCP (HTTP):
Connects to static-ip-209-126-123-13.inaddr.ip-pool.com  (209.126.123.13:80)

TCP (HTTP):
Connects to static-ip-209-126-123-12.inaddr.ip-pool.com  (209.126.123.12:80)

TCP (HTTP):
Connects to host176.b5.trdns.com  (77.245.148.176:80)
