msn.exe

The executable msn.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘apo5’. While running, it connects to the Internet address host176.b5.trdns.com on port 80 using the HTTP protocol.
MD5:
d57098b8b4d8718961c3bf1ad728deda

SHA-1:
f71e58f7999c4105e65c5f228237eb3ffe7be624

SHA-256:
99620109f3e088936f750d9364436f0c37f72075679481051757ac0d2d28457a

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/25/2024 12:05:57 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Worm.Macoute (H)

Engine version:
17.1.31.1

File size:
1.6 MB (1,681,920 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
3/26/2011 8:06:54 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.20

Entry address:
0x12C0

Entry point:
60, F3, 0F, AD, C1, C6, C1, 75, 0F, AC, C1, 8A, 0F, BF, DF, 0F, A5, CD, 0F, BF, C1, 84, D2, C0, C9, F0, 8D, 2D, 2F, 52, FC, 12, 69, D3, 3B, 06, 50, 89, 80, DC, 94, F7, D8, 0F, BA, FB, 9F, E8, 00, 00, 00, 00, 0F, A5, FE, 0F, C1, D5, 0F, AD, C6, 84, C8, C6, C6, EA, 89, E8, B9, DA, 9A, 5D, 6B, 81, F3, 15, BF, 00, 00, F7, DE, 5D, 0F, BA, E7, F2, 0F, BE, FB, 0F, BA, E1, 85, 87, DF, 0F, C1, D1, 0F, BA, FB, D8, 0F, AD, D3, F7, C1, 04, 45, B5, C8, 85, D6, 0F, A5, C9, 8A, EA, 3B, F8, 81, D9, 88, B9, 6B, 8B, 25, 24...

Code size:
232 KB (237,568 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
apo5

Command:
C:\win\msn.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to win15.securedc.com  (64.8.117.67:80)

TCP (HTTP):
Connects to host176.b5.trdns.com  (77.245.148.176:80)

TCP (HTTP):
Connects to email.interbox.cz  (77.78.99.55:80)

TCP (HTTP):
Connects to 161maklp3.guzel.net.tr  (31.192.214.161:80)

TCP (HTTP):
Connects to hostedc76.carrierzone.com  (69.49.115.40:80)

TCP (HTTP):
