n19.exe

The executable n19.exe has been detected as malware by 3 anti-virus scanners. While running, it connects to the Internet address stats.red.mysitehosted.com on port 80 using the HTTP protocol.
MD5:
e0ed98a4fd41172a21dfce2be612cb36

SHA-1:
d9bb851948d644efdad15c444555f729ebddc4d7

SHA-256:
cce4a2242b32d8b68f2448f9e3c795ab1fcaf305abd92a49ef20047ac64923e6

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
11/23/2024 10:22:16 AM UTC

Detections by scan engine (engine: detection name, engine version):

avast!: Win32:Dropper-gen [Drp], engine version 2014.9-140408
ESET NOD32: Win32/Kryptik.BZGH (variant), engine version 8.9649
Kaspersky: Backdoor.Win32.Pushdo, engine version 14.0.0.4048

File size:
99.5 KB (101,888 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\n19.exe

File PE Metadata
Compilation timestamp:
12/13/2013 7:25:50 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.10

CTPH (ssdeep):
1536:3lpo++nZJDsK/6tT6imAfGynAl10YdbaPOa5+3:1a++nZj/6tT6i5vAl10YG5+3

Entry address:
0x19EF

Entry point:
E8, 73, 77, 00, 00, E9, 8C, FB, 00, 00, 56, 57, B8, 80, 6F, 41, 00, BF, 80, 6F, 41, 00, 3B, C7, 8B, F0, 73, 0F, 8B, 06, 85, C0, 74, 02, FF, D0, 83, C6, 04, 3B, F7, 72, F1, 5F, 5E, C3, FF, 15, B0, 50, 41, 00, C2, 04, 00, A1, F0, 93, 41, 00, 83, F8, FF, 74, 16, 50, FF, 35, 08, A4, 41, 00, E8, 19, 01, 01, 00, 59, FF, D0, 83, 0D, F0, 93, 41, 00, FF, A1, F4, 93, 41, 00, 83, F8, FF, 74, 0E, 50, FF, 15, B8, 50, 41, 00, 83, 0D, F4, 93, 41, 00, FF, E9, BB, 03, 00, 00, 56, E8, 2D, 02, 01, 00, 8B, F0, 85, F6, 75, 08...

Entropy:
6.5164

Code size:
79 KB (80,896 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to url.hover.com  (64.99.80.30:80)

TCP (HTTP):
Connects to unknown.scnet.net  (204.93.213.45:80)

TCP (HTTP):
Connects to stats.red.mysitehosted.com  (23.91.121.152:80)

TCP (HTTP):
Connects to static.115.86.76.144.clients.your-server.de  (144.76.86.115:80)

TCP (HTTP):
Connects to p3pwssweb-v01.prod.phx3.secureserver.net  (97.74.42.79:80)

TCP (HTTP):
Connects to host75-203-110-95.serverdedicati.aruba.it  (95.110.203.75:80)

TCP (HTTP):
Connects to cluster015.ovh.net  (213.186.33.3:80)

Powered by Reason Core Security