» new folder.exe
Overview
Analysis
File Details
Network (2)

new folder.exe

The executable new folder.exe, “Microsoft Corparation” has been detected as malware by 34 anti-virus scanners. Infected by an entry-point obscuring polymorphic file infector which will create a peer-to-peer botnet and receives URLs of additional files to download. While running, it connects to the Internet address p11pn-i.geo.vip.bf1.yahoo.com on port 80 using the HTTP protocol.

File name:

new folder.exe

Description:

Microsoft Corparation

Version:

1,1,2,2

MD5:

1bd90b334ffb3e08b6ab94a711d2c2fc

SHA-1:

d6eccfd8f740db8d1e2a5ebb7cdd34f34cefa949

SHA-256:

4fba8b54705f26e48a5300855d2bb62285de0795ec08b254561e84b838650ee3

Scanner detections:

34 / 68

Status:

File is infected by a Virus

Explanation:

The file is infected by a polymorphic file infector virus.

Analysis date:

11/14/2024 5:37:19 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

Win32.Sality.AP.Gen

7.1.1

AhnLab V3 Security

Win32/Kashu.B

2013.05.14

Avira AntiVirus

W32/Sality.AA

7.11.78.32

avast!

AutoIt:AutoRun-B@BC [Wrm]

2014.9-160921

AVG

Worm/AutoRun

2017.0.2613

Bitdefender

Win32.Sality.OG

1.0.20.1325

Clam AntiVirus

W32.Sality-72

0.98/18155

Comodo Security

Virus.Win32.Sality.Gen

16248

Dr.Web

Win32.HLLW.Autoruner.8744

9.0.1.0265

Emsisoft Anti-Malware

Win32.Sality.OG

8.16.09.21.02

ESET NOD32

Win32/Sality.NAU

10.8327

Fortinet FortiGate

W32/Agent.FDR!tr

9/21/2016

F-Prot

W32/Sality.AK

v6.4.7.1.166

F-Secure

Win32.Sality.OG

11.2016-21-09_4

G Data

Win32.Sality.OG

16.9.22

IKARUS anti.virus

Trojan.Crypt

t3scan.2.0.0.0

K7 AntiVirus

Virus

13.166.8668

Kaspersky

Worm.Win32.AutoIt

14.0.0.-438

Malwarebytes

Worm.Agent.IMY

v2016.09.21.02

McAfee

W32/Sality.gen

5600.6269

Microsoft Security Essentials

Worm:Win32/Nuqel.AO

1.163.1557.0

MicroWorld eScan

Win32.Sality.OG

17.0.0.795

NANO AntiVirus

Virus.Win32.Sality.gcen

0.24.0.52214

Norman

007Spy.CO

11.20160921

nProtect

Win32.Sality.OG

13.05.13.04

Panda Antivirus

W32/Sality.AN

16.09.21.02

Quick Heal

W32.Sality.R

9.16.12.00

SUPERAntiSpyware

Trojan.Agent/Gen-FakeSoft

8884

Total Defense

Win32/Sality.AA

37.0.10418

Trend Micro House Call

PE_SALITY.BU

7.2.265

Trend Micro

PE_SALITY.BU

10.465.21

Vba32 AntiVirus

Virus.Win32.Sality.baka

3.12.22.0

VIPRE Antivirus

Trojan.Win32.AutoIT.gen

17712

ViRobot

Win32.Sality.L

2011.4.7.4223

File size:

864.5 KB (885,212 bytes)

File type:

Executable application (Win32 EXE)

Language:

English (United Kingdom)

File PE Metadata

Compilation timestamp:

11/25/2007 4:21:46 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

12288:LTB09SkkNXKgor5IWk3rWHfkuegrcqt4Omarj53Dvo9ysGlXkEbvy73hykz9Zicn:IScgU5og8ueZOxmKoc7LbvyFyK9YI

Entry address:

0xA8CD0

Entry point:

60, 2B, D2, 52, FF, 15, E8, 11, 4B, 00, 8B, D5, F6, D8, 0F, B7, FD, FE, CC, 87, DA, 2B, D2, 52, FF, 15, E8, 11, 4B, 00, E8, 24, 00, 00, 00, C9, 93, 29, 05, F0, 0C, 20, 56, 5C, C8, 63, C1, A1, 31, E0, E3, C7, 7E, C3, 18, 1E, 30, 8F, 9E, 1A, ED, BC, B0, 87, 72, 18, 37, F4, 44, 7C, 21, 2B, C9, 48, 58, 33, D0, 0F, BA, E9, B7, 0F, BC, C8, 0F, A4, F7, 57, 8D, 0D, A7, CE, 59, B8, F7, C7, 48, EB, 02, BD, 71, 17, 01, D2, 81, D1, 6F, 76, 61, A0, 0F, A5, D3, 0F, C1, DD, EB, 01, 50, F7, C7, E0, 23, 5A, B5, 81, C0, EF... 
[+]

Entropy:

7.9543 (probably packed)

Code size:

228 KB (233,472 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to p11pn-i.geo.vip.bf1.yahoo.com (98.139.135.128:80)

TCP (HTTP):

Connects to dev.ucoz.net (195.216.243.102:80)

Remove new folder.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.