obfuscator.exe

It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘fa9223bf4aae97e7bb4a6769605c500d’. The file has been seen being downloaded from 73616081-509517242719949032.preview.editmysite.com and multiple other hosts.
MD5:
9a8564cff6410521db7c9635e9c672e3

SHA-1:
af903aa1e0324e979f48ad0e27cabbe80bdb8bd4

SHA-256:
7198526acf8ce50b61f4449624e3dc9834b6f4f9145dd68cbe73d2a7c9a609bf

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
2/25/2025 2:29:20 PM UTC

File size:
544.5 KB (557,568 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\obfuscator.exe

File PE Metadata
Compilation timestamp:
4/29/2016 6:03:11 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:mEOVw3425rUldyn1vzfdnNNq3H7dkqDld:mE13425rUHy1VNc3H5z

Entry address:
0x895FE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.8326

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
542 KB (555,008 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
fa9223bf4aae97e7bb4a6769605c500d

Command:
"C:\users\{user}\appdata\roaming\wmipvse.exe"


The file obfuscator.exe has been seen being distributed by the following 2 URLs.

http://73616081-509517242719949032.preview.editmysite.com/uploads/7/3/6/1/.../obfuscator.exe

Scan obfuscator.exe - Powered by Reason Core Security