ref-053113.scr

2007 Microsoft Office system

Lorian Security Consultants

While the file properties state that the file was developed by 'Microsoft Corporation', this is not the case; it is designed to look like a legitimate Microsoft system file. The file ref-053113.scr has been detected as malware by 3 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘UGFiudlkk’.
Publisher:
Microsoft Corporation (signed by Lorian Security Consultants)

Product:
2007 Microsoft Office system

Version:
12.0.4518

MD5:
e6ca4dc19101c47f82492eadffba9d1f

SHA-1:
fcc4ecda7f73b6f39849e81f3c67ecfecb600524

SHA-256:
0a83d56a31afc4471aa9118ab037bec848d723121649736085009213b492d27a

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
11/27/2024 6:33:46 PM UTC

Scan engine | Detection | Engine version
ESET NOD32 | MSIL/Kryptik.FIO trojan | 7.0.302.0
Kaspersky | Backdoor.Win32.Androm | 15.0.0.562
McAfee | Trojan.Trojan-FIAC!E6CA4DC19101 | 18.0.204.0

File size:
825.4 KB (845,184 bytes)

Product version:
12.0.4518

Copyright:
© 2006 Microsoft Corporation. All rights reserved.

Original file name:
Ref-053113.exe

Language:
Language Neutral

Digital Signature
Authority:
Lorian Security Consultants

Valid from:
2/24/2016 9:35:12 PM

Valid to:
2/23/2017 9:35:12 PM

Subject:
E=info@loriansec.com, OU=Certification, O=Lorian Security Consultants, L=Seattle, S=Washington, C=US, CN=LorianSec

Issuer:
E=info@loriansec.com, OU=Certification, O=Lorian Security Consultants, L=Seattle, S=Washington, C=US, CN=LorianSec

Serial number:
00C47EA3B0C07C98F2

File PE Metadata
Compilation timestamp:
3/7/2016 2:18:57 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:Frulq3IlGZitsG4g1K2GWacM6GejjmZv9h:FFFi7zxU8jju

Entry address:
0xC616E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.1919

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
788 KB (806,912 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
UGFiudlkk

Command:
C:\users\{user}\appdata\local\temp\sfrgi.exe


Remove ref-053113.scr - Powered by Reason Core Security