» roxyir.exe
Overview
Analysis
File Details
Behaviors (1)
Network (53)

roxyir.exe

Nobemame Corporatu

The executable roxyir.exe has been detected as malware by 20 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time.

File name:

roxyir.exe

Publisher:

Nobemame Corporatu

Version:

2.47.23051.45480

MD5:

fbca66e32075335aed7fe83d75f60aa7

SHA-1:

681e4c0b2af9debc4c3294ecc04286573d389741

SHA-256:

274b2b6def6fd870f6bf1438e749dc5a63f95617138eb830c0bea4540c474658

Scanner detections:

20 / 68

Status:

Malware

Analysis date:

11/25/2024 9:42:34 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Kazy.493242

815

Avira AntiVirus

TR/Dropper.Gen

7.11.30.172

avast!

Win32:Dropper-gen [Drp]

141025-0

AVG

Win32/Cryptor

2014.0.4189

Bitdefender

Gen:Variant.Kazy.493242

1.0.20.1580

Bkav FE

HW32.Packed

1.3.0.4959

Comodo Security

TrojWare.Win32.Kryptik.ABFW

20061

Emsisoft Anti-Malware

Gen:Variant.Kazy.493242

8.14.11.12.01

ESET NOD32

Win32/Kryptik.CQAX (variant)

8.10710

F-Secure

Gen:Variant.Kazy.493242

11.2014-12-11_4

G Data

Gen:Variant.Kazy.493242

14.11.24

Malwarebytes

Trojan.Agent

v2014.11.12.01

McAfee

MysticCompressor!FBCA66E32075

5600.6949

MicroWorld eScan

Gen:Variant.Kazy.493242

15.0.0.948

Panda Antivirus

Trj/Genetic.gen

14.11.12.01

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Quick Heal

FraudTool.Security

11.14.14.00

Reason Heuristics

Threat.Win.Reputation.IMP

14.11.28.15

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.141110

VIPRE Antivirus

Threat.4150696

34232

File size:

274.6 KB (281,214 bytes)

Product version:

2.47.23051.45480

Original file name:

bandicore.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\kiywrio\roxyir.exe

File PE Metadata

Compilation timestamp:

6/3/2010 12:52:33 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

CTPH (ssdeep):

6144:Ity/2JaJsjq8+2xZBSBYoT+daxOqAa7Pzx9gyyhBDwF7ui/EFx:It02ow+gZUBYoTROqAB1q7u7L

Entry address:

0x1063C

Entry point:

55, 8B, EC, 81, EC, 30, 01, 00, 00, 8B, 05, 70, 30, 42, 00, 68, 00, 2D, 5C, 5C, E8, 8B, 20, 00, 00, 83, C4, 04, 53, 8B, 0D, B4, 30, 42, 00, EB, 0E, B8, E7, 00, 00, 00, 83, E8, DE, 89, 85, 48, FF, FF, FF, 56, 89, 85, 70, FF, FF, FF, 57, BF, 53, 00, 00, 00, 6A, 43, 6A, 76, 6A, E6, 6A, 7B, 57, E8, 71, 1B, 00, 00, 83, C4, 14, 33, F8, BA, FF, 53, 00, 00, F7, C7, 5C, 00, 00, 00, 74, 68, 81, F7, 00, 01, 20, 80, 8B, 95, 70, FF, FF, FF, 68, 00, 15, 57, CC, E8, 66, 28, 00, 00, 83, C4, 04, 3D, 54, 03, 00, 00, 75, 48... 
[+]

Entropy:

7.8955

Developed / compiled with:

Microsoft Visual C++

Code size:

124 KB (126,976 bytes)

Scheduled Task

Task name:

Security Center Update - 3972408221

Trigger:

Daily (Runs daily at 2:00:00 PM)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to syd01s18-in-f13.1e100.net (74.125.237.173:80)

TCP (HTTP):

Connects to syd01s13-in-f28.1e100.net (74.125.237.156:80)

TCP (HTTP):

Connects to s-prd-umpxl-adcom_nwa_blue.evip.aol.com (149.174.67.73:80)

TCP (HTTP):

Connects to pr.pbp.vip.jp3.yahoo.com (183.177.86.125:80)

TCP (HTTP):

Connects to ny1-g007.intellitxt.com (199.16.172.17:80)

TCP (HTTP):

Connects to mpr2.ngd.vip.sg3.yahoo.com (106.10.198.32:80)

TCP (HTTP):

Connects to media-ams5.vcmedia.com (63.215.202.65:80)

TCP (HTTP):

Connects to mallet9.wikipolo.com (46.244.10.228:80)

TCP:

Connects to li727-209.members.linode.com (23.239.21.209:8007)

TCP (HTTP):

Connects to float.617.bm-impbus.prod.nym2.adnexus.net (68.67.152.152:80)

TCP (HTTP):

Connects to float.475.bm-impbus.prod.nym2.adnexus.net (68.67.152.237:80)

TCP (HTTP):

Connects to float.2259.bm-impbus.prod.nym2.adnexus.net (68.67.153.155:80)

TCP (HTTP):

Connects to float.2203.bm-impbus.prod.nym2.adnexus.net (68.67.153.207:80)

TCP (HTTP):

Connects to float.2075.bm-impbus.prod.nym2.adnexus.net (68.67.153.193:80)

TCP (HTTP):

Connects to float.2062.bm-impbus.prod.nym2.adnexus.net (68.67.153.174:80)

TCP (HTTP):

Connects to float.2047.bm-impbus.prod.nym2.adnexus.net (68.67.153.41:80)

TCP (HTTP):

Connects to float.1880.bm-impbus.prod.sin1.adnexus.net (103.243.222.40:80)

TCP (HTTP):

Connects to float.1868.bm-impbus.prod.nym2.adnexus.net (68.67.153.38:80)

TCP (HTTP):

Connects to float.1360.bm-impbus.prod.nym2.adnexus.net (68.67.152.56:80)

TCP (HTTP):

Connects to float.1249.bm-impbus.prod.nym2.adnexus.net (68.67.152.114:80)

Remove roxyir.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.