roxyir.exe

Nobemame Corporatu

The executable roxyir.exe has been detected as malware by 20 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time.
Publisher:
Nobemame Corporatu

Version:
2.47.23051.45480

MD5:
fbca66e32075335aed7fe83d75f60aa7

SHA-1:
681e4c0b2af9debc4c3294ecc04286573d389741

SHA-256:
274b2b6def6fd870f6bf1438e749dc5a63f95617138eb830c0bea4540c474658

Scanner detections:
20 / 68

Status:
Malware

Analysis date:
12/26/2024 7:47:24 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.493242 | 815
Avira AntiVirus | TR/Dropper.Gen | 7.11.30.172
avast! | Win32:Dropper-gen [Drp] | 141025-0
AVG | Win32/Cryptor | 2014.0.4189
Bitdefender | Gen:Variant.Kazy.493242 | 1.0.20.1580
Bkav FE | HW32.Packed | 1.3.0.4959
Comodo Security | TrojWare.Win32.Kryptik.ABFW | 20061
Emsisoft Anti-Malware | Gen:Variant.Kazy.493242 | 8.14.11.12.01
ESET NOD32 | Win32/Kryptik.CQAX (variant) | 8.10710
F-Secure | Gen:Variant.Kazy.493242 | 11.2014-12-11_4
G Data | Gen:Variant.Kazy.493242 | 14.11.24
Malwarebytes | Trojan.Agent | v2014.11.12.01
McAfee | MysticCompressor!FBCA66E32075 | 5600.6949
MicroWorld eScan | Gen:Variant.Kazy.493242 | 15.0.0.948
Panda Antivirus | Trj/Genetic.gen | 14.11.12.01
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Quick Heal | FraudTool.Security | 11.14.14.00
Reason Heuristics | Threat.Win.Reputation.IMP | 14.11.28.15
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.141110
VIPRE Antivirus | Threat.4150696 | 34232

File size:
274.6 KB (281,214 bytes)

Product version:
2.47.23051.45480

Original file name:
bandicore.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\kiywrio\roxyir.exe

File PE Metadata
Compilation timestamp:
6/3/2010 12:52:33 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

CTPH (ssdeep):
6144:Ity/2JaJsjq8+2xZBSBYoT+daxOqAa7Pzx9gyyhBDwF7ui/EFx:It02ow+gZUBYoTROqAB1q7u7L

Entry address:
0x1063C

Entry point:
55, 8B, EC, 81, EC, 30, 01, 00, 00, 8B, 05, 70, 30, 42, 00, 68, 00, 2D, 5C, 5C, E8, 8B, 20, 00, 00, 83, C4, 04, 53, 8B, 0D, B4, 30, 42, 00, EB, 0E, B8, E7, 00, 00, 00, 83, E8, DE, 89, 85, 48, FF, FF, FF, 56, 89, 85, 70, FF, FF, FF, 57, BF, 53, 00, 00, 00, 6A, 43, 6A, 76, 6A, E6, 6A, 7B, 57, E8, 71, 1B, 00, 00, 83, C4, 14, 33, F8, BA, FF, 53, 00, 00, F7, C7, 5C, 00, 00, 00, 74, 68, 81, F7, 00, 01, 20, 80, 8B, 95, 70, FF, FF, FF, 68, 00, 15, 57, CC, E8, 66, 28, 00, 00, 83, C4, 04, 3D, 54, 03, 00, 00, 75, 48...
 

Entropy:
7.8955

Developed / compiled with:
Microsoft Visual C++

Code size:
124 KB (126,976 bytes)

Scheduled Task
Task name:
Security Center Update - 3972408221

Trigger:
Daily (Runs daily at 2:00:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.


Remove roxyir.exe - Powered by Reason Core Security