server.exe

Aruba

The executable server.exe has been detected as malware by 17 anti-virus scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from www.msil.pw.
Publisher:
028ad  (signed by Aruba)

Product:
028ad

Version:
0.0.0.0

MD5:
4d63651df1361b21058338888271ebc6

SHA-1:
73007617554899c26e1388a8dc78f6e0e8e20224

SHA-256:
b011e431f8959f296b1d4d7509bcb0462fabce46a6c744e7f5b8cd87d6d2ae27

Scanner detections:
17 / 68

Status:
Malware

Analysis date:
11/27/2024 4:44:16 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKDZ.27589
602

AhnLab V3 Security
Trojan/Win32.MDA
2015.06.05

Avira AntiVirus
TR/Dropper.Gen
8.3.1.6

Arcabit
Trojan.Generic.D6BC5
1.0.0.425

avast!
Win32:Evo-gen [Susp]
2014.9-150613

AVG
MSIL7
2016.0.3080

Bitdefender
Trojan.GenericKDZ.27589
1.0.20.820

Dr.Web
Trojan.DownLoader12.52144
9.0.1.0164

Emsisoft Anti-Malware
Trojan.GenericKDZ.27589
8.15.06.13.08

ESET NOD32
MSIL/Injector.FPT (variant)
9.11737

F-Secure
Trojan.GenericKDZ.27589
11.2015-13-06_7

G Data
Trojan.GenericKDZ.27589
15.6.25

IKARUS anti.virus
Trojan.MSIL.Injector
t3scan.1.9.5.0

Malwarebytes
Trojan.MSIL
v2015.06.13.08

MicroWorld eScan
Trojan.GenericKDZ.27589
16.0.0.492

nProtect
Trojan.GenericKDZ.27589
15.06.04.01

Rising Antivirus
PE:Trojan.MSIL.Injector!1.9E1B
23.00.65.15611

File size:
226.8 KB (232,216 bytes)

Product version:
0.0.0.0

Copyright:
Copyright © 2015

Original file name:
0709414001433471794.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\server.exe

Digital Signature
Signed by:

Authority:
Aruba

Valid from:
5/2/2015 6:35:12 PM

Valid to:
5/1/2016 6:35:12 PM

Subject:
E=N@A.com, CN=www.cdcert.caked, OU=Aruba, L=Aruba, O=Aruba, S=American, C=aw

Issuer:
E=N@A.com, CN=www.cdcert.caked, OU=Aruba, L=Aruba, O=Aruba, S=American, C=aw

Serial number:
00

File PE Metadata
Compilation timestamp:
6/5/2015 4:39:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:625SzRrO35PCnLBtKN8h4euronWNtEdjTjSRk:f5SzRrO0nXKqqeur

Entry address:
0xE53E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
50 KB (51,200 bytes)

The file server.exe has been seen being distributed by the following URL.

Remove server.exe - Powered by Reason Core Security