» sexymligofpe.exe
Overview
Analysis
File Details
Behaviors (1)
Network (48)

sexymligofpe.exe

The executable sexymligofpe.exe has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘sexymligofpe’. While running, it connects to the Internet address m.disneyworld.go.com on port 80 using the HTTP protocol.

File name:

sexymligofpe.exe

MD5:

24fef39706cbc96c883a5052bcc9123d

SHA-1:

c05af878831d49150c7f222ff7df910bb5763d9d

SHA-256:

1d5351691b1570493885fa7cc71660d45c355eceb9c43a7db7e6974df2bf7784

Scanner detections:

3 / 68

Status:

Malware

Analysis date:

11/22/2024 9:00:19 PM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:Evo-gen [Susp]

160905-0

Dr.Web

BackDoor.Bulknet.893

9.0.1.05190

ESET NOD32

Win32/Kryptik.BMDG trojan

6.3.12010.0

File size:

38.5 KB (39,424 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\ania\sexymligofpe.exe

File PE Metadata

Compilation timestamp:

3/24/2007 2:02:34 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

5.12

CTPH (ssdeep):

768:pcqYj2vE49Df6e8SOHc9M1uNT5y4HRQByXDHs:WqRvd1uHcC0hxQB8DHs

Entry address:

0x15E5

Entry point:

85, C0, 33, C0, 50, 68, CE, 12, 10, 08, 50, 68, F0, 57, 00, 00, 50, 68, 59, 14, 10, 08, E8, 1A, 00, 00, 00, 68, BE, 12, 10, 08, 50, E8, 0B, FC, FF, FF, FF, D0, CC, FF, 25, 10, 20, 10, 08, FF, 25, 0C, 20, 10, 08, FF, 25, 04, 20, 10, 08, FF, 25, 00, 20, 10, 08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Code size:

2 KB (2,048 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

sexymligofpe

Command:

C:\users\ania\sexymligofpe.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to freedomfordinc.com (67.192.6.123:80)

TCP (HTTP):

Connects to ec2-52-72-247-91.compute-1.amazonaws.com (52.72.247.91:80)

TCP (HTTP):

Connects to manage.embarq.synacor.com (69.168.97.85:80)

TCP (HTTP):

Connects to iprimus.ad.internal (202.136.40.35:80)

TCP (HTTP):

Connects to www.mweb.co.za (196.2.63.110:80)

TCP (HTTP):

Connects to mail.cableweb3.ca (50.21.229.37:80)

TCP (HTTP):

Connects to m.disneyworld.go.com (199.181.132.250:80)

TCP (HTTP):

Connects to ec2-52-48-121-111.eu-west-1.compute.amazonaws.com (52.48.121.111:80)

TCP (SMTP):

Connects to www2.windstream.net (162.39.145.20:25)

TCP (HTTP):

Connects to www.nettally.com (199.44.82.1:80)

TCP (HTTP):

Connects to www.ncable.net.au (203.208.88.59:80)

TCP (HTTP):

Connects to w2.src.vip.gq1.yahoo.com (98.137.236.150:80)

TCP (SMTP):

Connects to uplink-pop1.mindspring.com (207.69.200.195:25)

TCP (SMTP):

Connects to smtpsvc2.mindspring.com (207.69.189.22:25)

TCP (HTTP):

Connects to s-hostheader-mtc-a.evip.aol.com (64.12.249.135:80)

TCP (HTTP):

Connects to ec2-52-31-224-138.eu-west-1.compute.amazonaws.com (52.31.224.138:80)

TCP (SMTP):

Connects to ec2-52-209-86-124.eu-west-1.compute.amazonaws.com (52.209.86.124:25)

TCP (HTTP):

Connects to ec2-35-165-97-85.us-west-2.compute.amazonaws.com (35.165.97.85:80)

TCP (HTTP):

Connects to bassettweb.beacontec.com (216.54.174.228:80)

TCP (HTTP):

Connects to american.edu (147.9.4.186:80)

Remove sexymligofpe.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.