» syslog_upgrade.exe
Overview
Analysis
File Details
Behaviors (6)
Network (1)

syslog_upgrade.exe

OOO

The application syslog_upgrade.exe by OOO has been detected as adware by 18 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler named syslog triggered daily at a specified time. While running, it connects to the Internet address static.174.43.9.5.clients.your-server.de on port 80 using the HTTP protocol.

File name:

syslog_upgrade.exe

Publisher:

OOO (signed and verified)

MD5:

c4280633507a0354aa88ac9d78e7e544

SHA-1:

b135de4f2001050d3eaa18238fe67cf6c233e747

SHA-256:

aa2854daba94cbeb7f58f07e46b89a41174aebbb98508e92f3cf024d641c763f

Scanner detections:

18 / 68

Status:

Adware

Analysis date:

11/29/2024 10:30:23 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Symmi.41078

-40

AhnLab V3 Security

Adware/Win32.AdLoad.C1833450

3.8.3.16

Arcabit

Trojan.Symmi.DA076

1.0.0.802

Baidu Antivirus

Win32.Trojan.Kryptik

4.0.3.17315

Bitdefender

Gen:Variant.Symmi.41078

1.0.20.370

Comodo Security

TrojWare.Win32.AdLoad.BA

26759

Dr.Web

Trojan.LoadMoney.2155

9.0.1.074

Emsisoft Anti-Malware

Gen:Variant.Symmi.41078

8.17.03.15.01

ESET NOD32

Win32/Kryptik.FNRM (variant)

11.15091

Fortinet FortiGate

W32/Kryptik.FNRM!tr

3/15/2017

F-Secure

Gen:Variant.Symmi.41078

11.2017-15-03_4

G Data

Gen:Variant.Symmi.41078

17.3.A:25.11192B:25.9090

McAfee

PUP-FQH

5600.6094

MicroWorld eScan

Gen:Variant.Symmi.41078

18.0.0.222

Panda Antivirus

Trj/Genetic.gen

17.03.15.01

Qihoo 360 Security

HEUR/QVM07.1.0000.Malware.Gen

1.0.0.1120

Rising Antivirus

Trojan.Kryptik!1.A8FD (classic)

23.00.65.17313

VIPRE Antivirus

LooksLike.Win32.Upatre.mj

56662

File size:

769 KB (787,448 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Documents and Settings\{user}\Application data\syslog\syslog_upgrade.exe

Digital Signature

Signed by:

OOO

Subject:

CN="OOO ""KING REALTI""", O="OOO ""KING REALTI""", STREET="Lyusinovskaya Street, 72", L=Moscow, S=Moscow, PostalCode=115162, C=RU

Serial number:

18C5F13D0D9379C2F6D7B711F33AFE12

File PE Metadata

Compilation timestamp:

3/7/2017 8:29:24 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

Entry address:

0x16A2

Entry point:

55, 8B, EC, 6A, FF, 68, 40, 50, 41, 00, 68, 34, 36, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, C4, 30, 41, 00, 33, D2, 8A, D4, 89, 15, E4, 59, 4B, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, E0, 59, 4B, 00, C1, E1, 08, 03, CA, 89, 0D, DC, 59, 4B, 00, C1, E8, 10, A3, D8, 59, 4B, 00, 33, F6, 56, E8, FE, 1D, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, B0, 00, 00, 00, 59, 89, 75, FC, E8, 3E, 1C, 00, 00, FF, 15, C0, 30, 41, 00, A3, 24, 6F, 4B, 00, E8... 
[+]

Developed / compiled with:

Microsoft Visual C++ v6.0

Code size:

72 KB (73,728 bytes)

6 Scheduled Tasks

Task name:

syslog

Path:

C:\WINDOWS\Tasks\syslog.job

Trigger:

Daily (Runs daily at 16:45)

Task name:

FileSystemDriver

Trigger:

Time

Task name:

ComDev

Trigger:

Time

Task name:

indexer

Path:

C:\WINDOWS\Tasks\indexer.job

Trigger:

Daily (Runs daily at 16:46)

Task name:

PowerMonitor

Trigger:

Time

Task name:

wmipr

Trigger:

Time

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to static.174.43.9.5.clients.your-server.de (5.9.43.174:80)

Remove syslog_upgrade.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.