tmpa247.exe

The executable tmpa247.exe has been detected as malware by 1 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name ‘Agworks’. While running, it connects to the Internet address vps80002.vpsville.ru on port 80 using the HTTP protocol.
MD5:
fcb02cba6461cfcd7fe35741b05873f4

SHA-1:
6ba1e9ec8ddd4638fa9197e8e5be2abfabafbe9d

SHA-256:
744abee86a52f17d88c0eb3fe38e9dcfeb11b825d976f2a29e486a1fd7782a42

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/2/2024 1:35:40 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Kovter

Engine version:
17.3.1.16

File size:
114.8 KB (117,561 bytes)

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\ProgramData\microsoft\performance\monitor\temp\tmpa247.exe

File PE Metadata
Compilation timestamp:
9/13/2013 8:24:21 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x5724

Entry point:
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, E8, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.2700

Code size:
32 MB (33,574,912 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Agworks

Command:
C:\users\{user}\appdata\local\agworks\tmpa247.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to static.44.110.243.136.clients.your-server.de  (136.243.110.44:443)

TCP (HTTP SSL):
Connects to cache.google.com  (66.171.92.108:443)

TCP (HTTP):
Connects to vps80002.vpsville.ru  (185.118.67.195:80)

TCP (HTTP):
Connects to a184-51-126-99.deploy.static.akamaitechnologies.com  (184.51.126.99:80)

TCP (HTTP SSL):
Connects to ve604.venus.fastwebserver.de  (89.163.140.97:443)

TCP (HTTP SSL):
Connects to static.45.110.243.136.clients.your-server.de  (136.243.110.45:443)

TCP (HTTP):
Connects to prod-hzeu-exebid-lba-5.dca-ops.tech  (213.239.222.23:80)

TCP (HTTP):
Connects to oneads-sspums-adtech-mtc-blue-b.evip.aol.com  (152.163.56.2:80)

TCP (HTTP):
Connects to a23-66-237-138.deploy.static.akamaitechnologies.com  (23.66.237.138:80)

TCP (HTTP):
Connects to 208.185.50.80.IPYX-063360-004-ZYO.zip.zayo.com  (208.185.50.80:80)

Remove tmpa247.exe - Powered by Reason Core Security