trojan.exe

The executable trojan.exe has been detected as malware by 30 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘5cd8f17f4086744065eb0992a09e05a2’. This backdoor trojan may be used to conduct distributed denial-of-service attacks, to install additional trojans or other malicious software, and to steal sensitive information. While running, it connects to the Internet address redirector-ash.enom.com on port 1177.
MD5:
94e5611c84e75f1e347f637fffbde42b

SHA-1:
f7f56487e80f4f05cc6072748570b60cd718e112

SHA-256:
868749efce0c4662eb527741f18d70e8cae380ea706e603c5bf3dd19ff0e0379

Scanner detections:
30 / 68

Status:
Malware

Analysis date:
11/27/2024 1:54:04 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Barys.13813 | 1062
AhnLab V3 Security | Trojan/Win32.Bladabindi | 2014.03.10
Avira AntiVirus | TR/Spy.Gen8 | 7.11.135.228
avast! | MSIL:Agent-ANE [Trj] | 2014.9-140309
AVG | MSIL | 2015.0.3540
Bitdefender | Gen:Variant.Barys.13813 | 1.0.20.340
Clam AntiVirus | WIN.Trojan.Bladabindi-1 | 0.98/18355
Comodo Security | TrojWare.MSIL.Bladabindi.O | 17907
Dr.Web | Win32.HLLW.Autoruner.25074 | 9.0.1.068
Emsisoft Anti-Malware | Gen:Variant.Barys.13813 | 8.14.03.09.09
ESET NOD32 | MSIL/Bladabindi (variant) | 8.9520
Fortinet FortiGate | MSIL/Agent.PPW!tr | 3/9/2014
F-Prot | W32/MSIL_Troj.AP.gen | v6.4.7.1.166
F-Secure | Gen:Variant.Barys.12841 | 11.2014-09-03_1
G Data | Gen:Variant.Barys.12841 | 14.3.24
IKARUS anti.virus | Win32.SuspectCrc | t3scan.2.2.29
K7 AntiVirus | Trojan | 13.176.11378
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.4196
Malwarebytes | Backdoor.Agent.TRJ | v2014.03.09.09
McAfee | Trojan-FAUE!94E5611C84E7 | 5600.7196
Microsoft Security Essentials | Backdoor:MSIL/Bladabindi.AA | 1.10302
MicroWorld eScan | Gen:Variant.Barys.13813 | 15.0.0.204
Norman | Bladabindi.HY | 11.20140309
Qihoo 360 Security | Malware.QVM03.Gen | 1.0.0.1015
Quick Heal | Trojan.Bladabindi.B3 | 3.14.12.00
Rising Antivirus | PE:Backdoor.MSIL.Bladabindi!1.9DE6 | 23.00.65.14307
Sophos | Troj/MSIL-HX | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-MSIL | 10737
Trend Micro | BKDR_BLADABI.SMC | 10.465.09
VIPRE Antivirus | Trojan.MSIL.Bladabindi.be | 27248

File size:
43.5 KB (44,544 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\trojan.exe

File PE Metadata
Compilation timestamp:
2/7/2014 7:26:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:ZHC37uUyNOHIH8eGPIsmn7ecgO542+02xV:QsQoHom7ebe42cV

Entry address:
0xC41E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.5787

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
41.5 KB (42,496 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
5cd8f17f4086744065eb0992a09e05a2

Command:
"C:\users\{user}\appdata\local\temp\trojan.exe"

The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to redirector-ash.enom.com (98.124.198.1:1177)

Remove trojan.exe - Powered by Reason Core Security