home

ueehasf.exe

WALISON BARBOSA 04293554165

The executable ueehasf.exe has been detected as malware by 4 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘22193B34524451523B2C4E48524452’. While running, it connects to the Internet address 200-147-99-138.static.uol.com.br on port 443.
Publisher:
WALISON BARBOSA 04293554165  (signed and verified)

MD5:
913cd5d3a37f17eea126651462f4f90f

SHA-1:
f802b5391a3e78c67ee77f7b472f0e4515f19f68

SHA-256:
eaa457201ce9e97888adfe59ea1469d3424a7a51dde55a370e9e69d81e83a030

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
11/23/2024 5:57:35 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.PWS.Banker1.22465
9.0.1.05190

ESET NOD32
Win32/Spy.Banker.ACRS trojan
6.3.12010.0

F-Secure
Variant.Graftor.330068
5.16.24

Microsoft Security Essentials
TrojanSpy:Win32/Banker
1.237.1006.0

File size:
7.4 MB (7,707,624 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\ueehasf.exe

Digital Signature
Signed by:
WALISON BARBOSA 04293554165

Authority:
COMODO CA Limited

Valid from:
1/12/2017 9:00:00 PM

Valid to:
1/13/2018 8:59:59 PM

Subject:
CN=WALISON BARBOSA 04293554165, O=WALISON BARBOSA 04293554165, STREET=AV ANHANGUERA 7840 LOJA 119, L=GOIANIA, S=GOIAS, PostalCode=74.503-100, C=BR

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
753BAB040D3646BC92680D068B9C896D

File PE Metadata
Compilation timestamp:
1/31/2017 4:42:20 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x549318

Entry point:
55, 8B, EC, B9, 09, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 53, 56, B8, DC, 46, 93, 00, E8, 2D, 2E, AC, FF, 8B, 35, C0, 5C, A7, 00, 33, C0, 55, 68, 93, 94, 94, 00, 64, FF, 30, 64, 89, 20, 8D, 45, E4, E8, 85, 7C, B0, FF, FF, 75, E4, 8D, 45, E0, E8, DA, 76, B0, FF, FF, 75, E0, 8D, 45, DC, E8, 43, 75, B0, FF, FF, 75, DC, 8D, 45, D8, E8, 80, 75, B0, FF, FF, 75, D8, 8D, 45, D4, E8, 95, 76, B0, FF, FF, 75, D4, 8D, 45, D0, E8, 02, 7D, B0, FF, FF, 75, D0, 8D, 45, CC, E8, 83, 75, B0, FF, FF, 75, CC, 8D, 45, C8, E8...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
5.3 MB (5,535,744 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
22193B34524451523B2C4E48524452

Command:
C:\users\{user}\appdata\roaming\ueehasf.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to xx-fbcdn-shv-01-atl3.fbcdn.net  (31.13.65.7:80)

TCP (HTTP SSL):
Connects to uol.com.br.102.112.2o7.net  (63.140.61.132:443)

TCP (HTTP):
Connects to uol.com.br  (200.221.2.45:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-gru2.facebook.com  (31.13.85.36:443)

TCP (HTTP):
Connects to ec2-52-3-205-19.compute-1.amazonaws.com  (52.3.205.19:80)

TCP (HTTP):
Connects to bc.e5.2bd0.ip4.static.sl-reverse.com  (208.43.229.188:80)

TCP (HTTP):
Connects to bb7afa99.virtua.com.br  (187.122.250.153:80)

TCP (HTTP):
Connects to a23-4-43-27.deploy.static.akamaitechnologies.com  (23.4.43.27:80)

TCP (HTTP SSL):
Connects to a104-121-36-41.deploy.static.akamaitechnologies.com  (104.121.36.41:443)

TCP (HTTP SSL):
Connects to 200-147-99-138.static.uol.com.br  (200.147.99.138:443)

TCP (HTTP SSL):
Connects to 200-147-68-16.static.uol.com.br  (200.147.68.16:443)

TCP (HTTP):
Connects to 200-147-41-200.static.uol.com.br  (200.147.41.200:80)

TCP (HTTP):
Connects to 200-147-15-230.static.uol.com.br  (200.147.15.230:80)

Remove ueehasf.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.