usetting.exe

Salih DEMIRGAN

The executable usetting.exe has been detected as malware by 9 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘usetting’. While running, it connects to the Internet address ip.sistem724.com.tr on port 80 using the HTTP protocol.
Publisher:
Salih DEMIRGAN  (signed and verified)

MD5:
7b38319d5122af4aa2c62e8f8b94d8ff

SHA-1:
ac3a132aee36a96ef7c50e640121bdb584c2def7

SHA-256:
82374726f0076946441e13c4d2e6a2483772f7b824306dcda056bb17008a8408

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
12/26/2024 3:29:15 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Graftor.140287
7.11.170.102

avast!
Win32:Malware-gen
2014.9-140912

AVG
Salih
2015.0.3353

G Data
Win32.Trojan.Agent.HAFXDT
14.9.24

McAfee
RDN/Generic.hra!ca
5600.7009

NANO AntiVirus
Trojan.Win32.Graftor.deamgm
0.28.2.61942

Norman
Salih.A
11.20140912

Qihoo 360 Security
Win32/Trojan.fe5
1.0.0.1015

VIPRE Antivirus
Trojan.Win32.Generic
32750

File size:
845.5 KB (865,744 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\usetting.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
11/20/2013 2:00:00 AM

Valid to:
11/21/2014 1:59:59 AM

Subject:
CN=Salih DEMIRGAN, O=Salih DEMIRGAN, STREET=Abdül Aziz Mh. Şirin Hanım Sk. No:19, L=Konya, S=Meram, PostalCode=n-a, C=TR

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D93C4C5A7797EED44FF4F38F7E699B06

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:UqHZlcW+4Q+8g5mHC4Kl7mroUuFmd7ALEXE4BNo:Uq5lQgsNY7m8UuElALEX1No

Entry address:
0x210D10

Entry point:
60, BE, 00, 90, 55, 00, 8D, BE, 00, 80, EA, FF, C7, 87, A0, 20, 19, 00, 25, 11, D3, 08, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
736 KB (753,664 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
usetting

Command:
C:\Program Files\usetting.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip.sistem724.com.tr  (91.191.172.102:80)

Remove usetting.exe - Powered by Reason Core Security