uvrst7omso.exe

Kkk963Jjj

The application uvrst7omso.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name 'NYhzfGV98d'. While running, it connects to the Internet address mess7.wizzlabs.com on port 80 using the HTTP protocol.
Product:
Kkk963Jjj

Version:
1.0.0.0

MD5:
6eefc8e0400b0d485430e0c9c7c95549

SHA-1:
262cf130f5eea10ec66adb036ff8db1d5903349c

SHA-256:
c117368b6d956c8fba4e8c1a5bfb55779d3fa9dc759eefb4f5b9baeaaa6eccb4

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 11:55:40 PM UTC

Scan engine:
ESET NOD32

Detection:
MSIL/Adware.CsdiMonetize.J application

Engine version:
6.3.12010.0

Scan engine:
F-Secure

Detection:
Trojan.GenericKD.4423796

Engine version:
5.15.154

Scan engine:
Reason Heuristics

Detection:
Adware.Monetize.ET (M)

Engine version:
17.2.17.10

File size:
432.5 KB (442,880 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2017

Original file name:
Kkk963Jjj.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\uvrst7omso.exe

File PE Metadata
Compilation timestamp:
2/17/2017 5:03:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
48.0

.NET CLR dependent:
Yes

Entry address:
0x5CD7A


Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
363.5 KB (372,224 bytes)

3 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NYhzfGV98d

Command:
"C:\users\{user}\appdata\local\temp\zsy4xpemrx.exe"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
2uoz0YzciZ

Command:
"C:\Program Files\l76zz8b86g\l76zz8b86.exe"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
vhgzxdW4ig

Command:
"C:\Program Files\oejt6lhyh1\oejt6lhyh.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mess3.wizzlabs.com  (176.31.252.54:80)

TCP (HTTP):
Connects to mess2.wizzlabs.com  (176.31.107.87:80)

TCP (HTTP):
Connects to mess7.wizzlabs.com  (188.165.210.24:80)

TCP (HTTP):
Connects to mess4.wizzlabs.com  (94.23.44.92:80)

TCP (HTTP):
Connects to mess6.wizzlabs.com  (188.165.209.131:80)

TCP (HTTP):
Connects to mess1.wizzlabs.com  (176.31.252.74:80)

TCP (HTTP):
Connects to mess5.wizzlabs.com  (176.31.106.195:80)

TCP (HTTP):
Connects to mess0.wizzlabs.com  (176.31.115.114:80)

Remove uvrst7omso.exe - Powered by Reason Core Security