vafpuvygogug.exe

The executable vafpuvygogug.exe has been detected as malware by 34 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'vafpuvygogug'. While running, it connects to the Internet address mtaout-a-mtc-a.mx.aol.com on TCP port 25 (SMTP).
MD5: 68fc67605d94e96ebe128428c932f8f3
SHA-1: 5b1f8a2e4698243b84d1e91fc81ea5b831034671
SHA-256: 5ea71e57f67bff435146e7d1eeeb6602879b380cf7af6970bd3d1c05b20a59f4
Scanner detections: 34 / 68
Status: Malware
Analysis date: 12/25/2024 2:52:49 PM UTC

Scan engine | Detection | Engine version
--- | --- | ---
Lavasoft Ad-Aware | Trojan.Encpk.Gen.1 | 250
Agnitum Outpost | Trojan.Injector | 7.1.1
AhnLab V3 Security | Spyware/Win32.Zbot | 2014.11.06
Avira AntiVirus | TR/Spy.ZBot.rkhj | 7.11.183.118
avast! | Win32:Downloader-UMP [Trj] | 2014.9-160529
AVG | Generic9_c | 2017.0.2728
Baidu Antivirus | Backdoor.Win32.Androm | 4.0.3.16529
Bitdefender | Trojan.Encpk.Gen.1 | 1.0.20.750
Bkav FE | W32.Cloda58.Trojan | 1.3.0.4959
Comodo Security | TrojWare.Win32.Kryptik.BNDD | 20002
Dr.Web | Trojan.PWS.Stealer.3427 | 9.0.1.0150
Emsisoft Anti-Malware | Trojan.Encpk.Gen | 8.16.05.29.09
ESET NOD32 | Win32/Injector.AOVS (variant) | 10.10678
F-Secure | Trojan.Encpk.Gen.1 | 11.2016-29-05_1
G Data | Trojan.Encpk.Gen | 16.5.24
IKARUS anti.virus | Trojan-Downloader.Win32.Cutwail | t3scan.1.8.3.0
K7 AntiVirus | Trojan | 13.185.13888
Kaspersky | Backdoor.Win32.Androm | 14.0.0.135
Malwarebytes | Trojan.ModifiedUPX | v2016.05.29.09
McAfee | Artemis!68FC67605D94 | 5600.6384
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail | 1.11104
MicroWorld eScan | Trojan.Encpk.Gen.1 | 17.0.0.450
NANO AntiVirus | Trojan.Win32.DownLoader10.cthxny | 0.28.6.62995
Norman | Troj_Generic.QNAEB | 11.20160529
nProtect | Trojan.Encpk.Gen.1 | 14.11.05.01
Qihoo 360 Security | HEUR/Malware.QVM18.Gen | 1.0.0.1015
Quick Heal | Backdoor.Androm.r3 | 5.16.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.15EB9F03!367763203 | 23.00.65.16527
Sophos | Troj/Agent-ADBJ | 4.98
Trend Micro House Call | TSPY_ZBOT.SMAS | 7.2.150
Trend Micro | TSPY_ZBOT.SMAS | 10.465.29
Vba32 AntiVirus | BScope.Malware-Cryptor.MTA.2113 | 3.12.26.3
VIPRE Antivirus | TrojanPWS.Win32.Fareit.aa | 34552
Zillya! Antivirus | Backdoor.Androm.Win32.3799 | 2.0.0.1976

File size: 110.7 KB (113,310 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\toshiba\vafpuvygogug.exe

File PE Metadata
Compilation timestamp: 10/18/2013 2:33:19 AM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 2.50
CTPH (ssdeep): 3072:HUXU+6dI4Zn26CQ6zqw/MoutkqRHXPUqkmAmvDCw:0XIdJ19CeoSf8vmvmw
Entry address: 0x263E0

Entry point:
60, BE, 15, 90, 41, 00, 8D, BE, EB, 7F, FE, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, A7, 44, 02, 00, 57, 83, C3, 04, 53, 68, C1, D3, 00, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Entropy: 7.9492 (probably packed)
Code size: 56 KB (57,344 bytes)

Startup File (User Run)
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: vafpuvygogug
Command: C:\users\toshiba\vafpuvygogug.exe

The executable has been observed making the following network connections in live environments.

TCP (HTTP): server88-208-216-219.live-servers.net (88.208.216.219:80)
TCP (HTTP): aurora.impex.com.pl (213.241.14.50:80)
TCP (HTTP): yjh.hostposter.com (69.65.11.200:80)
TCP (HTTP): webserver.spider4web.it (95.110.203.75:80)
TCP (HTTP): redirect-v225.secureserver.net (184.168.47.225:80)
TCP (HTTP): no-ptr.easyvserver.com (62.233.105.171:80)
TCP (HTTP): Infotechcg.com (67.18.185.98:80)
TCP (HTTP): forward.ihs.com.tr (94.138.196.4:80)
TCP (HTTP): f5.69.c1ad.ip4.static.sl-reverse.com (173.193.105.245:80)
TCP (HTTP): 107.154.196.92.ip.incapdns.net (107.154.196.92:80)
TCP (HTTP): vsg01.hosting.west-webworld.com (185.13.64.99:80)
TCP (HTTP): url.hover.com (64.98.145.30:80)
TCP (HTTP): tina.juizi.com (176.9.137.238:80)
TCP (HTTP): static.204.11.36.74.adsweb.com (204.11.36.74:80)
TCP (SMTP): smtp1.sbc.mail.vip.ne1.yahoo.com (98.138.31.74:25)
TCP (SMTP): smtp1.sbc.mail.vip.bf1.yahoo.com (98.139.221.42:25)
TCP (HTTP): server88-208-252-9.fasthosts.net.uk (88.208.252.9:80)
TCP (HTTP): server.serbay.net (5.250.245.23:80)
TCP (HTTP): redirect2.proxy-ssl.webflow.com (34.193.69.252:80)
TCP (HTTP): ns344497.ip-178-33-227.eu (178.33.227.198:80)

Powered by Reason Core Security