vcheck.exe

WebGrabber Application

The application vcheck.exe, “WebGrabber MFC Application” has been detected as a potentially unwanted program by 4 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘vcheck’. While running, it connects to the Internet address ip-50-63-202-39.ip.secureserver.net on port 80 using the HTTP protocol.
Product:
WebGrabber Application

Description:
WebGrabber MFC Application

Version:
1, 0, 0, 1

MD5:
6ba770c8fe7bd0fcb17612f2ffd330ba

SHA-1:
155e539dc4bddbb6061127cb0d45ffa0e49ed3c3

SHA-256:
a6c1377f3f8170ac710b871ec982810dc814f1345134e2c6bb8340c1cc712fbc

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/2/2024 11:25:57 AM UTC  (today)

Scan engine
Detection
Engine version

Comodo Security
UnclassifiedMalware
18178

Dr.Web
Trojan.FakeAV.3748
9.0.1.0207

F-Secure
Trojan-Downloader:W32/AdwareSheriff.C
11.2014-26-07_7

NANO AntiVirus
Trojan.Win32.Download.chcjm
0.28.0.59492

File size:
380 KB (389,120 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright (C) 1999

Original file name:
WebGrabber.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\vcheck.exe

File PE Metadata
Compilation timestamp:
3/1/2011 7:10:58 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:9a5HQLC90Cjc8Voepho3gS9J8YfRjrXDpTQKAzTLjm0QBWQI6BmwD0Doja1I:98HQemeY3TvfRjrXQTLjm06WQbUoj

Entry address:
0x29E9C

Entry point:
E8, D6, CC, 00, 00, E9, 16, FE, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, DC, BA, 45, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, DC, BA, 45, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B...
 
[+]

Entropy:
6.3161

Code size:
284 KB (290,816 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
vcheck

Command:
"C:\users\{user}\appdata\local\temp\vcheck.exe"


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-50-63-202-39.ip.secureserver.net  (50.63.202.39:80)

Remove vcheck.exe - Powered by Reason Core Security