vistadrive.exe

The executable vistadrive.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘VistaDrive’. While running, it connects to the Internet address apache2-yak.zarniwoop.dreamhost.com on port 80 using the HTTP protocol.
Version:
3, 1, 1, 0

MD5:
6c141992e04027c389d75d4ae5e5993d

SHA-1:
c38a025e4c3527437409bfa2c2ba35235a93807c

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
2/26/2025 10:17:16 AM UTC

Scan engine          Detection                Engine version
Reason Heuristics    Trojan.VistaDrive (M)    17.3.2.14

File size:
348.2 KB (356,555 bytes)

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\windows\vistadrive\vistadrive.exe

File PE Metadata
Compilation timestamp:
4/6/2005 9:50:22 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x7A1C0

Entry point:
0F, AF, F8, 3A, FE, BE, 50, 16, EE, 72, 88, DA, F3, 0A, F3, FF, C5, 89, C7, 78, 02, FF, C0, 69, C8, A2, E7, 86, A4, E8, 00, 00, 00, 00, 0F, BE, D9, 15, 80, 51, 52, E1, 0F, BF, FD, 0F, AF, C7, 33, C8, BF, 8F, 21, C8, EA, 32, E0, 1C, 21, 8D, 2D, 6A, BF, FF, F3, 20, EF, 25, 34, B9, 57, 2B, FF, CD, B3, 3F, 0F, BE, F6, 8D, 1D, E5, 1F, 38, 9B, 6B, FF, 00, 4D, 4E, 81, EF, 67, FD, FF, FF, 14, 31, 81, F7, DC, 0D, 00, 00, 1D, BB, A0, B7, 8A, 0F, B6, DB, 84, DD, B1, 20, 8B, CA, 89, FD, 46, 88, C1, 4D, 86, F1, 80, F2...

Code size:
112 KB (114,688 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
VistaDrive

Command:
C:\windows\vistadrive\vistadrive.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTP):
Connects to tiki.trunkoz.com  (103.14.97.123:80)

TCP (HTTP):
Connects to server250.net217.intbildns.org  (185.126.217.250:80)

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)

Remove vistadrive.exe - Powered by Reason Core Security