weekfqwb.exe

Ypicup Yiwekmabi Po

The application weekfqwb.exe by Ypicup Yiwekmabi Po has been detected as a potentially unwanted program by 6 anti-malware scanners. It runs as a Windows service named “daugava Updater” in its own separate process. This component is designed to hijack the browser: it attempts to prevent other software from modifying the browser's search and home page settings. While running, it connects to the Internet address vip154.ssl.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Ypicup Yiwekmabi Po  (signed and verified)

MD5:
7766faa51040aa5923496dde8f59f8b4

SHA-1:
2e7416fad90641b0914d9d2cea0460b642944cf1

SHA-256:
178c53baee26cc5a2b7fd1eeffdb79679671c60b499ee5bb0a693e200555afcb

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 5:46:48 PM UTC

Scan engine          Detection                      Engine version
Avira AntiVirus      TR/Trash.Gen                   8.3.1.6
IKARUS anti.virus    PUA.SearchProtect              t3scan.1.9.5.0
Kaspersky            Packed.Win32.Krap              14.0.0.1504
Panda Antivirus      Trj/Genetic.gen                15.07.27.04
Reason Heuristics    Threat.Win.Reputation.IMP      15.7.27.16
VIPRE Antivirus      Backdoor.Win32.Bifrose.fsi     42516

File size:
169.2 KB (173,216 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\daugava\weekfqwb.exe

Digital Signature
Authority:
Ypicup Yiwekmabi Po

Valid from:
7/21/2015 6:33:59 AM

Valid to:
7/20/2016 6:33:59 AM

Subject:
CN=Eys Nijpi, O=Ypicup Yiwekmabi Po, L=Gitjinge, S=Rogfe, C=GB

Issuer:
CN=Toqa Lionb, O=Ypicup Yiwekmabi Po, L=Gitjinge, S=Rogfe, C=GB

Serial number:
01

File PE Metadata
Compilation timestamp:
7/22/2015 10:49:49 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:CDmEWR34PYCt74XdXOLPee0x7Y+rc+vvLflodepjTcKz:gmEGOL4x0U79odwHcKz

Entry address:
0xD329

Entry point:
E8, 95, 4E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 9C, 48, 42, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, E8, 30, 42, 00, 01, 0F, 82, C3, 4F, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10...

Entropy:
5.9498

Code size:
103.5 KB (105,984 bytes)

Service
Display name:
daugava Updater

Type:
Win32OwnProcess
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to vip154.ssl.hwcdn.net  (205.185.208.154:80)

TCP (HTTP):
Connects to vip011.ssl.hwcdn.net  (205.185.208.11:80)
