wimip.exe

The executable wimip.exe, “рռդдբйնচжсфўխззрնтռբзшжтհবচсցжբттзтржհфֆ” has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘fa9223bf4aae97e7bb4a6769605c500d’. The file has been seen being downloaded from 73616081-509517242719949032.preview.editmysite.com and multiple other hosts.
Publisher:
Ḕ革еẦ与оҍω事Ḇώа与аい予うώҍ与Ḇобうώртҍ革мтうтḔолこḔ事Ф

Product:
ןעואןןבוךבוןלילרעןאורבללךיהברודלןשהךידיג

Description:
рռդдբйնচжсфўխззрնтռբзшжтհবচсցжբттзтржհфֆ

Version:
1.0.0.0

MD5:
6cc325deaa3fe3626809d2619e71b7c4

SHA-1:
241081caa27204b5dca4d1c2545b5296cce8f04b

SHA-256:
15609cafc821f64bed89835ff9ef22b28767d1b491899f8431f8224e96f6016c

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
2/25/2025 1:26:55 PM UTC

Scan engine  | Detection                  | Engine version
-------------|----------------------------|---------------
avast!       | MSIL:GenMalicious-W [Trj]  | 160211-0
ESET NOD32   | MSIL/Kryptik.DVI trojan    | 7.0.302.0

File size:
308 KB (315,392 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © اقشخثيزيرءلغقلجثكثتعنشعمنيحهزعهنةاعافازث 2015

Trademarks:
יתתאבחלאיבאהרןאבהגבאילאבואלישאתחלהאנןןחע

Original file name:
DoAli.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\wimip.exe

File PE Metadata
Compilation timestamp:
2/11/2016 7:37:13 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:y/bHm0/C3+8giGmmCiXEV3t+05PSBlNN:y/bGO+xGm1V3t+05P

Entry address:
0x4DFDE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D1, EC, BB, 56, 00, 00, 00, 00, 02, 00, 00, 00, 6E, 00, 00, 00, 1C, E0, 04, 00, 1C, C4, 04, 00, 52, 53, 44, 53, 4A, 2F, A2, 70, BC, A3, 31, 4E, 9B, 56, 65, 2D, 0E, E1, 75, 9B, 01, 00, 00, 00, 43, 3A, 5C, 44, 6F, 63, 75, 6D, 65, 6E, 74, 73, 20, 61, 6E, 64, 20, 53, 65, 74, 74, 69, 6E, 67, 73, 5C, 41, 64, 6D, 69, 6E, 69, 73, 74, 72, 61, 74, 6F, 72, 5C, D8, B3...

Entropy:
5.8922

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
304 KB (311,296 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
fa9223bf4aae97e7bb4a6769605c500d

Command:
"C:\users\{user}\appdata\roaming\wmipvse.exe"..


The file wimip.exe has been seen being distributed by the following 2 URLs.

Remove wimip.exe - Powered by Reason Core Security