win20f1.exe

The executable win20f1.exe has been detected as malware by 24 anti-virus scanners.
MD5:
082d9071deb3f1c770b0ba094dfce5ed

SHA-1:
5fb241113958e9fde9a5ce33001547179849eb2c

SHA-256:
96ef0dfdca9f0224acffac40326a71703f96c3ae7221b628641d624976ef7554

Scanner detections:
24 / 68

Status:
Malware

Analysis date:
12/25/2024 6:28:51 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Symmi.38607 | 1056 |
| AhnLab V3 Security | Trojan/Win32.Trojan Horse | 2014.02.09 |
| Avira AntiVirus | DR/Delphi.A.2754 | 7.11.130.82 |
| avast! | Win32:Dropper-gen [Drp] | 2014.9-140315 |
| AVG | Agent4 | 2015.0.3534 |
| Baidu Antivirus | Trojan.Win32.Agent | 4.0.3.14315 |
| Bitdefender | Gen:Variant.Symmi.38607 | 1.0.20.370 |
| Comodo Security | UnclassifiedMalware | 17761 |
| Emsisoft Anti-Malware | Gen:Variant.Symmi.38607 | 8.14.03.15.06 |
| ESET NOD32 | Win32/Agent.QDL | 8.9401 |
| Fortinet FortiGate | W32/Agent.QDL!tr | 3/15/2014 |
| F-Secure | Gen:Variant.Symmi.38607 | 11.2014-15-03_7 |
| G Data | Gen:Variant.Symmi.38607 | 14.3.24 |
| Malwarebytes | Trojan.Downloader.ED | v2014.03.15.06 |
| McAfee | RDN/Generic.bfr!fs | 5600.7190 |
| Microsoft Security Essentials | Trojan:Win32/Tesch.B | 1.165.247.01 |
| MicroWorld eScan | Gen:Variant.Symmi.38607 | 15.0.0.222 |
| NANO AntiVirus | Trojan.Win32.Delphi.ctacwy | 0.28.0.57630 |
| Norman | Troj_Generic.SJRCE | 11.20140315 |
| Panda Antivirus | Trj/CI.A | 14.03.15.06 |
| Sophos | Mal/Generic-S | 4.97 |
| Trend Micro House Call | TROJ_GEN.R01TC0PB214 | 7.2.74 |
| Trend Micro | TROJ_GEN.R01TC0PB214 | 10.465.15 |
| VIPRE Antivirus | Trojan.Win32.Generic | 26314 |

File size:
166 KB (169,984 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\cyberlink\win20f1.exe

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
3072:nYiz3ubGtyEfzLrofPBQwUYS5kG33wgJGIVVJZlMbXo:nJvtyEL8FS59JJrDy

Entry address:
0x8C98

Entry point:
55, 8B, EC, 83, C4, E4, 53, 56, 57, 33, C0, 89, 45, E8, B8, 30, 8C, 40, 00, E8, CC, B8, FF, FF, BB, 38, E8, 40, 00, 33, C0, 55, 68, 30, C2, 40, 00, 64, FF, 30, 64, 89, 20, 33, C0, 89, 05, B0, E7, 40, 00, C7, 05, B4, E7, 40, 00, 00, 00, F0, 3F, 33, C0, 89, 05, B8, E7, 40, 00, C7, 05, BC, E7, 40, 00, 00, 00, F0, 3F, C6, 05, C0, E7, 40, 00, 7F, C6, 05, C1, E7, 40, 00, 7F, B8, C4, E7, 40, 00, E8, 59, A9, FF, FF, 33, C0, A3, C8, E7, 40, 00, 66, C7, 05, CC, E7, 40, 00, 47, 01, B8, D0, E7, 40, 00, E8, 3F, A9, FF...
 

Entropy:
6.4303

Developed / compiled with:
Microsoft Visual C++

Code size:
45 KB (46,080 bytes)

The executing file has been seen to make the following network communications in live environments.
