win32.exe

isfast

The executable win32.exe has been detected as malware by 4 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘win32’. While running, it connects to the Internet address 65-254-227-224.yourhostingaccount.com on port 80 using the HTTP protocol.
Publisher:
Microsoft*  (Invalid match)

Product:
isfast

Version:
1.00

MD5:
8f807db31340febb785baadb3d79d48a

SHA-1:
43612888a538c079a2f9bb990e6be1a795dd01ce

SHA-256:
3c12ae526748333c01174527999002ad26684707b634ea227848946c138e3eea

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
11/6/2024 12:39:18 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
HW32.Packed
1.3.0.8383

ESET NOD32
Win32/TrojanClicker.VB.OIY (variant)
10.14143

Panda Antivirus
Trj/GdSda.A
16.09.21.11

Qihoo 360 Security
HEUR/QVM03.0.0000.Malware.Gen
1.0.0.1120

File size:
652 KB (667,648 bytes)

Product version:
1.00

Original file name:
win32.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\win32\win32.exe

File PE Metadata
Compilation timestamp:
9/11/2016 1:53:10 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:JIjmBzE+CEKDmyQVZrgnnFq4DRWQcCuP6lr9Fg4naJ:GjGnKDm6nFqWe9ilr9Fg4naJ

Entry address:
0x13E8

Entry point:
68, 10, B8, 49, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 68, 00, 00, 00, 38, 00, 00, 00, AE, 8D, C3, B1, 50, BC, C1, 4A, 87, BD, B5, 2C, A4, 63, 18, 19, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 20, 20, 34, 33, 32, 30, 69, 73, 66, 61, 73, 74, 00, 64, 79, 6F, 75, 20, 63, 61, 6E, 20, 73, 65, 65, 20, 69, 6E, 74, 65, 72, 6E, 65, 74, 20, 77, 69, 74, 68, 20, 20, 61, 20, 6C, 6F, 74, 20, 6F, 66, 20, 62, 65, 6E, 65, 66, 69, 74, 00, 20, 0D, 0A, 20, 00, 00, 00, 00, FF, CC, 31, 00, 07, F5, 40, 7C...
 
[+]

Entropy:
7.8559

Developed / compiled with:
Microsoft Visual Basic v5.0/v6.0

Code size:
632 KB (647,168 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
win32

Command:
C:\windows\win32\win32.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 65-254-227-224.yourhostingaccount.com  (65.254.227.224:80)

TCP (HTTP):
Connects to ip-172-17-111-2.ec2.internal  (172.17.111.2:80)

Remove win32.exe - Powered by Reason Core Security