» win32.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

win32.exe

isfast

The executable win32.exe has been detected as malware by 4 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘win32’. While running, it connects to the Internet address 65-254-227-224.yourhostingaccount.com on port 80 using the HTTP protocol.

File name:

win32.exe

Publisher:

Microsoft* (Invalid match)

Product:

isfast

Version:

1.00

MD5:

8f807db31340febb785baadb3d79d48a

SHA-1:

43612888a538c079a2f9bb990e6be1a795dd01ce

SHA-256:

3c12ae526748333c01174527999002ad26684707b634ea227848946c138e3eea

Scanner detections:

4 / 68

Status:

Malware

Analysis date:

11/24/2024 3:36:13 AM UTC (today)

Scan engine

Detection

Engine version

Bkav FE

HW32.Packed

1.3.0.8383

ESET NOD32

Win32/TrojanClicker.VB.OIY (variant)

10.14143

Panda Antivirus

Trj/GdSda.A

16.09.21.11

Qihoo 360 Security

HEUR/QVM03.0.0000.Malware.Gen

1.0.0.1120

File size:

652 KB (667,648 bytes)

Product version:

1.00

Original file name:

win32.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\windows\win32\win32.exe

File PE Metadata

Compilation timestamp:

9/11/2016 1:53:10 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:JIjmBzE+CEKDmyQVZrgnnFq4DRWQcCuP6lr9Fg4naJ:GjGnKDm6nFqWe9ilr9Fg4naJ

Entry address:

0x13E8

Entry point:

68, 10, B8, 49, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 68, 00, 00, 00, 38, 00, 00, 00, AE, 8D, C3, B1, 50, BC, C1, 4A, 87, BD, B5, 2C, A4, 63, 18, 19, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 20, 20, 34, 33, 32, 30, 69, 73, 66, 61, 73, 74, 00, 64, 79, 6F, 75, 20, 63, 61, 6E, 20, 73, 65, 65, 20, 69, 6E, 74, 65, 72, 6E, 65, 74, 20, 77, 69, 74, 68, 20, 20, 61, 20, 6C, 6F, 74, 20, 6F, 66, 20, 62, 65, 6E, 65, 66, 69, 74, 00, 20, 0D, 0A, 20, 00, 00, 00, 00, FF, CC, 31, 00, 07, F5, 40, 7C... 
[+]

Entropy:

7.8559

Developed / compiled with:

Microsoft Visual Basic v5.0/v6.0

Code size:

632 KB (647,168 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

win32

Command:

C:\windows\win32\win32.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to 65-254-227-224.yourhostingaccount.com (65.254.227.224:80)

TCP (HTTP):

Connects to ip-172-17-111-2.ec2.internal (172.17.111.2:80)

Remove win32.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.