win99dc.exe

The executable win99dc.exe has been detected as malware by 18 of the 68 anti-virus scanners consulted. While running it makes plain HTTP connections on TCP port 80, among them to server-54-230-18-58.iad12.r.cloudfront.net, an Amazon CloudFront edge node; the full set of observed destinations is listed further down.
MD5:
edab2983431e6bdcca4f7061e2b2e91d

SHA-1:
50c1fb42ba70552bff4ef7e1d58097c889dbfe63

SHA-256:
a7ea7aad434b2a8b82642aac393265c070c4966cdfe3e917de5160ccdfc4fe78

Scanner detections:
18 / 68

Status:
Malware

Analysis date:
11/30/2024 8:16:31 AM UTC

Scan engine              Detection                        Engine version
Lavasoft Ad-Aware        Gen:Variant.Symmi.38164          1056
AhnLab V3 Security       Trojan/Win32.Trojan Horse        2014.02.03
Avira AntiVirus          DR/Delphi.A.2724                 7.11.128.158
avast!                   Win32:Downloader-UWH [Trj]       2014.9-140315
Bitdefender              Gen:Variant.Symmi.38164          1.0.20.370
Emsisoft Anti-Malware    Gen:Variant.Symmi.38164          8.14.03.15.06
Fortinet FortiGate       W32/Dx.CX3!tr                    3/15/2014
F-Secure                 Gen:Variant.Symmi.38164          11.2014-15-03_7
G Data                   Gen:Variant.Symmi.38164          14.3.24
Malwarebytes             Trojan.Downloader.ED             v2014.03.15.06
McAfee                   RDN/Generic.dx!cx3               5600.7190
MicroWorld eScan         Gen:Variant.Symmi.38164          15.0.0.222
Norman                   Suspicious_Gen4.FSIPJ            11.20140315
Qihoo 360 Security       HEUR/Malware.QVM05.Gen           1.0.0.1015
Sophos                   Mal/Generic-S                    4.97
Trend Micro House Call   TROJ_GEN.R0C1C0EAR14             7.2.74
Trend Micro              TROJ_GEN.R0C1C0EAR14             10.465.15
VIPRE Antivirus          Trojan.Win32.Generic             26060

Most of these verdicts are generic or heuristic (Symmi, Generic.dx, Mal/Generic-S, HEUR, Suspicious_Gen4). The only family-level names are the downloader labels from avast! and Malwarebytes, which agree with the HTTP activity recorded below, and Avira's DR/Delphi.A.2724, which ties the sample to the Delphi toolchain. The dated engine versions cluster around 15 March 2014, so the verdicts reflect signatures of that time rather than the analysis date shown above.

File size:
164.5 KB (168,448 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\win99dc.exe (this is %APPDATA%\Microsoft, a user-writable location; the Microsoft-named folder says nothing about the file's origin)

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM (this is the fixed TimeDateStamp 0x2A425E19, 1992-06-19 22:22:17 UTC, that Borland/Delphi linkers write into every image, rendered here in a UTC-4 zone; it identifies the toolchain and is not the real build time)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
3072:cYiwTVJXZ9rBQ/NUPM1ZYSk3OCVJqlIbao:cJGZ2CM4SkeCDJ

Entry address:
0x8FAC (an RVA; at the Delphi default image base 0x400000 this is virtual address 0x408FAC, which matches the 0x408Fxx immediates in the prologue below)

Entry point:
55, 8B, EC, 83, C4, E8, 53, 56, 57, 33, C0, 89, 45, E8, B8, 44, 8F, 40, 00, E8, B8, B5, FF, FF, BF, 10, E8, 40, 00, 33, C0, 55, 68, FE, BF, 40, 00, 64, FF, 30, 64, 89, 20, 66, C7, 05, B0, E7, 40, 00, 47, 01, 66, C7, 05, B4, E7, 40, 00, 47, 01, BE, 6E, A3, 01, 00, C7, 05, B8, E7, 40, 00, 6E, A3, 01, 00, C7, 05, BC, E7, 40, 00, 6E, A3, 01, 00, C7, 05, C0, E7, 40, 00, 6E, A3, 01, 00, 33, C0, 89, 05, C4, E7, 40, 00, C7, 05, C8, E7, 40, 00, 00, 00, F0, 3F, B8, CC, E7, 40, 00, E8, 30, A6, FF, FF, B8, D0, E7, 40...

The first instructions decode to push ebp / mov ebp,esp / add esp,-0x18 / push ebx / push esi / push edi / xor eax,eax / mov [ebp-0x18],eax / mov eax,0x408F44 / call rel32, followed by push 0x40BFFE / push fs:[eax] / mov fs:[eax],esp: the standard prologue of a Delphi program, which hands its unit-initialization table to the RTL's @InitExe and then sets up the usual Delphi exception frame.

Entropy:
6.4206 (Shannon entropy over the whole file on a 0 to 8 scale; values near 7 or above usually indicate packing or encryption, so this image does not appear to be packed as a whole)

Developed / compiled with:
Borland Delphi. The original listing says "Microsoft Visual C++", but that does not fit the fields above: linker version 2.25 is Borland's, the 1992-06-19 timestamp is the fixed value Delphi linkers emit, the entry-point prologue is Delphi's, and Avira names the sample DR/Delphi.A.2724.

Code size:
44.5 KB (45,568 bytes)
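To reproduce the hashes and the "File PE Metadata" fields above on any sample, here is an added example in standard-library Python (no pefile dependency). It is not Reason Core's tooling, and the PE image that build_sample_pe() returns is constructed to carry this listing's header values rather than being win99dc.exe; parse_pe_header, compiler_hints and the other names are this example's own.

```python
"""Recompute the identifiers and PE header fields a listing like this one
reports, using only the Python standard library. Added example, not Reason
Core's tooling; the image built by build_sample_pe() is constructed here
and is NOT win99dc.exe."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Fixed TimeDateStamp that Borland/Delphi linkers write into every image:
# 0x2A425E19 == 1992-06-19 22:22:17 UTC.
DELPHI_TIMESTAMP = 0x2A425E19

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    """The three digests used to pivot between AV vendors and sandboxes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; packed or encrypted content approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_header(data: bytes) -> dict:
    """Pull the fields shown under 'File PE Metadata' from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
    }


def compiler_hints(hdr: dict) -> list:
    """Toolchain evidence taken from the header itself, independent of AV labels."""
    hints = []
    if hdr["timestamp"] == DELPHI_TIMESTAMP:
        hints.append("TimeDateStamp 0x2A425E19 is the fixed value Borland/Delphi linkers emit")
    if hdr["linker_version"] == "2.25":
        hints.append("linker version 2.25 is Borland's (Delphi); Microsoft link.exe reports its own major version, e.g. 6.0 for VC6")
    return hints


def build_sample_pe() -> bytes:
    """Constructed PE32 header carrying the values from this listing.
    No sections or code: it only exercises the parser offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, DELPHI_TIMESTAMP, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 2, 25, 45568)  # PE32, linker 2.25, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x8FAC)                 # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                  # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_hashes(sample))
    hdr = parse_pe_header(sample)
    for k, v in hdr.items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
    print("entropy:", round(shannon_entropy(sample), 4))
    for h in compiler_hints(hdr):
        print("hint:", h)
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(); the hashes and entropy are computed over the whole file, as on this page, while the header fields come from the COFF and optional headers only.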

The executing file has been seen to make the following network communications in live environments. All are plain HTTP on TCP port 80, grouped here by the infrastructure the reverse DNS names belong to.

TCP (HTTP), Google front-end hosts (1e100.net):
Connects to yv-in-f95.1e100.net  (74.125.21.95:80)
Connects to yv-in-f155.1e100.net  (74.125.21.155:80)
Connects to yv-in-f149.1e100.net  (74.125.21.149:80)
Connects to yv-in-f148.1e100.net  (74.125.21.148:80)
Connects to yv-in-f138.1e100.net  (74.125.21.138:80)
Connects to qg-in-f95.1e100.net  (74.125.29.95:80)

TCP (HTTP), Amazon CloudFront edge nodes:
Connects to server-54-230-90-214.ind6.r.cloudfront.net  (54.230.90.214:80)
Connects to server-54-230-90-178.ind6.r.cloudfront.net  (54.230.90.178:80)
Connects to server-54-230-89-221.ind6.r.cloudfront.net  (54.230.89.221:80)
Connects to server-54-230-89-216.ind6.r.cloudfront.net  (54.230.89.216:80)
Connects to server-54-230-88-103.ind6.r.cloudfront.net  (54.230.88.103:80)
Connects to server-54-230-18-58.iad12.r.cloudfront.net  (54.230.18.58:80)

TCP (HTTP), Amazon S3:
Connects to s3-1-w.amazonaws.com  (205.251.243.97:80)

TCP (HTTP), OVH-hosted servers:
Connects to ns380828.ovh.net  (188.165.253.212:80)
Connects to ns3324339.ovh.net  (37.59.15.146:80)
Connects to ns312748.ovh.net  (188.165.219.225:80)
Connects to ns3096015.ovh.net  (188.165.237.147:80)
Connects to ns220928.ovh.net  (188.165.246.198:80)

TCP (HTTP), other hosts:
Connects to t.mookie1.com  (208.71.122.1:80)
Connects to m-nb.xplusone.com  (199.38.164.155:80)

The Google, CloudFront and S3 entries are shared infrastructure reached by countless legitimate programs; the IP alone does not reveal which tenant or service was contacted, and a sandbox may record such traffic whether or not the sample caused it. The five OVH server names and the two remaining hosts are the more specific indicators and the ones worth hunting for in proxy and DNS logs.
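The following added example (not Reason Core's code) shows how a responder would turn a "Connects to" list like the one above into hunt material: it parses the listing's own line format, separates shared infrastructure from specific hosts, and matches the specific ones against proxy log lines. The suffix table, the proxy log format and the log lines are constructed for this example; the connection lines are copied from the listing. The names parse_connections, classify, triage and match_proxy_log are this example's own.

```python
"""Triage a sandbox 'Connects to' list: split shared infrastructure from
hosts worth blocking or hunting, then match the latter against proxy logs.
Added example, not Reason Core's tooling."""
import re
from collections import defaultdict

# Lines copied from the listing above; the format is the page's own.
SAMPLE_LISTING = """TCP (HTTP):
Connects to yv-in-f95.1e100.net  (74.125.21.95:80)
TCP (HTTP):
Connects to t.mookie1.com  (208.71.122.1:80)
TCP (HTTP):
Connects to server-54-230-18-58.iad12.r.cloudfront.net  (54.230.18.58:80)
TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (205.251.243.97:80)
TCP (HTTP):
Connects to ns380828.ovh.net  (188.165.253.212:80)
TCP (HTTP):
Connects to ns3324339.ovh.net  (37.59.15.146:80)
TCP (HTTP):
Connects to m-nb.xplusone.com  (199.38.164.155:80)
"""

# Constructed proxy log lines (hypothetical format: time client host "METHOD url" status).
SAMPLE_PROXY_LOG = [
    '2024-11-30T08:20:01Z 10.0.0.12 ws-17 "GET http://ns380828.ovh.net/ HTTP/1.1" 200',
    '2024-11-30T08:20:02Z 10.0.0.12 ws-17 "GET http://server-54-230-18-58.iad12.r.cloudfront.net/ HTTP/1.1" 200',
    '2024-11-30T08:20:03Z 10.0.0.44 ws-03 "GET http://37.59.15.146/check HTTP/1.1" 200',
    '2024-11-30T08:20:04Z 10.0.0.44 ws-03 "GET http://www.example.com/ HTTP/1.1" 200',
]

CONNECTS_RE = re.compile(r"Connects to (\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)")
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) "(?:GET|POST) http://([^/ "]+)')

# Reverse-DNS suffixes of shared infrastructure. A hit here says only that the
# sample reached Google or an AWS edge, not which tenant sits behind it.
SHARED_SUFFIXES = {
    ".1e100.net": "Google",
    ".cloudfront.net": "AWS CloudFront",
    ".amazonaws.com": "AWS S3",
}


def parse_connections(text):
    """Return [(host, ip, port), ...] from listing text in the page's format."""
    return [(host, ip, int(port)) for host, ip, port in CONNECTS_RE.findall(text)]


def classify(host):
    """('shared', owner) for CDN/Google hosts, ('specific', None) otherwise."""
    for suffix, owner in SHARED_SUFFIXES.items():
        if host.endswith(suffix):
            return "shared", owner
    return "specific", None


def triage(text):
    """{'shared': {owner: [(host, ip)]}, 'specific': [(host, ip, port)]}."""
    out = {"shared": defaultdict(list), "specific": []}
    for host, ip, port in parse_connections(text):
        kind, owner = classify(host)
        if kind == "shared":
            out["shared"][owner].append((host, ip))
        else:
            out["specific"].append((host, ip, port))
    return out


def match_proxy_log(lines, specific):
    """Flag proxy lines whose destination host or IP is one of the specific indicators."""
    watch = {h for h, _, _ in specific} | {ip for _, ip, _ in specific}
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m and m.group(4) in watch:
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits


if __name__ == "__main__":
    t = triage(SAMPLE_LISTING)
    for owner, hosts in t["shared"].items():
        print(f"shared ({owner}): {len(hosts)} host(s), low signal on their own")
    for host, ip, port in t["specific"]:
        print(f"hunt: {host} {ip}:{port}")
    for ts, client, dst in match_proxy_log(SAMPLE_PROXY_LOG, t["specific"]):
        print(f"HIT {ts} {client} -> {dst}")
```

The CloudFront line in the constructed log is deliberately not flagged: matching on shared edges would page the team for every site fronted by the same CDN. Matching on both the host name and the raw IP catches the case where the sample connects by address without a DNS lookup.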

Remove win99dc.exe - Powered by Reason Core Security