home

xelag.exe

Defend Center

The executable xelag.exe, “Windows Defender Service” has been detected as malware by 40 anti-virus scanners. While running, it connects to the Internet address fm.interiowo.pl on port 80 using the HTTP protocol.
Product:
Defend Center

Description:
Windows Defender Service

Version:
1, 0, 0, 0

MD5:
4a02095a8d1a4b3d580ceeeacd5ca378

SHA-1:
f4aa0230c4113103bb6002d0d13ceaa6cf41df1a

SHA-256:
bb2913e23ec9e47a127d89d77748ba655f683e8242175086a7c4d912e4de8413

Scanner detections:
40 / 68

Status:
Malware

Analysis date:
11/27/2024 3:51:55 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Strictor.79302
571

Agnitum Outpost
Trojan.Agent
7.1.1

AhnLab V3 Security
HEUR/Fakon.mwf
2015.07.12

Avira AntiVirus
TR/VB.Agent.340992
8.3.1.6

Arcabit
Trojan.Strictor.D135C6
1.0.0.425

avast!
Win32:Evo-gen [Susp]
2014.9-150713

AVG
Luhe.Fiha.E
2016.0.3049

Baidu Antivirus
Trojan.Win32.Dropper
4.0.3.15713

Bitdefender
Gen:Variant.Strictor.79302
1.0.20.970

Comodo Security
UnclassifiedMalware
22741

Dr.Web
Win32.HLLW.Autoruner2.19352
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Zusy.154502
11.5.0.6191

ESET NOD32
VBS/Agent.NHP worm
8.0.319.0

Fortinet FortiGate
W32/FrauDrop.AICRL!tr
7/13/2015

F-Prot
W32/Backdoor2.HWWI
4.6.5.141

F-Secure
Gen:Variant.Strictor.79302
11.2015-13-07_2

G Data
Gen:Variant.Strictor.79302
15.7.25

IKARUS anti.virus
Worm.VBS.Agent
t3scan.1.9.5.0

K7 AntiVirus
Riskware
13.205.16534

Kaspersky
Trojan-Dropper.Win32.FrauDrop
15.0.0.562

Malwarebytes
Trojan.Agent
v2015.07.13.07

McAfee
RDN/Generic Dropper!wd
5600.6705

Microsoft Security Essentials
Worm:VBS/Jenxcus!lnk
1.1.11804.0

MicroWorld eScan
Gen:Variant.Strictor.79302
16.0.0.582

NANO AntiVirus
Trojan.Win32.Blocker.dbnfux
0.30.24.2487

Norman
Gen:Variant.Zusy.154502
10.04.2016 15:29:17

nProtect
Trojan-Dropper/W32.FrauDrop.340992.D
15.07.10.01

Panda Antivirus
Trj/CI.A
15.07.13.07

Qihoo 360 Security
Win32/Trojan.Dropper.43a
1.0.0.1015

Quick Heal
TrojanDropper.FrauDrop.r5
7.15.14.00

Reason Heuristics
Threat.Win.Reputation.IMP
15.7.13.19

Rising Antivirus
PE:Trojan.Win32.Generic.182350EB!404967659
23.00.65.15711

Sophos
Virus 'Troj/Agent-AQVU'
5.23

Total Defense
Win32/Dapato.AY
37.1.62.1

Trend Micro House Call
TROJ_FORUCON.BMC
7.2.194

Trend Micro
TROJ_FORUCON.BMC
10.465.13

Vba32 AntiVirus
TrojanDropper.Dapato
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
41936

ViRobot
Dropper.A.FrauDrop.340992.B[h]
2014.3.20.0

Zillya! Antivirus
Trojan.Blocker.Win32.18819
2.0.0.2283

File size:
333 KB (340,992 bytes)

Product version:
1, 0, 0, 0

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\xelag.exe

File PE Metadata
Compilation timestamp:
7/22/2013 4:13:26 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:+ziL6Tj1u6C7SdQNrJda/aulZLyVuYL9Y6K71p1gzojZDViEtnww:+vqSyJda/aulZAuYL901/gWxiEGw

Entry address:
0x19158

Entry point:
E8, 94, 37, 00, 00, E9, 79, FE, FF, FF, 3B, 0D, DC, 7D, 43, 00, 75, 02, F3, C3, E9, 16, 38, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 57, 33, FF, 3B, F7, 75, 04, 33, C0, EB, 65, 39, 7D, 08, 75, 1B, E8, 55, 18, 00, 00, 6A, 16, 5E, 89, 30, 57, 57, 57, 57, 57, E8, 8E, 3D, 00, 00, 83, C4, 14, 8B, C6, EB, 45, 39, 7D, 10, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, D5, 38, 00, 00, 83, C4, 0C, EB, C1, FF, 75, 0C, 57, FF, 75, 08, E8, 94, 18, 00, 00, 83, C4, 0C, 39, 7D, 10, 74, B6, 39, 75, 0C, 73...
 
[+]

Entropy:
6.5075

Code size:
170.5 KB (174,592 bytes)

The file xelag.exe has been seen being distributed by the following 2 URLs.

temp:New folder.exe

temp:bluetooth(1).exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to fm.interiowo.pl  (217.74.66.160:80)

Remove xelag.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.