Reason Labs

weawa.exe

The executable weawa.exe has been detected as malware named Worm.AutoRun. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘weawa’.
MD5:
e2d6dc0473d9aa13008da8c9e80779bd

SHA-1:
2ff2520ee53a4648762bb360bd1585ae0c1c04d3

Detection:
Worm.AutoRun

Risk:
High

Analysis date:
9/26/2018 1:12:43 PM UTC

File size:
56 KB (57,344 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\documents and settings\kamil\weawa.exe

File PE Metadata
Compilation timestamp:
1/1/2000 1:00:00 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
768:5BHlPdzpa1smCf0mq/6/Q/9NF0+LEc8af3ts0E99:5tzWsmcq2oS+Ljb3ts0E99

Header:
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B0, 00, 00, 00...

Entry address:
0x1184

Entry point:
68, 14, 12, 40, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 81, 89, 47, A1, 4A, D5, 79, 42, 98, 62, 53, D9, 21, 71, AD, 30, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 55, 43, 43, 70, 63, 44, 5A, 6D, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 06, 00, 00, 00, C8, 35, 40, 00, 07, 00, 00, 00, B4, 2D, 40, 00, 07, 00, 00, 00, 60, 2D, 40, 00, 07, 00, 00, 00, 18, 2D, 40, 00, 07, 00, 00, 00, D4, 2C, 40, 00, 07, 00, 00, 00, 8C, 2C, 40, 00...

Developed / compiled with:
Microsoft Visual Basic v5.0

Characteristics:
0x271

Code size:
48 KB (49,152 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
weawa

Command:
C:\documents and settings\kamil\weawa.exe


There are numerous known code variations that share the same compilation structure.

Clean
BR117.dll  17.103.0015  (6413445d24c29766c837c146dbcdf7730fcaee4d)

Clean
BusyVAT17.dll  17.04.0012  (81f89d1ab6248d015149dc09289e6d08ac9bdf52)

Clean
BS117.dll  17.04.0009  (0a3631501f721ac790b3bf0386150f51a5f37217)

Clean
EasyAccount.exe  1.03  (3109d11fd3e67a58ab792d0e8f7a113c7417f0af)

Worm.AutoRun
mwrioy.exe  (a5be050873a666a82e6275786c6c9719c5a92e87)

Worm.AutoRun
goiguup.exe  (c0f07969e3c94df3d858dd2744d65b0c04f7ac0d)

Worm.AutoRun
huafet.exe  (1930ea0a27ce0d9b32a47890815e392345f91cf3)

Worm.AutoRun
caeem.exe  (ac15b45ba2a46d0107bd54a9d7529fdbc5bb42ff)

Worm.AutoRun
roiviv.exe  (f9a106db3f6a66485aaf29d645cfb6a2bece767a)

Worm.AutoRun
soiom.exe  (07e02d204a3b608b00232da5674d21a1cc713d16)

Worm.AutoRun
vovaz.exe  (a42b8f089f853afcc79cf40c704db02855652fb0)

Worm.AutoRun
tiehoi.exe  (707740027fd7a126ee249713865338d7b10c6ffb)

Worm.AutoRun
mgqih.exe  (e89449248b34d9cfcc49a182a24791196075fe84)

Clean
lapeg.scr  (b9a2a96b3c44a9ff1980bfe742bc3862d0260839)

Worm.AutoRun
kvqis.exe  (ef696a6231bbc24e79c732dc3f6c39557ab87323)
