csc.exe

HowbaniSoft Internet Cafe System Client

HowbaniSoft Team - Yemen

The executable csc.exe has been detected as malware by 33 anti-virus scanners. It is set to execute automatically when any user logs into Windows, through a run registry entry (the local user run registry setting) named ‘HISS_CLT’. While running, it connects to the Internet address 160.143.96.66.static.eigbox.net on port 80 over HTTP.
Publisher:
HowbaniSoft Team - Yemen

Product:
HowbaniSoft Internet Cafe System Client

Version:
6, 0, 0, 0

MD5:
b1fdb8bab2ec75e3ef3c94504c845322

SHA-1:
361c8f9e8ab125259dd760cf6f59afb526df6c8e

Scanner detections:
33 / 68

Status:
Malware

Analysis date:
11/24/2024 11:41:56 PM UTC

Scan engine | Detection | Engine version
--- | --- | ---
Lavasoft Ad-Aware | Gen:Trojan.Heur.SFC.Eq1@ay7cGLmOb | 533
Agnitum Outpost | Trojan.Vilsel | 7.1.1
AhnLab V3 Security | Win-Trojan/Vilsel.503844 | 2015.03.04
Avira AntiVirus | TR/Vilsel.sxw | 7.11.213.76
avast! | Win32:Malware-gen | 2014.9-150820
AVG | Generic16 | 2016.0.3011
Baidu Antivirus | Trojan.Win32.Malat | 4.0.3.15820
Bitdefender | Gen:Trojan.Heur.SFC.Eq1@ay7cGLmOb | 1.0.20.1160
Clam AntiVirus | Win.Trojan.Vilsel-722 | 0.98/21511
Comodo Security | Heur.Suspicious | 21278
Dr.Web | Trojan.StartPage.35567 | 9.0.1.0232
Emsisoft Anti-Malware | Gen:Trojan.Heur.SFC.Eq1@ay7cGLmOb | 8.15.08.20.07
Fortinet FortiGate | W32/Vilsel.SXW!tr | 8/20/2015
F-Prot | W32/TrojanX.EFUK | v6.4.7.1.166
F-Secure | Gen:Trojan.Heur.SFC.Eq1@ay7cGLmOb | 11.2015-20-08_5
G Data | Gen:Trojan.Heur.SFC.Eq1@ay7cGLmOb | 15.8.25
IKARUS anti.virus | Trojan.Win32.Vilsel | t3scan.1.8.6.0
K7 AntiVirus | Trojan | 13.200.15142
Kaspersky | Trojan.Win32.Vilsel | 14.0.0.1551
McAfee | Artemis!B1FDB8BAB2EC | 5600.6667
Microsoft Security Essentials | Trojan:Win32/Malat | 1.1.11400.0
MicroWorld eScan | Gen:Trojan.Heur.SFC.Eq1@ay7cGLmOb | 16.0.0.696
NANO AntiVirus | Trojan.Win32.Vilsel.utcrr | 0.30.0.296
Norman | Malware.LITZ | 11.20150820
Panda Antivirus | W32/Spamta.QO.worm | 15.08.20.07
Qihoo 360 Security | Win32/Trojan.a8f | 1.0.0.1015
Rising Antivirus | PE:Trojan.Win32.Generic.11EC80B5!300712117 | 23.00.65.15818
Sophos | Mal/Generic-S | 4.98
Trend Micro House Call | TROJ_GEN.F4AE1I1 | 7.2.232
Trend Micro | TROJ_GEN.F4AE1I1 | 10.465.20
Vba32 AntiVirus | Trojan.Vilsel | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Generic | 38084
ViRobot | Trojan.Win32.A.Vilsel.507904.A[h] | 2014.3.20.0

File size:
492 KB (503,844 bytes)

Product version:
6, 0, 0, 1

Copyright:
Copyright (C) 2000 - 2003

Trademarks:
All Rights Reserved , HowbaniSoft Team

Original file name:
CafeSysClt.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\csc.exe

File PE Metadata
Compilation timestamp:
1/24/2010 7:49:24 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:CBBHKire3Oei/Hsz1Cot7vVmuCV0n7+C+SjSopNm0VTFpx:CBBnHwt7vVmuC6n1+Suo/1p

Entry address:
0x375FB

Entry point:
E8, 63, AD, 00, 00, E9, 16, FE, FF, FF, E8, 0B, A2, 00, 00, FF, 74, 24, 04, E8, 62, A0, 00, 00, FF, 35, 14, 4B, 46, 00, E8, 3A, 3F, 00, 00, 68, FF, 00, 00, 00, FF, D0, 83, C4, 0C, C3, 68, 6C, 57, 45, 00, FF, 15, 9C, E2, 44, 00, 85, C0, 74, 16, 68, 5C, 57, 45, 00, 50, FF, 15, A0, E2, 44, 00, 85, C0, 74, 06, FF, 74, 24, 04, FF, D0, C3, FF, 74, 24, 04, E8, D1, FF, FF, FF, 59, FF, 74, 24, 04, FF, 15, 34, E3, 44, 00, CC, 6A, 08, E8, 25, 94, 00, 00, 59, C3, 6A, 08, E8, 44, 93, 00, 00, 59, C3, 56, 8B, F0, EB, 0B...
 

Entropy:
6.3825

Code size:
308 KB (315,392 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
HISS_CLT

Command:
C:\windows\csc.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 160.143.96.66.static.eigbox.net  (66.96.143.160:80)
