csc.exe

HowbaniSoft Internet Cafe System Client

HowbaniSoft Team - Yemen

The executable csc.exe has been detected as malware by 19 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘HISS_CLT’. While running, it connects to the Internet address 160.143.96.66.static.eigbox.net on port 80 using the HTTP protocol.
Publisher:
HowbaniSoft Team - Yemen

Product:
HowbaniSoft Internet Cafe System Client

Version:
7, 4, 1, 0

MD5:
641a8278e31d34ac48b85b2828541537

SHA-1:
bb995372a7247ddc55cd4b2e289e6e5593a744cd

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
11/24/2024 11:46:07 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | Trojan.StartPage | 7.1.1 |
| Avira AntiVirus | TR/Comitsproc.A.419 | 7.11.179.8 |
| avast! | Win32:Dropper-gen [Drp] | 2014.9-141017 |
| AVG | Win32/DH{gRKBE0GBDy17Q30DZ34gLlI} | 2015.0.3318 |
| Baidu Antivirus | Trojan.Win32.Comitsproc | 4.0.3.141017 |
| Comodo Security | UnclassifiedMalware | 19815 |
| Dr.Web | Trojan.StartPage.52883 | 9.0.1.0290 |
| IKARUS anti.virus | Trojan.Win32.Comitsproc | t3scan.1.7.8.0 |
| Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.3087 |
| McAfee | Artemis!641A8278E31D | 5600.6974 |
| Microsoft Security Essentials | Trojan:Win32/Comitsproc!gmb | 1.11005 |
| NANO AntiVirus | Trojan.Win32.StartPage.cqligj | 0.28.2.62671 |
| Norman | Suspicious_Gen4.CECZL | 11.20141017 |
| Qihoo 360 Security | Win32/Trojan.e6d | 1.0.0.1015 |
| Quick Heal | Trojan.Comitsproc.r4 | 10.14.14.00 |
| Sophos | Mal/Generic-S | 4.98 |
| Trend Micro House Call | TROJ_SPNR.3AHQ13 | 7.2.290 |
| Trend Micro | TROJ_SPNR.3AHQ13 | 10.465.17 |
| VIPRE Antivirus | Trojan.Win32.Generic | 33982 |

File size:
496 KB (507,940 bytes)

Product version:
7, 4, 1, 0

Copyright:
Copyright (C) 2000 - 2012

Trademarks:
All Rights Reserved , HowbaniSoft Team

Original file name:
CafeSysClt.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\csc.exe

File PE Metadata
Compilation timestamp:
11/23/2012 8:34:30 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:pVvdJnTy7c7F9kZhWDAwPLaXwsbVQ1Ilxp:rdlm7c7gZhWDcgsbVV

Entry address:
0x380CB

Entry point:
E8, 63, AD, 00, 00, E9, 16, FE, FF, FF, E8, 0B, A2, 00, 00, FF, 74, 24, 04, E8, 62, A0, 00, 00, FF, 35, E4, 5B, 46, 00, E8, 3A, 3F, 00, 00, 68, FF, 00, 00, 00, FF, D0, 83, C4, 0C, C3, 68, DC, 6B, 45, 00, FF, 15, 9C, F2, 44, 00, 85, C0, 74, 16, 68, CC, 6B, 45, 00, 50, FF, 15, A0, F2, 44, 00, 85, C0, 74, 06, FF, 74, 24, 04, FF, D0, C3, FF, 74, 24, 04, E8, D1, FF, FF, FF, 59, FF, 74, 24, 04, FF, 15, 3C, F3, 44, 00, CC, 6A, 08, E8, 25, 94, 00, 00, 59, C3, 6A, 08, E8, 44, 93, 00, 00, 59, C3, 56, 8B, F0, EB, 0B...
 
Entropy:
6.3963

Code size:
312 KB (319,488 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
HISS_CLT

Command:
C:\windows\csc.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 160.143.96.66.static.eigbox.net  (66.96.143.160:80)

TCP (HTTP):
Connects to 65-254-229-20.yourhostingaccount.com  (65.254.229.20:80)
