cshpfaba.exe

The executable cshpfaba.exe has been detected as malware by 10 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘cshpfaba’. While running, it connects to the Internet address lb-182-207.above.com on port 80 using the HTTP protocol.
MD5:
aa077eacb2ee1765f43403a8ba5b9904

SHA-1:
37871aca057c0fa6c62dca2c4de1f4da7714908a

Scanner detections:
10 / 68

Status:
Malware

Analysis date:
12/25/2024 2:05:14 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.341058
-21

Bitdefender
Gen:Variant.Kazy.341058
1.0.20.275

Emsisoft Anti-Malware
Gen:Variant.Kazy.341058
8.17.02.24.04

ESET NOD32
Win32/Skintrim.LZ (variant)
11.9551

F-Secure
Gen:Variant.Kazy.341058
11.2017-24-02_6

G Data
Gen:Variant.Kazy.341058
17.2.24

IKARUS anti.virus
Trojan.Win32.Pakes
t3scan.2.2.29

MicroWorld eScan
Gen:Variant.Kazy.341058
18.0.0.165

Panda Antivirus
Suspicious file
17.02.24.04

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

File size:
872 KB (892,928 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\cshpfaba.exe

File PE Metadata
Compilation timestamp:
5/24/2012 11:46:40 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x55BC

Entry point:
55, 8B, EC, 83, EC, 74, 8D, 45, 94, 50, 68, 80, A1, 40, 00, 8D, 4D, 98, FF, 15, FC, A0, 40, 00, 8D, 4D, 98, 51, B9, 48, 7B, 4D, 00, E8, FE, 38, 00, 00, 8D, 4D, 98, FF, 15, F8, A0, 40, 00, 6A, 00, B9, 48, 7B, 4D, 00, E8, C9, 38, 00, 00, 8B, C8, FF, 15, 08, A1, 40, 00, 89, 45, 90, 8D, 55, 90, 52, B9, 38, 7B, 4D, 00, E8, 60, 39, 00, 00, C7, 45, DC, 00, 00, 00, 00, C7, 45, E8, A1, 00, 00, 00, B9, F0, 79, 4D, 00, E8, 58, 1D, 00, 00, B9, B8, 78, 4D, 00, E8, CE, 36, 00, 00, FF, 15, EC, A0, 40, 00, 89, 45, EC, B9...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
36 KB (36,864 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
cshpfaba

Command:
"C:\Documents and Settings\{user}\Application data\cshpfaba.exe" cshpfaba


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to lb-182-207.above.com  (103.224.182.207:80)

Remove cshpfaba.exe - Powered by Reason Core Security