dpinstx64.exe

Driver Package Installer (DPInst)

SMSC

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The executable dpinstx64.exe, “Driver Package Installer” has been detected as malware by 40 anti-virus scanners. The file is most likely infected with the Neshta virus, a Russian virus that gathers system information and send it to a remote command and cotrol server.
Publisher:
Microsoft Corporation  (signed by SMSC)

Product:
Driver Package Installer (DPInst)

Description:
Driver Package Installer

Version:
2.1

MD5:
0050c45a4c64bab55df5a4e32596980f

SHA-1:
f4bd89d0a68690a0aaf854db698ecf8bad960413

SHA-256:
0ed35474b3bca75e4276331bec14bdb498e14aa5d6b9a126b62c8b445fdf8b2c

Scanner detections:
40 / 68

Status:
Malware

Explanation:
Infected with the direct-infection Neshta file infector virus.

Analysis date:
11/24/2024 5:46:23 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Neshta.C
802

Agnitum Outpost
Win32.Neshta.A
7.1.1

AhnLab V3 Security
Win32/Neshta
2013.08.22

Avira AntiVirus
W32/Neshta.a
7.11.30.172

avast!
Win32:Apanas [Trj]
2014.9-141125

AVG
Worm/Delf
2015.0.3280

Baidu Antivirus
Virus.Win32.Neshta.$a
4.0.3.141125

Bitdefender
Win32.Neshta.A
1.0.20.1645

Bkav FE
W32.HanGu.PE
1.3.0.4959

Clam AntiVirus
Neshta.B
0.98/19042

Comodo Security
Win32.Neshta.A
16801

Dr.Web
Win32.HLLP.Neshta
9.0.1.0329

Emsisoft Anti-Malware
Win32.Neshta
8.14.11.25.09

ESET NOD32
Win32/Neshta.A virus
8.7.0.302.0

Fortinet FortiGate
W32/Neshta.A
11/25/2014

F-Prot
W32/HLLP.41472
v6.4.6.5.141

F-Secure
Win32.Neshta.A
11.2014-25-11_3

G Data
Win32.Neshta
14.11.22

IKARUS anti.virus
Virus.Win32.Neshta
t3scan.2.0.127

K7 AntiVirus
Virus
13.170.9337

Kaspersky
Virus.Win32.Neshta
14.0.0.2893

Malwarebytes
Trojan.Agent
v2014.11.25.09

McAfee
W32/HLLP.41472.e
5600.6936

Microsoft Security Essentials
1.163.1557.0

MicroWorld eScan
Win32.Neshta.A
15.0.0.987

NANO AntiVirus
Virus.Win32.Neshta.cdby
0.26.0.53954

Norman
Neshta.C
11.20141125

nProtect
Virus/W32.Neshta
13.08.21.03

Panda Antivirus
W32/Neshta.A
14.11.25.09

Qihoo 360 Security
Virus.Win32.Neshta.B
1.0.0.1015

Quick Heal
W32.Neshta.A
11.14.12.00

Rising Antivirus
Win32.Netsha.a
23.00.65.141123

Sophos
W32/Bloat-A
4.91

Total Defense
Win32/Neshta.A
37.0.10498

Trend Micro House Call
PE_NESHTA.A
7.2.329

Trend Micro
PE_NESHTA.A
10.465.25

Vba32 AntiVirus
Virus.Win32.Neshta.a
3.12.22.3

VIPRE Antivirus
Virus.Win32.Neshta.a
20730

ViRobot
Win32.Neshta.B
2011.4.7.4223

Zillya! Antivirus
Virus.Neshta.Win32.1
2.0.0.1972

File size:
906.7 KB (928,496 bytes)

Product version:
2.1

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
DPInst.exe

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\x64\dpinstx64.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/22/2006 8:00:00 PM

Valid to:
11/1/2009 6:59:59 PM

Subject:
CN=SMSC, OU=SSG, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=SMSC, L=Hauppauge, S=NY, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
11A8E6364AA1F8858BFE04F4B11FB6E1

File PE Metadata
Compilation timestamp:
10/16/2006 7:57:22 PM

OS version:
6.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:OcQsynWrZI8I/VELVqZFbq+0pHKmdTJF805CbLLDFSQSAj99HJYnJzDX+v34nQTZ:FpRkVWqZRqXVI0oLD7ZxA434QTPh22

Entry address:
0x6BD3C

Entry point:
48, 83, EC, 28, E8, 2F, 09, 00, 00, 48, 83, C4, 28, E9, B6, FC, FF, FF, CC, CC, CC, CC, CC, CC, FF, 25, 2E, 5C, F9, FF, CC, CC, CC, CC, CC, CC, FF, 25, 1A, 5C, F9, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 66, 66, 66, 90, 66, 66, 66, 90, 66, 90, 48, 3B, 0D, B1, 73, 01, 00, 75, 11, 48, C1, C1, 10, 66, F7, C1, FF, FF, 75, 02, F3, C3, 48, C1, C9, 10, E9, 91, 09, 00, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, 48, 89, 5C, 24, 10, 44, 89, 44, 24, 18, 48, 89, 4C, 24, 08, 56, 57, 41, 54, 48...
 
[+]

Entropy:
5.7312

Code size:
517 KB (529,408 bytes)

Remove dpinstx64.exe - Powered by Reason Core Security