gbClientService.exe

Garena

The application gbClientService.exe, “CafeThai Pro client service” has been detected as a potentially unwanted program by 16 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “gbClientService”. While running, it connects to the Internet address ppp-111.223.35.215.revip.proen.co.th on port 80 using the HTTP protocol.
Product:
Garena

Description:
CafeThai Pro client service

Version:
2.2.20.3a5a

MD5:
aa340b05609f9581ef1bd321c84e63ce

SHA-1:
34b3cb093d62cba3457c76b0255bcbc3e834d7cf

SHA-256:
47b1f6a578bf127701336d47ed4e8fff6a3e154ec2c83e8f94a065a54b2976e6

Scanner detections:
16 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 12:32:41 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.14616287
596

Avira AntiVirus
TR/Crypt.XPACK.Gen
8.3.1.6

Arcabit
Trojan.Generic.DDF06DF
1.0.0.425

avast!
Win32:Malware-gen
2014.9-150618

Bitdefender
Trojan.Generic.14616287
1.0.20.845

Bkav FE
HW32.Packed
1.3.0.6379

Emsisoft Anti-Malware
Trojan.Generic.14616287
8.15.06.18.11

F-Secure
Gen:Variant.Adware.13
5.14.151

G Data
Trojan.Generic.14616287
15.6.25

IKARUS anti.virus
Trojan.Crypt
t3scan.1.9.5.0

McAfee
Artemis!AA340B05609F
5600.6730

MicroWorld eScan
Trojan.Generic.14616287
16.0.0.507

nProtect
Trojan.Generic.14616287
15.06.12.01

Qihoo 360 Security
HEUR/QVM16.0.Malware.Gen
1.0.0.1015

Trend Micro House Call
TROJ_GEN.R047H09F415
7.2.169

ViRobot
Trojan.Win32.S.Agent.6112256.B[h]
2014.3.20.0

File size:
5.8 MB (6,112,256 bytes)

Product version:
2.2.20.3a5a-P

Copyright:
Copyright (C) 2008

Original file name:
gbClientService.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\gbillingclient\gbclientservice.exe

File PE Metadata
Compilation timestamp:
4/13/2015 10:21:52 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
98304:ZrgVAp38JYV3/nsXn6ynllF04lNGq8MCxQ9Zf5Wm1n5muet9Nx3E3TcKB4oZ14wP:ZsVSsJKfsKynll+4lNGrMbpn5betB0jl

Entry address:
0x6BFD16

Entry point:
52, 68, 6B, CA, D0, 5E, 51, C7, 44, 24, 08, 61, 16, EE, 98, 9C, E8, A8, A4, 06, 00, 00, 00, 3F, 61, 74, 45, 6E, 64, 40, 51, 46, 69, 6C, 65, 40, 40, 55, 42, 45, 5F, 4E, 58, 5A, 00, 00, 00, 6D, 65, 6D, 6D, 6F, 76, 65, 00, 31, 09, D0, 6B, 65, 09, EB, B9, 3C, 3F, 04, C9, 4F, 12, 55, D9, 1F, A6, 2A, AD, 04, 8C, 21, 59, D2, 17, 31, 5E, 18, FD, 6C, E0, FD, 21, 89, 5D, 43, 08, 5F, 9E, A6, DA, F7, 63, 2B, 95, 04, 3C, 7E, C5, 92, 23, 53, E8, 8F, 0A, 1E, 15, E1, 02, A8, B7, 8F, 50, 4D, 1C, 86, C1, 92, 3E, 27, 12, 26...
 
[+]

Entropy:
7.8370  (probably packed)

Code size:
1.4 MB (1,483,264 bytes)

Service
Display name:
gbClientService

Type:
Win32OwnProcess

Group:
GarenaGroup


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ppp-111.223.35.215.revip.proen.co.th  (111.223.35.215:80)

TCP (HTTP):
Connects to ppp-111.223.35.214.revip.proen.co.th  (111.223.35.214:80)

TCP (HTTP):
Connects to ppp-111.223.35.217.revip.proen.co.th  (111.223.35.217:80)

TCP (HTTP):
Connects to ppp-111.223.35.216.revip.proen.co.th  (111.223.35.216:80)

TCP (HTTP):
Connects to ppp-111.223.35.213.revip.proen.co.th  (111.223.35.213:80)

Remove gbClientService.exe - Powered by Reason Core Security