Google Chrome.exe

The executable Google Chrome.exe has been detected as malware by 23 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘cfhack’. While running, it connects to the Internet address 133.54.211.130.bc.googleusercontent.com on port 80 using the HTTP protocol.
Publisher: svchost
Product: qwe
Description: microsoft
Version: 1.00.0419
MD5: ece15493c21e601c5831e18f8ce6fb02
SHA-1: f90538d8fddb94bd359f5481794f40c0076e0716
SHA-256: 37aebdd8086489f8409f28af66633c85c585c741aebde82ebf20ae580aadf3d7
Scanner detections: 23 / 68
Status: Malware
Analysis date: 12/28/2024 7:11:30 PM UTC

Scan engine            Detection                     Engine version
Lavasoft Ad-Aware      Gen:Heur.ManBat.1             5865457
Agnitum Outpost        TrojanSpy.VB                  7.1.1
AhnLab V3 Security     Malware/Win32.Suspicious      2015.07.31
Avira AntiVirus        TR/Crypt.FKM.Gen              8.3.1.6
Arcabit                Trojan.ManBat.1               1.0.0.425
avast!                 Win32:Malware-gen             150717-0
AVG                    Atros                         2016.0.3032
Bitdefender            Gen:Heur.ManBat.1             1.0.20.1060
Dr.Web                 Trojan.KillFiles.29004        9.0.1.05190
Emsisoft Anti-Malware  Gen:Heur.ManBat               10.0.0.5366
ESET NOD32             Win32/AdClicker.NBF trojan    7.0.302.0
Fortinet FortiGate     W32/Magania.IDPJ!tr           7/31/2015
F-Secure               Gen:Heur.ManBat.1             5.14.151
G Data                 Gen:Heur.ManBat               15.7.25
Kaspersky              Trojan-Spy.Win32.VB           15.0.0.543
McAfee                 Trojan.Artemis!ECE15493C21E   18.0.204.0
MicroWorld eScan       Gen:Heur.ManBat.1             16.0.0.636
Norman                 Gen:Heur.ManBat.1             07.07.2015 03:10:29
Panda Antivirus        Generic Suspicious            15.07.31.05
Sophos                 Mal/Generic-S                 4.98
SUPERAntiSpyware       Trojan.Agent/Gen-Falcomp      9721
Trend Micro            TROJ_GEN.R08NC0EGS15          10.465.31
VIPRE Antivirus        Threat.4150696                41608

File size: 100.5 KB (102,912 bytes)
Product version: 1.00.0419
Copyright: weq
Trademarks: wqewqq
Original file name: Google Chrome.exe
File type: Executable application (Win32 EXE)
Language: English (United States)
Common path: C:\windows\google chrome.exe

File PE Metadata
Compilation timestamp: 7/21/2015 8:40:10 PM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 6.0
CTPH (ssdeep): 1536:NiKacWZHtJqHdO102yw3vfboRxKIAlLL02kNJ53IIUl9/CRK67Eo9u7R:NiZjuHw3roRAIoLL02owBqRK6go9u9
Entry address: 0x18A8
Entry point: B8, EC, 36, 43, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 50, 45, 43, 6F, 6D, 70, 61, 63, 74, 32, 00, EB, 54, 4B, 0A, 97, 75, 1B, 74, 30, C4, A6, E4, D0, 7F, 78, 07, 3E, A3, A3, 8F, 4C, 13, 30, 91, 79, F6, 0D, 8A, EF, 04, 1C, B4, 91, 8E, 3E, F5, 17, 6E, 71, 64, FD, 24, 4A, C4, 86, 1D, D9, 5A, 82, 3C, 19, 75, 3A, CD, 4D, 37, 10, C8, 7D, E8, D9, 3E, B5, B6, 09, 81, 8C, 99, 71, 9A, 68, 06, 6B, A4, A3, 3B, 94, 70, 34, AD, C6, 5E, 76, 33, 11, C4, 49, 99, D9, EF, 85, 2A, 99...
Entropy: 7.5061
Packer / compiler: PECompact v2
Code size: 92 KB (94,208 bytes)

Startup File (All Users Run)
Registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: cfhack
Command: C:\windows\google chrome.exe

The executing file has been seen to make the following network communications in live environments.

Remove Google Chrome.exe - Powered by Reason Core Security