kb00031968.exe

The executable kb00031968.exe has been detected as malware by 1 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name ‘Client Server Runtime Process’; the Run value points to a csrss.exe in the user's Application Data folder. Both the display name and the file name imitate the legitimate Client Server Runtime Subsystem (csrss.exe), which runs from %SystemRoot%\System32 and is never started from a Run key, so a csrss.exe referenced from a Run value or located outside the Windows directory is a masquerade. While running, it connects to the Internet address ns302526.ip-94-23-196.eu on port 9631.
MD5:
d6f440c602366c08f3a4340b5de27b76

SHA-1:
84619554b1cd84ff32093a92423d9e0552f2d435

SHA-256:
a0ab1e996e2a713c58c68b28ff98cd5d13c39ca981a708210495300427177a04

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 7:14:27 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.RCore

Engine version:
16.8.23.14

File size:
116 KB (118,784 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\kb00031968.exe

File PE Metadata
Compilation timestamp:
8/17/2016 10:59:05 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:NDxlbhSnfnPtxTAqH80qZj/BgwLEmkdKQ6lSlmctzcyTxDqiHLu4f0K6:Zxlb2XtxRH80uByYYmcGyTJFHLDz6

Entry address:
0x6DC0

Entry point:
55, 8B, EC, 6A, FF, 68, 08, 8A, 20, 00, 68, E8, 6F, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, 5F, 57, FF, 15, 04, 82, 20, 00, 59, 83, 0D, DC, A1, 20, 00, FF, 83, 0D, E0, A1, 20, 00, FF, FF, 15, 08, 82, 20, 00, 8B, 0D, D0, A1, 20, 00, 89, 08, FF, 15, 0C, 82, 20, 00, 8B, 0D, CC, A1, 20, 00, 89, 08, A1, 10, 82, 20, 00, 8B, 00, A3, D8, A1, 20, 00, E8, B6, 01, 00, 00, 39, 1D, F0, A0, 20, 00, 75, 0C, 68, E4, 6F, 20, 00, FF, 15...
 

Entropy:
6.9474

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
28 KB (28,672 bytes)

Approved Shell Extension
Name:
Autoplay for SlideShow

CLSID:
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

CLSID name:
Shell Autoplay for Slideshow


2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\Documents and Settings\{user}\Application data\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\users\{user}\appdata\roaming\rundll32.exe
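The two Run values above, together with the behaviour summary at the top of the page, show one masquerade pattern: a Windows system-process name (csrss.exe, rundll32.exe) launched from a user-profile directory. The script below is an added example, not part of the Reason Core Security page, that audits Run-key entries for that pattern. It embeds the two entries from this page plus two constructed benign ones; the live HKCU read via winreg only runs on Windows, and the SYSTEM_ROOT default of C:\Windows is an assumption when the script is run off-box.

```python
"""Audit Windows Run-key autostarts for system-process masquerades.

Added example (not from the Reason Core Security page). Embeds the two Run
values from the page plus two constructed benign entries.
"""
import ntpath
import os
import re
import sys
from dataclasses import dataclass, field

# Assumption: Windows directory of the audited host; taken from the
# environment on-box, defaulting to C:\Windows when run elsewhere.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")

# Started by the kernel, the session manager or winlogon, never by a Run key:
# any Run value naming one of these is a masquerade regardless of its path.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                  "services.exe", "lsass.exe"}

# May legitimately appear in Run keys, but only from the Windows directory.
WINDOWS_ONLY = {"rundll32.exe", "svchost.exe", "regsvr32.exe", "explorer.exe",
                "taskhost.exe", "dllhost.exe", "conhost.exe"}

# The two entries listed on this page, plus two constructed benign ones.
SAMPLE_RUN_ENTRIES = [
    ("Client Server Runtime Process",
     r"C:\Documents and Settings\{user}\Application data\csrss.exe"),
    ("Host-process Windows (Rundll32.exe)",
     r"C:\users\{user}\appdata\roaming\rundll32.exe"),
    ("NvCplDaemon (constructed, benign)",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\NvCpl.dll,NvStartup"),
    ("Vendor Updater (constructed, benign)",
     r'"C:\Program Files\Vendor\updater.exe" /background'),
]


@dataclass
class Finding:
    name: str
    command: str
    image: str
    reasons: list = field(default_factory=list)


def image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line.

    A leading "quoted path" wins; otherwise tokens are joined up to the first
    one ending in .exe, so unquoted paths containing spaces survive.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def expand_windows_vars(path: str) -> str:
    """Resolve %SystemRoot% / %windir% without relying on the local environment."""
    return re.sub(r"%(systemroot|windir)%", lambda m: SYSTEM_ROOT, path,
                  flags=re.IGNORECASE)


def under_windows_dir(path: str) -> bool:
    """True if the image's directory is %SystemRoot%, System32, SysWOW64 or WinSxS."""
    directory = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    root = ntpath.normcase(ntpath.normpath(SYSTEM_ROOT))
    allowed = {root, ntpath.join(root, "system32"), ntpath.join(root, "syswow64")}
    return directory in allowed or directory.startswith(ntpath.join(root, "winsxs") + "\\")


def audit_entries(entries):
    """Return a Finding for every (name, command) pair that trips a rule."""
    findings = []
    for name, command in entries:
        image = expand_windows_vars(image_path(command))
        base = ntpath.basename(image).lower()
        reasons = []
        if base in CORE_PROCESSES:
            reasons.append(f"{base} is started by the OS itself, never from a Run key")
        if base in CORE_PROCESSES | WINDOWS_ONLY and not under_windows_dir(image):
            reasons.append(f"{base} runs from outside {SYSTEM_ROOT}")
        if reasons:
            findings.append(Finding(name, command, image, reasons))
    return findings


def read_hkcu_run():
    """Collect live HKCU Run values on Windows; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # no more values under the key
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_RUN_ENTRIES + read_hkcu_run()):
        print(f"[!] {finding.name!r} -> {finding.image}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run on a live host the script appends the real HKCU Run values to the embedded samples; the first rule is unconditional because core processes are created by the session manager and winlogon, while the second is path-based so that vendor Run entries that legitimately invoke rundll32.exe from System32 are not flagged.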


The executing file has been observed making the following network connections in live environments. Ports 9631 and 9997 recur across the non-SMTP destinations, while the port-25 connections go to public mail providers' mail servers; direct SMTP from a workstation to external mail servers is consistent with a host sending mail itself rather than through the organization's relay.

TCP:
Connects to ADMIN-PC  (46.148.17.202:9997)

TCP:
Connects to customer.worldstream.nl  (93.190.137.39:9631)

TCP:
Connects to 77-226-187-203.static.youbroadband.in  (203.187.226.77:9631)

TCP:
Connects to chicago8.kalltelecom.com  (108.178.8.219:9997)

TCP:
Connects to 130.100-151-104.rdns.scalabledns.com  (104.151.100.130:9631)

TCP:
Connects to WIN-8UDHEG0I0H5  (46.148.17.194:9997)

TCP:
Connects to WIN-7QJT82U4LL6  (46.148.18.26:9997)

TCP (SMTP):
Connects to vcs-star-s-myc.mail.vip.sg3.yahoo.com  (106.10.150.156:25)

TCP:
Connects to static-186-155-226-238.static.etb.net.co  (186.155.226.238:9997)

TCP (SMTP):
Connects to mx1.hotmail.com  (65.55.92.184:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.bf1.yahoo.com  (98.139.221.253:25)

TCP:
Connects to WIN-2F7C36U6BPH  (46.148.22.10:9997)

TCP (SMTP):
Connects to wb-in-f109.1e100.net  (66.102.1.109:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ir2.yahoo.com  (188.125.68.56:25)

TCP:
Connects to nsg-static-250.41.71.182.airtel.in  (182.71.41.250:9631)

TCP:
Connects to ns302526.ip-94-23-196.eu  (94.23.196.156:9631)

TCP (SMTP):
Connects to mta-v5.mail.vip.gq1.yahoo.com  (63.250.192.45:25)

TCP (SMTP):
Connects to mta-v4.mail.vip.ne1.yahoo.com  (98.138.112.35:25)

TCP (SMTP):
Connects to mta-v2.mail.vip.ne1.yahoo.com  (98.138.112.33:25)

TCP (SMTP):
Connects to mta-v2.mail.vip.bf1.yahoo.com  (66.196.118.34:25)
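The destinations above fall into two groups: hosts contacted on ports 9631 and 9997, and public mail servers contacted on port 25. The script below is an added example, not from the Reason Core Security page; it matches constructed Zeek conn.log records against the IP addresses and ports listed in this section, and additionally flags direct outbound SMTP from any host that is not an allow-listed mail relay (10.0.0.25 is an assumed relay address in the sample, and the 203.0.113.x / 198.51.100.x addresses are documentation-range stand-ins).

```python
"""Match Zeek conn.log records against the network IOCs from this page.

Added example (not from the Reason Core Security page). The log records are
constructed; the IOC sets are copied from the page's network section.
"""
from collections import Counter

# Hosts the sample contacted on the two non-standard ports.
C2_PORTS = {9631, 9997}
C2_HOSTS = {
    "46.148.17.202", "93.190.137.39", "203.187.226.77", "108.178.8.219",
    "104.151.100.130", "46.148.17.194", "46.148.18.26", "186.155.226.238",
    "46.148.22.10", "182.71.41.250", "94.23.196.156",
}
# Public mail servers the sample contacted directly on port 25.
SMTP_HOSTS = {
    "106.10.150.156", "65.55.92.184", "98.139.221.253", "66.102.1.109",
    "188.125.68.56", "63.250.192.45", "98.138.112.35", "98.138.112.33",
    "66.196.118.34",
}

RULE_KNOWN = "destination listed in the kb00031968.exe profile"
RULE_PORT = "profile C2 port (9631/9997) to an unlisted host"
RULE_SMTP = "direct outbound SMTP from a host that is not a mail relay"

# Constructed Zeek conn.log excerpt (tab-separated, header as Zeek writes it).
# 10.0.0.17 is an infected workstation, 10.0.0.25 the site's mail relay
# (assumption); 203.0.113.9 / 198.51.100.x are documentation-range stand-ins.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "1734000001.10\tCxa1\t10.0.0.17\t49211\t94.23.196.156\t9631\ttcp\t-",
    "1734000002.20\tCxa2\t10.0.0.17\t49212\t203.0.113.9\t9997\ttcp\t-",
    "1734000003.30\tCxa3\t10.0.0.17\t49213\t65.55.92.184\t25\ttcp\tsmtp",
    "1734000004.40\tCxa4\t10.0.0.25\t40011\t198.51.100.7\t25\ttcp\tsmtp",
    "1734000005.50\tCxa5\t10.0.0.42\t49300\t198.51.100.20\t443\ttcp\tssl",
])


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError(f"malformed conn.log record: {line!r}")
        yield dict(zip(fields, values))


def scan_conn_log(text, mail_relays=frozenset()):
    """Return a hit per record that matches an IOC or the SMTP behaviour rule."""
    hits = []
    for rec in parse_conn_log(text):
        src, dst, port = rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"])
        reasons = []
        if dst in C2_HOSTS or dst in SMTP_HOSTS:
            reasons.append(RULE_KNOWN)
        elif port in C2_PORTS:
            reasons.append(RULE_PORT)   # weaker signal: port reuse by a new node
        if port == 25 and src not in mail_relays:
            reasons.append(RULE_SMTP)   # workstations should relay, not deliver
        if reasons:
            hits.append({"uid": rec["uid"], "src": src, "dst": dst,
                         "port": port, "reasons": reasons})
    return hits


def summarize(hits):
    """Count how often each rule fired across all hits."""
    return Counter(reason for hit in hits for reason in hit["reasons"])


if __name__ == "__main__":
    results = scan_conn_log(SAMPLE_CONN_LOG, mail_relays=frozenset({"10.0.0.25"}))
    for hit in results:
        print(f"{hit['uid']} {hit['src']} -> {hit['dst']}:{hit['port']}  "
              f"{'; '.join(hit['reasons'])}")
    for rule, count in summarize(results).items():
        print(f"{count} x {rule}")
```

The exact-IP match is the high-confidence rule; the port-only rule exists because the page shows the same two ports reused across many unrelated hosts, so a new node on 9631 or 9997 is worth a look even before it appears in any list. The SMTP rule is behavioural and will also fire on any host that legitimately delivers mail directly, which is why the relay allow-list is a parameter rather than hard-coded.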

Remove kb00031968.exe - Powered by Reason Core Security