kb03723531.exe

The executable kb03723531.exe has been detected as malware by 1 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Client Server Runtime Process’. That name is the file description of the legitimate csrss.exe, which lives in %SystemRoot%\System32; the Run entry instead launches a copy of csrss.exe from the user's Application Data folder. While running, it connects to the Internet address loft12100.dedicatedpanel.com on port 9997.
MD5:
ae334f89b1f64934b404f76d80a6c1d1

SHA-1:
9a0629aa26cd51cb15c00a62b4d1b9619d69d245

SHA-256:
151d0bf8fafff3715de831fb127902fb7265e821dbc0358e5c487e1cd8466201

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
2/26/2025 6:37:19 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Downloader

Engine version:
16.11.8.17

File size:
154.3 KB (158,050 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\kb03723531.exe

File PE Metadata
Compilation timestamp:
11/1/2016 6:18:22 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:Wwb+6oNtWZGmPix7977bPKFyUgBqLRzzTV:W5vtsix2yURRzfV

Entry address:
0xCAC6

Entry point:
55, 8B, EC, 6A, FF, 68, A0, EB, 20, 00, 68, 4C, CC, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 58, E3, 20, 00, 59, 83, 0D, 3C, 02, 21, 00, FF, 83, 0D, 40, 02, 21, 00, FF, FF, 15, 54, E3, 20, 00, 8B, 0D, 30, 02, 21, 00, 89, 08, FF, 15, 50, E3, 20, 00, 8B, 0D, 2C, 02, 21, 00, 89, 08, A1, 4C, E3, 20, 00, 8B, 00, A3, 38, 02, 21, 00, E8, 16, 01, 00, 00, 39, 1D, 50, 01, 21, 00, 75, 0C, 68, 48, CC, 20, 00, FF, 15, 48, E3...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
52 KB (53,248 bytes)

2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\Documents and Settings\{user}\Application data\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\users\{user}\appdata\roaming\rundll32.exe
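
Both Run entries above follow the same pattern: a value name that copies a Windows system process (csrss.exe's file description, rundll32.exe's file name) while the command points at a user-writable folder, where those binaries never legitimately live. The following script, an added example and not part of this listing, triages an exported HKCU Run key for exactly that pattern. The `reg query` lines it parses are constructed (two mirror the entries on this page, one is a benign control), and the lists of system-only binaries, system directories and user-writable locations are illustrative assumptions rather than complete catalogues.

```python
"""Triage HKCU Run entries exported with `reg query` for masquerading.

Added example, not part of the original listing. The exported lines below are
constructed; two of them mirror the entries on this page and the third is a
benign control. The lists of system-only binaries, system directories and
user-writable locations are illustrative assumptions, not complete catalogues.
"""
import re

# Constructed output of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Client Server Runtime Process    REG_SZ    C:\Documents and Settings\alice\Application data\csrss.exe
    Host-process Windows (Rundll32.exe)    REG_SZ    C:\users\alice\appdata\roaming\rundll32.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# Binaries that only legitimately live under %SystemRoot%\System32 (or SysWOW64).
SYSTEM_ONLY_BINARIES = {"csrss.exe", "rundll32.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
# File descriptions of those binaries, which malware reuses as Run value names.
SYSTEM_DESCRIPTIONS = {"client server runtime process": "csrss.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\application data\\", "\\local settings\\temp\\", "\\temp\\")

# One value line of `reg query`: indented name, two+ spaces, type, two+ spaces, data.
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")


def parse_reg_query(text: str) -> list:
    """Return (value name, command) pairs from `reg query` output."""
    return [(m["name"], m["data"]) for m in map(LINE_RE.match, text.splitlines()) if m]


def image_path(command: str) -> str:
    """Executable path from a Run command, whether quoted or a bare path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def assess_entry(name: str, command: str) -> list:
    """(severity, reason) pairs for one entry; an empty list means nothing notable."""
    low = image_path(command).lower()
    binary = low.rsplit("\\", 1)[-1]
    findings = []
    # A system-only binary name launched from anywhere but System32/SysWOW64 is the strong signal.
    if binary in SYSTEM_ONLY_BINARIES and not any(d in low for d in SYSTEM_DIRS):
        findings.append(("high", f"{binary} launched from outside System32/SysWOW64"))
    lname = name.lower()
    if lname in SYSTEM_DESCRIPTIONS or any(b[:-4] in lname for b in SYSTEM_ONLY_BINARIES):
        findings.append(("medium", "value name imitates a Windows system process"))
    # Many legitimate per-user apps also start from AppData, so this alone is only a hint.
    if any(h in low for h in USER_WRITABLE_HINTS):
        findings.append(("low", "launched from a user-writable directory"))
    return findings


def triage(text: str) -> dict:
    """Map every Run value name to its findings (empty list when clean)."""
    return {name: assess_entry(name, cmd) for name, cmd in parse_reg_query(text)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_REG_QUERY).items():
        print(name, findings or "clean")
```

The severity split matters in practice: the OneDrive control entry also runs from AppData and only earns the low-confidence note, while both entries from this page are flagged high because a csrss.exe or rundll32.exe outside the system directories has no legitimate explanation.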


The executing file has been seen to make the following outbound TCP connections in live environments (destination hostname, IP address and port). The same three ports, 9027, 9631 and 9997, recur across many different hosts.

TCP: loft10579.serverprofi24.com (85.25.218.71:9027)
TCP: ns368209.ip-94-23-31.eu (94.23.31.152:9631)
TCP: 27.212.forpsi.net (81.2.212.27:9997)
TCP: ns321304.ip-91-121-169.eu (91.121.169.202:9631)
TCP: loft11030.dedicatedpanel.com (188.138.57.44:9631)
TCP: ns3022934.ip-91-121-72.eu (91.121.72.83:9631)
TCP: ns391674.ip-176-31-104.eu (176.31.104.175:9997)
TCP: loft11230.dedicatedpanel.com (188.138.102.50:9997)
TCP: h136-112.fcsrv.net (194.28.112.136:9631)
TCP: 115.112.99.221.static-delhi.vsnl.net.in (115.112.99.221:9997)
TCP: client-181-43-82-215.imovil.entelpcs.cl (181.43.82.215:9997)
TCP: a2.89.b6.static.xlhost.com (207.182.137.162:9997)
TCP: vps-1.morene.host (185.48.56.106:9631)
TCP: usloft4625.dedicatedpanel.com (209.126.120.5:9997)
TCP: loft11246.serverprofi24.com (188.138.102.74:9631)
TCP: ip-85-26-250-1.nwgsm.ru (85.26.250.1:9631)
TCP: db6.ms-db-set2.pricefx.net (188.138.102.31:9631)
TCP: customer.worldstream.nl (93.190.137.39:9997)
TCP: 177-114-249-37.user.vivozap.com.br (177.114.249.37:9997)
TCP: windows.myint85.net (185.48.56.84:9997)
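
The connection list above is most useful as a set of network indicators. The script below, an added example and not part of this listing, transcribes the (hostname, IP, port) tuples from this page and runs them over egress firewall log lines. The log format and the log lines themselves are constructed for illustration, as is the RFC 1918 filter that stops internal-only traffic on the same ports from raising a port-only hint; the three verdict levels are the author's choice, not something the page defines.

```python
"""Match the C2 endpoints listed above against egress firewall logs.

Added example, not part of the original listing. The (hostname, ip, port)
tuples are transcribed from this page; the log format and the log lines are
constructed for illustration, and so is the RFC 1918 filter used to keep
internal-only traffic on the same ports from raising a port-only hint.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Indicators transcribed from this page: (hostname, ip, tcp port)
C2_INDICATORS = [
    ("loft10579.serverprofi24.com", "85.25.218.71", 9027),
    ("ns368209.ip-94-23-31.eu", "94.23.31.152", 9631),
    ("27.212.forpsi.net", "81.2.212.27", 9997),
    ("ns321304.ip-91-121-169.eu", "91.121.169.202", 9631),
    ("loft11030.dedicatedpanel.com", "188.138.57.44", 9631),
    ("ns3022934.ip-91-121-72.eu", "91.121.72.83", 9631),
    ("ns391674.ip-176-31-104.eu", "176.31.104.175", 9997),
    ("loft11230.dedicatedpanel.com", "188.138.102.50", 9997),
    ("h136-112.fcsrv.net", "194.28.112.136", 9631),
    ("115.112.99.221.static-delhi.vsnl.net.in", "115.112.99.221", 9997),
    ("client-181-43-82-215.imovil.entelpcs.cl", "181.43.82.215", 9997),
    ("a2.89.b6.static.xlhost.com", "207.182.137.162", 9997),
    ("vps-1.morene.host", "185.48.56.106", 9631),
    ("usloft4625.dedicatedpanel.com", "209.126.120.5", 9997),
    ("loft11246.serverprofi24.com", "188.138.102.74", 9631),
    ("ip-85-26-250-1.nwgsm.ru", "85.26.250.1", 9631),
    ("db6.ms-db-set2.pricefx.net", "188.138.102.31", 9631),
    ("customer.worldstream.nl", "93.190.137.39", 9997),
    ("177-114-249-37.user.vivozap.com.br", "177.114.249.37", 9997),
    ("windows.myint85.net", "185.48.56.84", 9997),
]
C2_ENDPOINTS = {(ip, port) for _, ip, port in C2_INDICATORS}
C2_IPS = {ip for _, ip, _ in C2_INDICATORS}
C2_PORTS = {port for _, _, port in C2_INDICATORS}  # {9027, 9631, 9997}
HOST_FOR_IP = {ip: host for host, ip, _ in C2_INDICATORS}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log in an assumed key=value format (not from the page).
SAMPLE_LOG = """\
2025-02-26T18:40:01Z src=10.0.0.15:51234 dst=188.138.102.50:9997 proto=tcp action=allow
2025-02-26T18:40:07Z src=10.0.0.15:51240 dst=185.48.56.84:9997 proto=tcp action=allow
2025-02-26T18:40:12Z src=10.0.0.15:51251 dst=85.25.218.71:9631 proto=tcp action=allow
2025-02-26T18:41:03Z src=10.0.0.22:49188 dst=203.0.113.9:9631 proto=tcp action=allow
2025-02-26T18:41:30Z src=10.0.0.22:49190 dst=203.0.113.50:443 proto=tcp action=allow
2025-02-26T18:42:00Z src=10.0.0.31:53000 dst=10.0.0.5:9997 proto=tcp action=allow
2025-02-26T18:42:10Z src=10.0.0.22:49201 dst=94.23.31.152:9631 proto=tcp action=allow
"""
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def classify(dst: str, dport: int) -> Optional[str]:
    """Strongest indicator that applies to one destination, or None."""
    if (dst, dport) in C2_ENDPOINTS:
        return "c2"        # exact host:port from the listing
    if dst in C2_IPS:
        return "c2-host"   # listed host on another port; the listing shows hosts rotating ports
    if dport in C2_PORTS and not any(ipaddress.ip_address(dst) in n for n in RFC1918):
        return "port-hint"  # weak: unlisted external host on one of the three listed ports
    return None


def scan(lines):
    """Return (src, dst, dport, verdict, hostname) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"])
        verdict = classify(m["dst"], dport)
        if verdict:
            hits.append((m["src"], m["dst"], dport, verdict, HOST_FOR_IP.get(m["dst"])))
    return hits


def distinct_c2_per_source(hits) -> Counter:
    """How many listed C2 hosts each internal address reached. The sample cycles
    through many of them, so a count above one is the strong host-level signal."""
    seen = {}
    for src, dst, _, verdict, _ in hits:
        if verdict in ("c2", "c2-host"):
            seen.setdefault(src, set()).add(dst)
    return Counter({src: len(ips) for src, ips in seen.items()})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(distinct_c2_per_source(hits))
```

A port-only match is deliberately reported as a hint rather than a detection: 9027, 9631 and 9997 are unremarkable high ports, and the IP list on this page is a snapshot of infrastructure that rotates, so the host-level view (one internal address reaching several listed hosts) is what to escalate on.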

Remove kb03723531.exe - Powered by Reason Core Security