kb42566588.exe

ImageSegment

The executable kb42566588.exe has been detected as malware by 2 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name 'Client Server Runtime Process'. While running, it connects to the Internet address ns396520.ip-176-31-123.eu on TCP port 9631.
Product:
ImageSegment

Description:
ImageSegment

Version:
1, 0, 0, 1

MD5:
4ff16d4185c9c54658a39a3fb9c2c5b4

SHA-1:
7b7a7936b2b015dbf1622d6011975fd536556037

SHA-256:
d44e719a7584a1678d8ebb604d464f4fcedfd28b5f4ae2bff3b53b9f2fd9d9dc

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/27/2024 7:31:47 AM UTC

Scanner results (scan engine, detection, engine version):
ESET NOD32, Win32/GenKryptik.WJT trojan, 6.3.12010.0
Reason Heuristics, Trojan.Installer (M), 17.3.1.8

File size:
104 KB (106,496 bytes)

Product version:
1, 0, 0, 1

Copyright:
(C) 2007

Original file name:
ImageSegment.EXE

File type:
Executable application (Win32 EXE)

Language:
Finnish (Finland)

Common path:
C:\users\{user}\appdata\local\temp\kb42566588.exe

File PE Metadata
Compilation timestamp:
2/13/2017 7:49:21 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x2886

Entry point:
55, 8B, EC, 6A, FF, 68, 78, 37, 20, 00, 68, 0C, 2A, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 2C, 32, 20, 00, 59, 83, 0D, 8C, 4C, 20, 00, FF, 83, 0D, 90, 4C, 20, 00, FF, FF, 15, 30, 32, 20, 00, 8B, 0D, 80, 4C, 20, 00, 89, 08, FF, 15, 34, 32, 20, 00, 8B, 0D, 7C, 4C, 20, 00, 89, 08, A1, 38, 32, 20, 00, 8B, 00, A3, 88, 4C, 20, 00, E8, 16, 01, 00, 00, 39, 1D, 80, 4B, 20, 00, 75, 0C, 68, 08, 2A, 20, 00, FF, 15, 3C, 32...

Entropy:
7.1757

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
12.3 KB (12,544 bytes)

Approved Shell Extension
Name:
Autoplay for SlideShow

CLSID:
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

CLSID name:
Shell Autoplay for Slideshow


2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\users\{user}\appdata\roaming\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\windows\syswow64\csrss.exe


The executing file has been observed making the following network connections in live environments.

TCP:
Connects to ns396520.ip-176-31-123.eu  (176.31.123.194:9631)

TCP:
Connects to ns3022934.ip-91-121-72.eu  (91.121.72.83:9631)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ir2.yahoo.com  (188.125.68.56:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.bf1.yahoo.com  (98.139.221.253:25)

TCP:
Connects to ns368209.ip-94-23-31.eu  (94.23.31.152:9631)

TCP:
Connects to loft9631.serverprofi24.de  (85.25.207.23:9631)

TCP (SMTP):
Connects to vcs-star-s-myc.mail.vip.sg3.yahoo.com  (106.10.150.156:25)

TCP:
Connects to ns391674.ip-176-31-104.eu  (176.31.104.175:9631)

TCP:
Connects to kvm1.schlumbergerlimited.ch  (188.138.102.48:9997)

TCP:
Connects to loft12056.dedicatedpanel.com  (85.93.93.50:9631)

TCP:
Connects to static-mumbai.wnet.net.in  (49.128.166.43:9997)

TCP:
Connects to db6.ms-db-set2.pricefx.net  (188.138.102.31:9997)

TCP:
Connects to 191-18-21-36.user.vivozap.com.br  (191.18.21.36:9631)

TCP:
Connects to loft12007.serverprofi24.eu  (85.25.237.240:9997)

TCP:
Connects to loft11390.dedicatedpanel.com  (85.25.237.138:9631)

TCP:
Connects to loft11230.dedicatedpanel.com  (188.138.102.50:9997)

TCP:
Connects to 115.112.99.221.static-delhi.vsnl.net.in  (115.112.99.221:9997)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ne1.yahoo.com  (98.138.105.22:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.gq1.yahoo.com  (63.250.193.229:25)

TCP:
Connects to usloft4625.dedicatedpanel.com  (209.126.120.5:9997)

Remove kb42566588.exe - Powered by Reason Core Security