kb741027609.exe

The executable kb741027609.exe has been detected as malware by 1 of 68 anti-virus scanners. It persists by registering itself in the current user's Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name 'Client Server Runtime Process', the name Windows shows for the legitimate Client Server Runtime Subsystem (csrss.exe). The registered commands point to copies named csrss.exe in the user's roaming AppData folder and in C:\windows\syswow64, not to the genuine binary, which lives only in C:\Windows\System32. While running, it connects to public mail servers on TCP port 25 (for example vcs-ssmyc.mail.vip.bf1.yahoo.com) and to a set of hosts on TCP ports 9997 and 9631; the full list observed is given below.
MD5:
4e7c1067772df5d5e5ce0e55feefb928

SHA-1:
0a7b3076f2ed532a6bdcc42fab19e23900cbe668

SHA-256:
4bae4be10a33ab5550caba9d4480781b3e1f811ae5a9b06c7207d2f06639cc00

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 7:11:44 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Installer (M)

Engine version:
16.12.6.15

File size:
158.3 KB (162,146 bytes)

File type:
Executable application (Win32 EXE)

Language:
Icelandic (Iceland)

Common path:
C:\users\{user}\appdata\local\temp\kb741027609.exe

File PE Metadata
Compilation timestamp:
11/29/2016 5:40:51 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:LnASnt8R66zXHxGTMYdUwdWRC4tcHFoanaZV0K:kyuzXgQBRC4CHMn

Entry address:
0xD24C

Entry point:
55, 8B, EC, 6A, FF, 68, 00, F0, 20, 00, 68, 90, D3, 20, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 28, E3, 20, 00, 59, 83, 0D, 44, 04, 21, 00, FF, 83, 0D, 48, 04, 21, 00, FF, FF, 15, 74, E3, 20, 00, 8B, 0D, 38, 04, 21, 00, 89, 08, FF, 15, 70, E3, 20, 00, 8B, 0D, 34, 04, 21, 00, 89, 08, A1, 6C, E3, 20, 00, 8B, 00, A3, 40, 04, 21, 00, E8, 16, 01, 00, 00, 39, 1D, 30, 03, 21, 00, 75, 0C, 68, CE, D3, 20, 00, FF, 15, 68, E3...
 

Entropy:
6.8116

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
52 KB (53,248 bytes)

2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\users\{user}\appdata\roaming\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\windows\syswow64\csrss.exe
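The two Run entries above are the kind of thing a responder checks by hand on a suspect host. The script below is an added example and is not part of the Reason Core Security page: it lists the current user's Run key, flags any entry whose image is named csrss.exe or whose display name matches one of the two names listed above, and hashes the file so the result can be compared with the SHA-256 published here. The legitimate csrss.exe is launched by the Session Manager (smss.exe) at boot and is never registered in a Run key, so the filename alone is enough to flag an entry whatever directory it sits in. Assumptions: the script runs in the affected user's session, and the only known hash is the page's value for kb741027609.exe.

```powershell
# Added example, not from the Reason Core Security page: inspect the current
# user's Run key for the csrss.exe persistence described above. csrss.exe is
# started by smss.exe at boot and is never registered in a Run key, so any Run
# entry whose image is named csrss.exe is suspect regardless of its path.
# Assumption: run in the affected user's session; the SHA-256 is the page's value.

$RunKey      = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$KnownSha256 = '4bae4be10a33ab5550caba9d4480781b3e1f811ae5a9b06c7207d2f06639cc00'
# Display names used by the two entries listed on this page.
$BadNames    = 'Client Server Runtime Process', 'Host-process Windows (Rundll32.exe)'
# Provider metadata that Get-ItemProperty adds alongside the real values.
$MetaProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    param([string]$Command)
    # Run values are either "quoted path" [args] or unquoted path [args].
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+', 2)[0]
}

$props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if (-not $props) { Write-Output 'No Run key for this user.'; return }

$props.PSObject.Properties |
    Where-Object { $_.Name -notin $MetaProps } |
    ForEach-Object {
        $name  = $_.Name
        $image = Get-ImagePath $_.Value
        $leaf  = [IO.Path]::GetFileName($image)

        # Flag on the filename or on a display name borrowed from Windows.
        $suspicious = ($leaf -ieq 'csrss.exe') -or ($name -in $BadNames)
        if (-not $suspicious) { return }   # skip benign entries

        $hash = if (Test-Path -LiteralPath $image -PathType Leaf) {
            (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash.ToLower()
        } else { '<file missing>' }

        [pscustomobject]@{
            Name        = $name
            Command     = $_.Value
            Image       = $image
            SHA256      = $hash
            MatchesPage = ($hash -eq $KnownSha256)
        }
    } | Format-List
```

The hash on this page was computed on kb741027609.exe in the Temp folder; the page does not say whether the csrss.exe copies it installs are byte-identical, so MatchesPage being false does not clear an entry, and the name and path checks stand on their own. HKCU covers only the logged-on user; repeat the check against other users' hives (and HKLM\...\Run) when triaging a shared machine. Unquoted commands containing spaces in the path are split at the first space, which is fine for the entries listed here but would need a smarter parser for arbitrary Run values.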


The executing file has been seen to make the following network communications in live environments.

TCP (SMTP):
Connects to mta-v5.mail.vip.gq1.yahoo.com  (63.250.192.45:25)

TCP:
Connects to customer.worldstream.nl  (217.23.11.14:9631)

TCP:
Connects to mail.norcentro.com.pe  (185.25.48.20:9997)

TCP:
Connects to nsg-static-220.27.71.182.airtel.in  (182.71.27.220:9997)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ne1.yahoo.com  (98.138.105.22:25)

TCP:
Connects to chicago8.kalltelecom.com  (108.178.8.219:9997)

TCP (SMTP):
Connects to vcs-star-s-myc.mail.vip.sg3.yahoo.com  (106.10.150.156:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.gq1.yahoo.com  (63.250.193.229:25)

TCP:
Connects to static-186-155-226-238.static.etb.net.co  (186.155.226.238:9997)

TCP:
Connects to nsg-static-250.41.71.182.airtel.in  (182.71.41.250:9997)

TCP (SMTP):
Connects to lr-in-f108.1e100.net  (209.85.233.108:25)

TCP:
Connects to host189.89.125-50.dh-c.net.br  (189.89.125.50:9997)

TCP:
Connects to 50-255-185-148-static.hfc.comcastbusiness.net  (50.255.185.148:9631)

TCP:
Connects to WIN-UVI9959O36V  (46.148.18.82:9997)

TCP:
Connects to WIN-8UDHEG0I0H5  (46.148.17.194:9631)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.bf1.yahoo.com  (98.139.221.253:25)

TCP:
Connects to colo.gothamweb.net  (69.67.59.197:9997)

TCP:
Connects to 203-151-166-4.inter.net.th  (203.151.166.4:9631)

TCP:
Connects to 140-127-232-218.nuk.edu.tw  (140.127.232.218:9997)
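Two patterns run through the connection list above: direct SMTP (TCP/25) to public mail servers at Yahoo and Google, and connections from many unrelated hosts to the same two ports, 9997 and 9631. The script below is an added example, not code from the Reason Core Security page: it turns the list into a lookup table and scans connection log lines for exact destination matches as well as for either pattern on its own, so a new host on port 9997 is still reported. The four log lines are constructed for the example and their field layout (timestamp, image path, source, destination) is an assumption; adapt the regular expression to your firewall export or Sysmon Event ID 3 data.

```powershell
# Added example, not from the Reason Core Security page: scan a connection log
# for the destination IP:port pairs listed above and for the two patterns they
# share (direct SMTP to port 25, and the recurring ports 9997 and 9631).
# The log lines below are constructed; their field layout is an assumption.

$Iocs = @{
    '63.250.192.45:25'     = 'mta-v5.mail.vip.gq1.yahoo.com'
    '217.23.11.14:9631'    = 'customer.worldstream.nl'
    '185.25.48.20:9997'    = 'mail.norcentro.com.pe'
    '182.71.27.220:9997'   = 'nsg-static-220.27.71.182.airtel.in'
    '98.138.105.22:25'     = 'vcs-ssmyc.mail.vip.ne1.yahoo.com'
    '108.178.8.219:9997'   = 'chicago8.kalltelecom.com'
    '106.10.150.156:25'    = 'vcs-star-s-myc.mail.vip.sg3.yahoo.com'
    '63.250.193.229:25'    = 'vcs-ssmyc.mail.vip.gq1.yahoo.com'
    '186.155.226.238:9997' = 'static-186-155-226-238.static.etb.net.co'
    '182.71.41.250:9997'   = 'nsg-static-250.41.71.182.airtel.in'
    '209.85.233.108:25'    = 'lr-in-f108.1e100.net'
    '189.89.125.50:9997'   = 'host189.89.125-50.dh-c.net.br'
    '50.255.185.148:9631'  = '50-255-185-148-static.hfc.comcastbusiness.net'
    '46.148.18.82:9997'    = 'WIN-UVI9959O36V'
    '46.148.17.194:9631'   = 'WIN-8UDHEG0I0H5'
    '98.139.221.253:25'    = 'vcs-ssmyc.mail.vip.bf1.yahoo.com'
    '69.67.59.197:9997'    = 'colo.gothamweb.net'
    '203.151.166.4:9631'   = '203-151-166-4.inter.net.th'
    '140.127.232.218:9997' = '140-127-232-218.nuk.edu.tw'
}
# The two destination ports that recur across the non-SMTP connections above.
$C2Ports = 9997, 9631

# Constructed sample lines: timestamp, image path, source, destination.
$LogLines = @(
    '2024-12-27T07:11:44Z C:\Users\bob\AppData\Roaming\csrss.exe 10.0.0.5:49812 -> 63.250.192.45:25',
    '2024-12-27T07:11:46Z C:\Users\bob\AppData\Roaming\csrss.exe 10.0.0.5:49813 -> 46.148.18.82:9997',
    '2024-12-27T07:12:01Z C:\Program Files\Mozilla Firefox\firefox.exe 10.0.0.5:49820 -> 142.250.74.100:443',
    '2024-12-27T07:12:05Z C:\Windows\System32\svchost.exe 10.0.0.5:49821 -> 10.0.0.1:53'
)

function Test-ConnectionLine {
    param([string]$Line)
    # Returns a finding object, or $null when the line is benign or unparseable.
    if ($Line -notmatch '^(\S+)\s+(.+?)\s+(\S+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$') { return $null }
    $time    = $Matches[1]
    $image   = $Matches[2]
    $dstIp   = $Matches[4]
    $dstPort = $Matches[5]
    $key     = "${dstIp}:${dstPort}"

    $reasons = @()
    if ($Iocs.ContainsKey($key))    { $reasons += "known destination ($($Iocs[$key]))" }
    if ([int]$dstPort -in $C2Ports) { $reasons += "recurring port $dstPort" }
    if ($dstPort -eq '25')          { $reasons += "direct SMTP from $([IO.Path]::GetFileName($image))" }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time        = $time
        Image       = $image
        Destination = $key
        Reasons     = ($reasons -join '; ')
    }
}

$LogLines | ForEach-Object { Test-ConnectionLine $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Against the constructed lines the first two are reported (both an exact IOC hit and a pattern hit each) and the Firefox and DNS lines are not. The exact-match table is the weakest of the three checks: the Yahoo and Google addresses are shared mail infrastructure that rotates, so on a real network the port-based rules, scoped to workstations that have no business speaking SMTP directly, will outlive the IP list.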

Powered by Reason Core Security