regsvr.exe

The executable regsvr.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Msn Messsenger’.
MD5:
8a3fff9039ef323749f433e3b5ac1bd6

SHA-1:
77f90b2826a1b083f2fe7c473b447fee2122336d

SHA-256:
c4123e668d361c56d455ef813171c4bb9a2c74ecb00c618f7289aa983bbf35b2

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/25/2024 12:35:36 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Threat.Tojan.Click (H)
17.2.5.10

File size:
900.5 KB (922,112 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\regsvr.exe

File PE Metadata
Compilation timestamp:
9/25/2007 2:47:08 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x10686D

Entry point:
83, 3C, 24, FE, 8D, 3F, 77, FE, 8D, 64, 24, CC, 90, 60, F7, D7, 83, EC, DC, E8, BF, FF, FF, FF, 4B, 66, 4B, 75, FC, F6, D2, 8D, 17, FF, 73, 3C, 85, DA, 59, 81, E9, FD, FF, FF, 7F, 0F, 83, E5, FF, FF, FF, 90, 81, D9, E6, 13, 00, 00, 71, DC, 39, F7, 46, 46, FF, B4, 19, E4, 13, 00, 80, 4E, 83, C4, 04, 66, 81, 44, 24, FC, B0, BA, 75, C4, 85, F9, 28, DC, 68, 1F, BC, 71, 36, 87, F1, E8, 8D, FF, FF, FF, 89, 74, 24, 44, E8, C5, 01, 00, 00, 89, 44, 24, 34, FC, 83, E8, 04, F6, D1, 0F, 82, 03, FE, FF, FF, 64, A1, 18...
 
[+]

Entropy:
7.7234  (probably packed)

Code size:
404.5 KB (414,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Msn Messsenger

Command:
C:\users\{user}\appdata\roaming\regsvr.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to win15.securedc.com  (64.8.117.67:80)

TCP (HTTP):
Connects to master.interbox.cz  (77.78.99.55:80)

TCP (HTTP):
Connects to hostedc76.carrierzone.com  (69.49.115.40:80)

TCP (HTTP):
Connects to host176.b5.trdns.com  (77.245.148.176:80)

TCP (HTTP):
Connects to HDRedirect-LB3-890977680.us-east-1.elb.amazonaws.com  (68.168.222.206:80)

TCP (HTTP):

TCP (HTTP):
Connects to 161maklp3.guzel.net.tr  (31.192.214.161:80)

Remove regsvr.exe - Powered by Reason Core Security