regsvr.exe

The executable regsvr.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Msn Messsenger’.
MD5:
8a3fff9039ef323749f433e3b5ac1bd6

SHA-1:
77f90b2826a1b083f2fe7c473b447fee2122336d

SHA-256:
c4123e668d361c56d455ef813171c4bb9a2c74ecb00c618f7289aa983bbf35b2

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/5/2024 2:24:53 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Tojan.Click (H)

Engine version:
17.2.5.10

File size:
900.5 KB (922,112 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\regsvr.exe

File PE Metadata
Compilation timestamp:
9/25/2007 2:47:08 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x10686D

Entry point:
83, 3C, 24, FE, 8D, 3F, 77, FE, 8D, 64, 24, CC, 90, 60, F7, D7, 83, EC, DC, E8, BF, FF, FF, FF, 4B, 66, 4B, 75, FC, F6, D2, 8D, 17, FF, 73, 3C, 85, DA, 59, 81, E9, FD, FF, FF, 7F, 0F, 83, E5, FF, FF, FF, 90, 81, D9, E6, 13, 00, 00, 71, DC, 39, F7, 46, 46, FF, B4, 19, E4, 13, 00, 80, 4E, 83, C4, 04, 66, 81, 44, 24, FC, B0, BA, 75, C4, 85, F9, 28, DC, 68, 1F, BC, 71, 36, 87, F1, E8, 8D, FF, FF, FF, 89, 74, 24, 44, E8, C5, 01, 00, 00, 89, 44, 24, 34, FC, 83, E8, 04, F6, D1, 0F, 82, 03, FE, FF, FF, 64, A1, 18...

Entropy:
7.7234  (probably packed)

Code size:
404.5 KB (414,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Msn Messsenger

Command:
C:\users\{user}\appdata\roaming\regsvr.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to win15.securedc.com  (64.8.117.67:80)

TCP (HTTP):
Connects to master.interbox.cz  (77.78.99.55:80)

TCP (HTTP):
Connects to hostedc76.carrierzone.com  (69.49.115.40:80)

TCP (HTTP):
Connects to host176.b5.trdns.com  (77.245.148.176:80)

TCP (HTTP):
Connects to HDRedirect-LB3-890977680.us-east-1.elb.amazonaws.com  (68.168.222.206:80)

TCP (HTTP):
Connects to 161maklp3.guzel.net.tr  (31.192.214.161:80)

Remove regsvr.exe - Powered by Reason Core Security