service.exe

The executable service.exe, “Windows Servis İşlemleri”, has been detected as malware by 30 anti-virus scanners. According to the detections, it has been classified as a keylogger, which is capable of recording a user's keystrokes. While running, it connects to the Internet address ip.sistem724.com.tr on port 80 using the HTTP protocol.
Description:
Windows Servis İşlemleri

Version:
1.0.0.0

MD5:
f7d2aec727173fd142a659252ca05933

SHA-1:
cbeb7a5183b5b712dcd778e4b19109027df8e9ff

SHA-256:
930f086805658c9306640106ddc204688fd651a0184dc78fe57cc85b79a12ced

Scanner detections:
30 / 68

Status:
Malware

Analysis date:
11/2/2024 7:21:05 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Graftor.187950 | 508 |
| Agnitum Outpost | Trojan.StartPage | 7.1.1 |
| AhnLab V3 Security | Malware/Win32.Generic | 2015.08.16 |
| Avira AntiVirus | TR/Graftor.613376.1 | 8.3.1.6 |
| Arcabit | Trojan.Graftor.D2DE2E | 1.0.0.425 |
| avast! | Win32:Trojan-gen | 2014.9-150915 |
| AVG | Generic13_c | 2016.0.2986 |
| Baidu Antivirus | Trojan.Win32.StartPage | 4.0.3.15915 |
| Bitdefender | Gen:Variant.Graftor.187950 | 1.0.20.1290 |
| Comodo Security | UnclassifiedMalware | 23013 |
| Dr.Web | Trojan.KeyLogger.27151 | 9.0.1.0258 |
| Emsisoft Anti-Malware | Gen:Variant.Graftor.187950 | 8.15.09.15.12 |
| ESET NOD32 | Win32/StartPage.ALJ (variant) | 9.12099 |
| Fortinet FortiGate | W32/StartPage.ALJ!tr | 9/15/2015 |
| F-Secure | Gen:Variant.Graftor.187950 | 11.2015-15-09_3 |
| G Data | Gen:Variant.Graftor.187950 | 15.9.25 |
| IKARUS anti.virus | Trojan.Win32.StartPage | t3scan.1.9.5.0 |
| K7 AntiVirus | Trojan | 13.2016900 |
| Kaspersky | Trojan.Win32.StartPage | 14.0.0.1425 |
| McAfee | RDN/Generic StartPage | 5600.6642 |
| Microsoft Security Essentials | Trojan:Win32/Tarhana.A | 1.1.11903.0 |
| MicroWorld eScan | Gen:Variant.Graftor.187950 | 16.0.0.774 |
| NANO AntiVirus | Trojan.Win32.StartPage.dsxjpx | 0.30.24.3079 |
| Panda Antivirus | Trj/CI.A | 15.09.15.12 |
| Qihoo 360 Security | Trojan.Generic | 1.0.0.1015 |
| Rising Antivirus | PE:Trojan.Win32.Generic.18C4F076!415559798 | 23.00.65.15913 |
| Sophos | Mal/Generic-S | 4.98 |
| Trend Micro | TROJ_GEN.R01TC0EF915 | 10.465.15 |
| VIPRE Antivirus | Trojan.Win32.Generic | 42904 |
| Zillya! Antivirus | Trojan.StartPage.Win32.23565 | 2.0.0.2352 |

File size:
599 KB (613,376 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\Program Files\service.exe

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:myqHFmJA8q++O3zbgdXfdmY+bJZYpzMTJK:myqldi3zbcl78JZYpQTJ

Entry address:
0x7EDE0

Entry point:
55, 8B, EC, 83, C4, F0, B8, 58, EA, 47, 00, E8, 7C, 78, F8, FF, A1, EC, 0B, 48, 00, 8B, 00, E8, 48, A8, FD, FF, 8B, 0D, 94, 0D, 48, 00, A1, EC, 0B, 48, 00, 8B, 00, 8B, 15, 30, B6, 47, 00, E8, 48, A8, FD, FF, A1, EC, 0B, 48, 00, 8B, 00, E8, BC, A8, FD, FF, E8, C7, 53, F8, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual C++

Code size:
504 KB (516,096 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip.sistem724.com.tr (91.191.172.102:80)
