services.exe

Brontok.A

The executable services.exe has been detected as malware by 1 of 68 anti-virus scanners (a single heuristic hit, see Scanner detections below; on its own that is low-confidence, but the Run value name 'Tok-Cirrhatus' and the original file name Brontok.A.HVM31 recorded in this report are consistent with the Brontok family). It is set to start automatically when the user logs into Windows via the current-user Run registry key, under the display name 'Tok-Cirrhatus'; note that the command stored in that Run value points at smss.exe in the same folder rather than at services.exe (see Startup File below). While running, it connects to the Internet address hm9410.publiccloud.com.br on port 80 over HTTP.
Product:
Brontok.A

Version:
1.00.0004

MD5:
9eae36abbb3db279797d959cbf486487

SHA-1:
e5d07ff19bdc5bf2f072f5a282df7e0dec0f0479

SHA-256:
c3960e98ff8938f358efcc7f722e1b0c20b2211a376ad16d3de7e7d02e57db3f

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/15/2024 1:34:21 PM UTC

Scan engine:
Reason Heuristics

Detection:
Win32.Generic

Engine version:
17.2.28.10

File size:
152 KB (155,648 bytes)

Product version:
1.00.0004

Original file name:
Brontok.A.HVM31

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\services.exe

File PE Metadata
Compilation timestamp:
9/28/2005 6:04:05 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x1178

Entry point:
60, 89, CB, 69, F3, F4, 31, 67, 43, 8D, 35, 4D, F1, 4F, 8E, 68, 10, C9, E3, 00, 89, EB, F7, C5, F3, D9, A8, 97, C7, C5, A8, 59, AC, 27, 86, E9, C7, C2, D9, 87, 8D, DA, 8D, 0D, 4D, AC, 4A, BC, 74, 05, 05, 34, DE, 93, D4, C6, C1, 54, F2, E8, E1, 00, 00, 00, B5, E9, 80, CF, EE, B1, 76, 0F, BF, D8, 8A, DF, BE, 8A, A5, 0B, 00, 8B, E8, 81, F6, 0B, 80, 00, 00, 71, 07, B2, CF, 8B, D0, 0F, AF, FB, 81, EE, 19, 10, 0B, 00, 3B, CA, 72, 06, F7, C1, 62, 58, 6B, FB, 80, ED, C3, 81, FD, C3, 83, 00, 00, 72, 01, 49, 88, DC...

Entropy:
6.5535

Code size:
60 KB (61,440 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus

Command:
"C:\users\{user}\appdata\local\smss.exe"

The executing file has been observed making the following network communications in live environments. The two Brazilian hosts (locaweb.com.br and publiccloud.com.br) are the ones singled out in the summary above; the Yahoo and lumsb entries are shared CDN/advertising infrastructure, so they are weak indicators on their own.

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.ir2.yahoo.com  (188.125.80.144:443)

TCP (HTTP):
Connects to clipart.geo.vip.bf1.yahoo.com  (98.137.201.117:80)

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.ir2.yahoo.com  (46.228.47.114:443)

TCP (HTTP):
Connects to orion04.locaweb.com.br  (191.252.4.20:80)

TCP (HTTP SSL):
Connects to ir1.fp.vip.ir2.yahoo.com  (46.228.47.115:443)

TCP (HTTP):
Connects to hm9410.publiccloud.com.br  (186.202.151.180:80)
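
Added example (not part of the scanner report and not the vendor's code): a PowerShell triage script that checks a Windows host for the indicators listed on this page, namely the Tok-Cirrhatus Run value, copies of services.exe or smss.exe in %LOCALAPPDATA% compared against the SHA-256 above, and established TCP sessions to the two Brazilian addresses. Assumptions not stated by the report: the script runs in the affected user's session (the Run key is per-user), Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), and only the .com.br addresses are worth matching on, since the Yahoo and lumsb hosts would also match ordinary browser traffic.

```powershell
# Added host-triage example for the indicators in this report (not Reason Core Security's code).
# Assumptions: run in the affected user's session (HKCU is per-user), Get-NetTCPConnection
# exists (Windows 8 / Server 2012+), and only the .com.br hosts are used as network indicators.

$RunKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName   = 'Tok-Cirrhatus'
$Sha256    = 'C3960E98FF8938F358EFCC7F722E1B0C20B2211A376AD16D3DE7E7D02E57DB3F'
$DropNames = 'services.exe', 'smss.exe'          # the reported file and the Run value's target
$RemoteIPs = '186.202.151.180', '191.252.4.20'   # hm9410.publiccloud.com.br, orion04.locaweb.com.br

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the per-user Run value and the command it carries.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$RunName]) {
    $findings.Add("Run value '$RunName' present, command: $($run.$RunName)")
}

# 2. Dropped copies: the legitimate services.exe and smss.exe live in %SystemRoot%\System32,
#    so a copy in %LOCALAPPDATA% is out of place on its own; the SHA-256 ties it to this sample.
foreach ($name in $DropNames) {
    $path = Join-Path $env:LOCALAPPDATA $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $verdict = if ($hash -eq $Sha256) { 'hash matches report' } else { 'hash differs, still out of place' }
        $findings.Add("$path exists, SHA-256 $hash ($verdict)")
    }
}

# 3. Network: established TCP sessions to the report's .com.br endpoints, with the owning process.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $RemoteIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

# 4. Report. Any hit in step 1 or 2 is enough to treat the profile as infected.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this report were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell in the affected user's session. Step 3 only sees sessions that are open at that moment, so a clean result there proves little; steps 1 and 2 are the durable checks. Because HKCU is per-user, repeat step 1 for other profiles on the machine (load their hives under HKU) before declaring the host clean.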

Remove services.exe - Powered by Reason Core Security