suchost..exe

WindowsFormsApplication5

The executable suchost..exe, described as “Host Process for Windows Services”, has been detected as malware by 4 anti-virus scanners.
Publisher:
Microsoft*  (Invalid match)

Product:
WindowsFormsApplication5

Description:
Host Process for Windows Services

Version:
1.0.0.0

MD5:
d43b77476d21fd8e09e1cd7b39116bbd

SHA-1:
cfa29ec5231553dc1ab10c9185e8c53304b339b8

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
12/25/2024 1:39:47 PM UTC

Scan engine                     Detection                 Engine version
ESET NOD32                      MSIL/Agent.AY worm        6.3.12010.0
F-Prot                          W32/MSIL_Agent.K.gen      4.6.5.141
Kaspersky                       Worm.MSIL.Agent           15.0.2.529
Microsoft Security Essentials   Worm:MSIL/Mofin.A         1.231.585.0

File size:
224 KB (229,376 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2011

Original file name:
WindowsFormsApplication5.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\system\suchost..exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:Q3BPXZf7nECworDBqhElSksQ9na/tK88sWR:Q3znqksQRa/8vxR

Entry address:
0x5E1E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
4.1180

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
16 KB (16,384 bytes)

When executed, the file has been observed making the following network connections in live environments.

TCP:
Connects to sc-in-f109.1e100.net  (74.125.68.109:587)

TCP:
Connects to sa-in-f108.1e100.net  (74.125.200.108:587)

TCP:
Connects to qm-in-f108.1e100.net  (173.194.205.108:587)

Remove suchost..exe - Powered by Reason Core Security