susrv.exe

The application susrv.exe has been detected as a potentially unwanted program by 8 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “SU Service component”. While running, it connects to the Internet address dl21.clickmein.com on port 80 using the HTTP protocol.
MD5:
8d69dfbf32dd858eeeefbb5591946305

SHA-1:
4f4bf8adc1f54b90d42c496a472135576e9cebe3

SHA-256:
aa499f8d1a5e3b1df4e8563dd797d5bd023ec516df362218abeeb682e45347b9

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 6:16:49 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
Adware/AgentCV.A.8372
7.11.209.140

Baidu Antivirus
Adware.Win32.AdService
4.0.3.15211

Emsisoft Anti-Malware
Gen:Variant.Graftor.175920
8.15.07.28.03

ESET NOD32
Win32/Adware.AdService (variant)
9.11160

F-Secure
Gen:Variant.Graftor.175920
11.2015-28-07_3

IKARUS anti.virus
PUA.AdService
t3scan.1.8.6.0

Reason Heuristics
Threat.Win.Reputation.IMP
15.7.27.23

Trend Micro House Call
Suspicious_GEN.F47V0209
7.2.42

File size:
113.5 KB (116,224 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\softwareupdater\susrv.exe

File PE Metadata
Compilation timestamp:
2/7/2015 2:53:21 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:eHawZB7ZvzMs4BGFtZ3xb/HUyjzxIue5:4awZB7ZvzMjBGFtZ3xTH9zxpu

Entry address:
0xD212

Entry point:
E8, FD, 39, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, F8, B0, 41, 00, 75, 02, F3, C3, E9, 84, 3A, 00, 00, 8B, FF, 55, 8B, EC, 8B, 55, 08, 53, 8B, 5D, 14, 56, 57, 85, DB, 75, 10, 85, D2, 75, 10, 39, 55, 0C, 75, 12, 33, C0, 5F, 5E, 5B, 5D, C3, 85, D2, 74, 07, 8B, 7D, 0C, 85, FF, 75, 13, E8, 29, 1F, 00, 00, 6A, 16, 5E, 89, 30, E8, 3B, 2F, 00, 00, 8B, C6, EB, DD, 85, DB, 75, 07, 33, C0, 66, 89, 02, EB, D0, 8B, 4D, 10, 85, C9, 75, 07, 33, C0, 66, 89, 02, EB, D4, 8B, C2, 83, FB, FF, 75, 18, 8B, F2, 2B, F1, 0F, B7, 01...
 
[+]

Code size:
84 KB (86,016 bytes)

Service
Display name:
SU Service component

Service name:
serversu

Description:
Ongoing updates responsible service.

Type:
Win32OwnProcess


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to dl21.clickmein.com  (216.227.128.186:80)

Remove susrv.exe - Powered by Reason Core Security