svchost.exe

The application svchost.exe, “Host Process for Windows Services”, has been detected as a potentially unwanted program by 25 anti-malware scanners. It is a setup program used to install the application. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Setup’. This is a malicious Bitcoin miner. Bitcoin-mining malware forces computers to generate Bitcoins for cybercriminals' use and consumes computing power. Although this file uses the name svchost.exe, it is NOT the Windows SvcHost (Service Host) distributed with the OS.
Description:
Host Process for Windows Services

Version:
0.0.0.34

MD5:
047f100f1b228960115f0f7ab106fab5

SHA-1:
3620ded4a41b1ee0ab56e80752af86522ba19996

SHA-256:
b5d92bc976c8dc62e22f0790ebd7ba5efb5739f04bece08209ad95e6b0180bdb

Scanner detections:
25 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
12/28/2024 1:19:29 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Generic.10137403 | 959
Avira AntiVirus | TR/Dropper.Gen | 7.11.125.190
avast! | Java:BitCoinMiner-A [PUP] | 2014.9-140621
AVG | Generic9_c | 2015.0.3437
Baidu Antivirus | Trojan.Win32.BitCoinMiner | 4.0.3.14621
Bitdefender | Trojan.Generic.10137403 | 1.0.20.860
Comodo Security | UnclassifiedMalware | 17639
Dr.Web | Tool.BtcMine.134 | 9.0.1.0172
Emsisoft Anti-Malware | Trojan.Generic.10137403 | 8.14.06.21.05
ESET NOD32 | Win32/BitCoinMiner.AF (variant) | 8.9309
Fortinet FortiGate | Riskware/Java_BitCoinMiner | 6/21/2014
F-Secure | Trojan.Generic.10137403 | 11.2014-21-06_7
G Data | Trojan.Generic.10137403 | 14.6.24
IKARUS anti.virus | not-a-virus:RiskTool.Java.BitCoinMiner | t3scan.2.2.29
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.3679
McAfee | Artemis!047F100F1B22 | 5600.7093
Microsoft Security Essentials | Trojan:Win32/Comroki | 1.165.247.01
MicroWorld eScan | Trojan.Generic.10137403 | 15.0.0.516
NANO AntiVirus | Riskware.Win32.BtcMine.blcexn | 0.28.0.57029
nProtect | Trojan.Generic.10137403 | 14.01.19.01
Panda Antivirus | Trj/CI.A | 14.06.21.05
Trend Micro House Call | TROJ_SPNR.08C913 | 7.2.172
Trend Micro | TROJ_SPNR.08C913 | 10.465.21
Vba32 AntiVirus | Trojan-Downloader.Autoit.gen | 3.12.24.3
VIPRE Antivirus | Trojan.Win32.AutoIt.gen.1 | 25576

File size:
17.9 MB (18,768,127 bytes)

Copyright:
Microsoft Corporation

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\sysinstall\svchost.exe

File PE Metadata
Compilation timestamp:
1/30/2012 12:32:28 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
393216:jMJWssRAqK2nmJXLoQ//+ul4NzSWThHDsxDIyXmUB:4JwHmaQHbuNWWThDshIy2UB

Entry address:
0x165C1

Entry point:
E8, 16, 90, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, 24, 97, 4A, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, DD, 03, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, 40, 67, 41, 00, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03, C8...

Code size:
514 KB (526,336 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Setup

Command:
"C:\users\{user}\appdata\roaming\sysinstall\svchost.exe"

The file svchost.exe has been observed being distributed from the following 2 URLs.

Remove svchost.exe - Powered by Reason Core Security