svchost.exe

The application svchost.exe has been detected as a potentially unwanted program by 13 anti-malware scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. Although this file uses the name svchost.exe, this is NOT the Windows SvcHost (Service Host) distributed with the OS. The file has been seen being downloaded from www.cs.cmu.edu.
MD5:
7f2588848040af6f4d8c43f6b6fb34c8

SHA-1:
3ac628d3383a362fe7c6ece81eeae96a9736970e

SHA-256:
426efa3e5951ef5bbaf8ea397a9754f776bd68201a1cfa18dfa247ae142d9e77

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
12/26/2024 1:29:50 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.BitCoinMiner.GW
536

Agnitum Outpost
Riskware.Agent
7.1.1

Arcabit
Application.BitCoinMiner.GW
1.0.0.425

Baidu Antivirus
Hacktool.Win64.BitCoinMiner
4.0.3.15818

Bitdefender
Application.BitCoinMiner.GW
1.0.20.1150

ESET NOD32
Win64/BitCoinMiner.Z potentially unsafe (variant)
9.12069

F-Secure
Application.BitCoinMiner.GW
11.2015-18-08_3

G Data
Application.BitCoinMiner.GW
15.8.25

Malwarebytes
RiskWare.BitCoinMiner
v2015.08.18.10

MicroWorld eScan
Application.BitCoinMiner.GW
16.0.0.690

Quick Heal
Riskware.BitCoinMiner.r11 (Not a Virus)
8.15.14.00

VIPRE Antivirus
Trojan.Win32.Generic
42758

ViRobot
Trojan.Win32.A.Downloader.837253[h]
2014.3.20.0

File size:
817.6 KB (837,253 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\svchost\m\svchost.exe

File PE Metadata
Compilation timestamp:
9/2/2014 5:11:13 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.23

CTPH (ssdeep):
12288:zCD9aisioSfSg282ud/FQ5LjfOOosmkF5z1/mphv1bWE:z/SIhud/FQ5LzOOlLz1/Wv1bWE

Entry address:
0x14B0

Entry point:
48, 83, EC, 28, C7, 05, E2, EA, 08, 00, 00, 00, 00, 00, E8, DD, C7, 04, 00, E8, B8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 48, 83, EC, 28, FF, 15, 46, 10, 09, 00, 89, C0, 48, 83, C4, 28, C3, 66, 66, 66, 66, 66, 66, 2E, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 83, EC, 38, 48, 8D, 4C, 24, 20, FF, 15, 51, 10, 09, 00, 48, 8B, 44, 24, 20, 48, 83, C4, 38, C3, 0F, 1F, 80, 00, 00, 00, 00, 48, 83, EC, 38, 48, 8D, 4C, 24, 20, FF, 15, 39, 10, 09, 00, 48, 8B, 44, 24, 20, 48, 83, C4, 38, C3, 90, 90, 90, 90, 90, 90, 90...
 
[+]

Code size:
370 KB (378,880 bytes)

The file svchost.exe has been seen being distributed by the following URL.

Remove svchost.exe - Powered by Reason Core Security