» svchost.exe
Overview
Analysis
File Details
Downloads (1)

svchost.exe

The application svchost.exe has been detected as a potentially unwanted program by 13 anti-malware scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. Although this file uses the name svchost.exe, this is NOT the Windows SvcHost (Service Host) distributed with the OS. The file has been seen being downloaded from www.cs.cmu.edu.

File name:

svchost.exe

MD5:

7f2588848040af6f4d8c43f6b6fb34c8

SHA-1:

3ac628d3383a362fe7c6ece81eeae96a9736970e

SHA-256:

426efa3e5951ef5bbaf8ea397a9754f776bd68201a1cfa18dfa247ae142d9e77

Scanner detections:

13 / 68

Status:

Potentially unwanted

Explanation:

The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:

11/5/2024 10:31:47 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Application.BitCoinMiner.GW

536

Agnitum Outpost

Riskware.Agent

7.1.1

Arcabit

Application.BitCoinMiner.GW

1.0.0.425

Baidu Antivirus

Hacktool.Win64.BitCoinMiner

4.0.3.15818

Bitdefender

Application.BitCoinMiner.GW

1.0.20.1150

ESET NOD32

Win64/BitCoinMiner.Z potentially unsafe (variant)

9.12069

F-Secure

Application.BitCoinMiner.GW

11.2015-18-08_3

G Data

Application.BitCoinMiner.GW

15.8.25

Malwarebytes

RiskWare.BitCoinMiner

v2015.08.18.10

MicroWorld eScan

Application.BitCoinMiner.GW

16.0.0.690

Quick Heal

Riskware.BitCoinMiner.r11 (Not a Virus)

8.15.14.00

VIPRE Antivirus

Trojan.Win32.Generic

42758

ViRobot

Trojan.Win32.A.Downloader.837253[h]

2014.3.20.0

File size:

817.6 KB (837,253 bytes)

File type:

Executable application (Win64 EXE)

Common path:

C:\users\{user}\appdata\roaming\svchost\m\svchost.exe

File PE Metadata

Compilation timestamp:

9/2/2014 5:11:13 PM

OS version:

4.0

OS bitness:

Win64

Subsystem:

Windows Console

Linker version:

2.23

CTPH (ssdeep):

12288:zCD9aisioSfSg282ud/FQ5LjfOOosmkF5z1/mphv1bWE:z/SIhud/FQ5LzOOlLz1/Wv1bWE

Entry address:

0x14B0

Entry point:

48, 83, EC, 28, C7, 05, E2, EA, 08, 00, 00, 00, 00, 00, E8, DD, C7, 04, 00, E8, B8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 48, 83, EC, 28, FF, 15, 46, 10, 09, 00, 89, C0, 48, 83, C4, 28, C3, 66, 66, 66, 66, 66, 66, 2E, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 83, EC, 38, 48, 8D, 4C, 24, 20, FF, 15, 51, 10, 09, 00, 48, 8B, 44, 24, 20, 48, 83, C4, 38, C3, 0F, 1F, 80, 00, 00, 00, 00, 48, 83, EC, 38, 48, 8D, 4C, 24, 20, FF, 15, 39, 10, 09, 00, 48, 8B, 44, 24, 20, 48, 83, C4, 38, C3, 90, 90, 90, 90, 90, 90, 90... 
[+]

Code size:

370 KB (378,880 bytes)

The file svchost.exe has been seen being distributed by the following URL.

http://www.cs.cmu.edu/~dga/crypto/.../xptminer-sse4-b16.exe

Remove svchost.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.