svchost.exe

The executable svchost.exe has been detected as malware by 7 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘34d91dfb34a7283483d0aaba9d10147d’. Although this file uses the name svchost.exe, this is NOT the Windows SvcHost (Service Host) distributed with the OS. The file has been seen being downloaded from reggiemenacherry.in.
Version:
1.0.0.1

MD5:
ce7f8a17a8bc5a132001698f26d0d918

SHA-1:
b4d86446cc05ee941e9a6661287ae9179e13e043

SHA-256:
125930df8e37d0d5696c9edc4c3105dfa59c9ece020a1e30f8d464e4d0d12c06

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
12/29/2024 7:07:17 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
160215-2

Dr.Web
Trojan.DownLoader16.34257
9.0.1.05190

Emsisoft Anti-Malware
Trojan.GenericKDZ.30364
11.5.0.6191

ESET NOD32
MSIL/Injector.MAG trojan
8.0.319.0

F-Secure
Trojan.GenericKDZ.30364
5.15.21

Microsoft Security Essentials
Threat.Undefined
1.215.312.0

Norman
Trojan.GenericKDZ.30364
29.02.2016 03:11:57

File size:
235 KB (240,640 bytes)

Product version:
1.0.0.1

Original file name:
NvBackend.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\svchost.exe

File PE Metadata
Compilation timestamp:
11/1/2015 8:56:31 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:pEEyom8TguMCgqcmoyhQK8mIies64WEyQO8AKBOV4KiAmUq8gnReoLbQ9x9Z0IqE:hDx0g4oLbq9r/D02VMs/HNDN42lLSK

Entry address:
0x397FE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
4.6376

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
222.5 KB (227,840 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
34d91dfb34a7283483d0aaba9d10147d

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\svchost.exe


The file svchost.exe has been seen being distributed by the following URL.

Remove svchost.exe - Powered by Reason Core Security