svchostupdate.exe

The executable svchostupdate.exe has been detected as malware by 5 anti-virus scanners. It is set to execute automatically whenever a user logs into Windows (through the local user Run registry setting), under the value name ‘test’. While running, it connects to the Internet address expirepages-kiae-1.nic.ru on port 9997.
MD5: 6095ab0a18d1b48b7427141cbd912218

SHA-1: d73cca6ff48045be479851b69ade8188612eafe4

SHA-256: e6868034de22310b5b7f3a9db94c0fe6bfca49a128500c1e81368a6655182007

Scanner detections: 5 / 68

Status: Malware

Analysis date: 12/26/2024 4:48:27 AM UTC

Scan engine          Detection              Engine version
Avira AntiVirus      TR/Kazy.huy.11         7.11.215.206
AVG                  Pakes_c                2016.0.3011
IKARUS anti.virus    Trojan.Win32.Pakes     t3scan.1.8.6.0
Norman               Suspicious_Gen4.FTVQP  11.20150821
VIPRE Antivirus      Trojan.Win32.Generic   38292

File size: 124 KB (126,976 bytes)

File type: Executable application (Win32 EXE)

Common path: C:\windows\svchost\svchostupdate.exe

File PE Metadata

Compilation timestamp: 2/23/2012 7:59:16 AM

OS version: 5.0

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 9.0

CTPH (ssdeep): 768:silW7GYDbayYpcP+zrXYPhyUNH+JQlDs/Dg61Y/k95N5YfTJwttZtlSEhyjKB:8BeYPEuHL4zn5UtwttZ/SEhQKB

Entry address: 0x1725

Entry point:
E8, F2, 15, 00, 00, E9, 78, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 8B, 00, 81, 38, 63, 73, 6D, E0, 75, 2A, 83, 78, 10, 03, 75, 24, 8B, 40, 14, 3D, 20, 05, 93, 19, 74, 15, 3D, 21, 05, 93, 19, 74, 0E, 3D, 22, 05, 93, 19, 74, 07, 3D, 00, 40, 99, 01, 75, 05, E8, 47, 16, 00, 00, 33, C0, 5D, C2, 04, 00, 68, 2F, 17, 40, 00, FF, 15, 4C, 90, 40, 00, 33, C0, C3, 8B, FF, 55, 8B, EC, 57, BF, E8, 03, 00, 00, 57, FF, 15, 50, 90, 40, 00, FF, 75, 08, FF, 15, 0C, 90, 40, 00, 81, C7, E8, 03, 00, 00, 81, FF, 60, EA, 00...

Code size: 31.5 KB (32,256 bytes)

Startup File (All Users Run)

Registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: test

Command: C:\windows\svchost\svchostupdate.exe

The executing file has been seen to make the following network communication in live environments.

TCP: Connects to expirepages-kiae-1.nic.ru (109.70.26.37:9997)

Powered by Reason Core Security