syshost.exe

Internet Explorer

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The executable syshost.exe, “Internet Explorer ImpExp FF exporter” has been detected as malware by 6 anti-virus scanners. It runs as a separate (within the context of its own process) windows Service named “syshost32”. While running, it connects to the Internet address 00001001.ch on port 80 using the HTTP protocol.
Publisher:
Microsoft Corporation*  (Invalid match)

Product:
Internet Explorer

Description:
Internet Explorer ImpExp FF exporter

Version:
11.00.9600.16428 (winblue_gdr.131013-1700)

MD5:
6c04641c42f3f7d77aefec0fd0f7baca

SHA-1:
0ed162f5161aaea7c7688d09be6a6488d52e5799

SHA-256:
6ae3f79641cb2cbda12aa183f38732db630faf84a0ba24d29acb4bcb69c57c7a

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
12/26/2024 2:39:20 PM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
HW32.CDB
1.3.0.4959

Kaspersky
Trojan-Dropper.Win32.Necurs
14.0.0.3930

Malwarebytes
Trojan.FakeMS
v2014.05.01.11

Panda Antivirus
Trj/Genetic.gen
14.05.01.11

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Rising Antivirus
PE:Malware.XPACK-HIE/Heur!1.9C48
23.00.65.14429

File size:
76.5 KB (78,336 bytes)

Product version:
11.00.9600.16428

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
extexport.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\installer\{f9573d80-1202-a98d-24af-9286045dd982}\syshost.exe

File PE Metadata
Compilation timestamp:
4/30/2014 8:58:59 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:5p0X5Hu7MsSnIkSPqwGN+7oiEzt3WN861TlKLlLK:5p0pO7MsSnICwT7oiAWr1hK5

Entry address:
0x4833

Entry point:
E8, A2, 7F, 00, 00, E9, 27, E4, FF, FF, C8, C8, C8, C8, C8, C8, C8, C8, C8, C8, 6A, D6, 56, 02, 09, 00, 3C, F6, 70, 06, 00, B9, 8D, 9E, 0F, BA, 94, 0C, EB, 28, C6, 27, 39, FF, 39, 30, 57, C0, 70, 40, 00, 29, C3, 6A, 84, 03, 50, D9, 57, 81, C7, 50, A3, 8C, 0F, 73, 0A, F7, 5A, 40, CC, E8, D1, 03, 06, 91, FF, 10, 02, 12, 75, 00, 00, 10, 2B, FF, 00, 48, 51, CB, C0, 66, 00, EF, 65, FB, D0, D4, FF, 7D, 0A, 00, 75, 56, 00, 8D, 70, 82, 44, 03, A3, 02, 24, 02, 4F, 60, AA, FF, 53, 68, 7D, E8, 33, 80, 55, E4, 0C, 04...
 
[+]

Entropy:
6.8107

Code size:
49.5 KB (50,688 bytes)

Service
Display name:
syshost32

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to static-188-137-75-72.leon.com.pl  (188.137.75.72:32709)

TCP (HTTP):
Connects to 00001001.ch  (65.55.58.201:80)

Remove syshost.exe - Powered by Reason Core Security