xtermsettings.exe

The executable xtermsettings.exe has been detected as malware by 3 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the display name ‘XTermSettings.exe’.

Publisher:
C S S CORPORATIVO SISTEMAS E SOLUCOES LTDA ME

MD5:
ac8acd102e39b01e180b7d41e0b58f0b

SHA-1:
ffe4449549112faaf01066e82675b98917eabba4

SHA-256:
ba6adbc3adab5ae17dc69b1076e51a613a2dffeb407d39c29447740f12c571f6

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
11/29/2024 9:32:25 AM UTC

Scan engine                    Detection                       Engine version
ESET NOD32                     Win32/Spy.Banker.ABEO trojan    6.3.12010.0
Kaspersky                      Trojan-Banker.Win32.Banker      15.0.2.529
Microsoft Security Essentials  TrojanSpy:Win32/Banker.XE       1.231.585.0

File size:
1.1 MB (1,192,224 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\15092014\xtermsettings.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
8/11/2014 9:00:00 PM

Valid to:
8/12/2015 8:59:59 PM

Subject:
CN=C S S CORPORATIVO SISTEMAS E SOLUCOES LTDA ME, OU=software, O=C S S CORPORATIVO SISTEMAS E SOLUCOES LTDA ME, L=CRICIUMA, S=SANTA CATARINA, C=BR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
20BE615B9C56F97B0FFA3EA9711B19AD

File PE Metadata
Compilation timestamp:
9/8/2014 4:49:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:bh7SR0kfAvFDBTEKNU0rRYdcoifRslBM+dv32o70kAJSCp9KwYfJumlqo39oL6z9:LkfAvLdNU0rRYdcoifRslBM+dv32o706

Entry address:
0x28DB3

Entry point:
60, BE, 2A, 11, 40, 00, 8D, BE, EB, AF, FF, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 61, 90, 90, 50, 51, 74, 05, 83, C8, 01, EB, 02, 31, C0, F9, 1B, C9, EB, 0D, F7, D0, F7, D0, F7, D3, F7, D3, EB, 01, E8, 33, C9, 85, C9, F7, D0, F7, D0, F7, D3, F7, D3, EB, 01, EB, E3, 05, EB, 01, EA, EB, DF, 59, 85, C0, 58, EB, 01, EB, 6A, 00, 5A, EB, 15, 2A, 0B, 50, 26, 5A, 5D, 4C, 2E, 01, 57, 2F, 05, 1F, 64, 17, 39, 3F, 42, 3C, 41, EB, 83, FA, 00, 75, E6, 50, 51, 74, 05...

Code size:
659 KB (674,816 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
XTermSettings.exe

Command:
C:\users\{user}\appdata\roaming\15092014\xtermsettings.exe


Remove xtermsettings.exe - Powered by Reason Core Security