home

catroot.exe

cnkcompany

The executable catroot.exe has been detected as malware by 9 anti-virus scanners. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot.
Publisher:
cnkcompany  (signed and verified)

MD5:
763a70087bc8652252f3e2c683c81665

SHA-1:
650be704ae246d1a083c0bb230a162e19c0dfd61

SHA-256:
80735eaa690ff1fd06a7596a59c045b1e19e119d3acebd167de4f9ea73406ee6

Scanner detections:
9 / 68

Status:
Malware

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
5/18/2024 9:18:20 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Trojan.DL.Rootcat
7.1.1

AhnLab V3 Security
Downloader/Win32.Rootcat
2015.05.23

avast!
Win32:Dropper-gen [Drp]
2014.9-160726

Comodo Security
TrojWare.Win32.Agent.COC
22212

McAfee
Artemis!763A70087BC8
5600.6326

Qihoo 360 Security
HEUR/QVM19.1.Malware.Gen
1.0.0.1015

Trend Micro House Call
Suspicious_GEN.F47V0516
7.2.208

VIPRE Antivirus
Backdoor.Win32.Ircbot.gen
40462

ViRobot
Trojan.Win32.Agent.1149952[h]
2014.3.20.0

File size:
1.1 MB (1,157,752 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Windows\System32\appcompat\catroot\catroot.exe

Digital Signature
Signed by:
cnkcompany

Authority:
Thawte, Inc.

Valid from:
10/22/2014 9:00:00 AM

Valid to:
12/22/2015 8:59:59 AM

Subject:
CN=cnkcompany, O=cnkcompany, L=Asan, S=Chungcheongnam-do, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2F41604294679E0EEDB9C93BAC1748D8

File PE Metadata
Compilation timestamp:
5/13/2015 2:26:47 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:IeWiJZMogevqY6Z8kPSwFM9mDP0Vvl9l+ZS4Hi1hTY5dCFSKtM:ZJTMpe/Y8kP6OM1BscQ6I

Entry address:
0x270000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, B0, 0C, 00, 2D, 1C, 8A, 09, 10, 05, 11, 8A, 09, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, DE, 2F, F3, 63, 68, B0, E9, 37, 7D, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, BB, 51, C2, 40, 13, 3A, CE, 1F, 12, 39, 40, 5C, 3D, 9C...
 
[+]

Entropy:
7.9259  (probably packed)

Code size:
546.5 KB (559,616 bytes)

Remove catroot.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.