igfxhost.exe


The executable igfxhost.exe has been detected as malware by 5 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the display name ‘igfxhost’. While running, it connects to the Internet address hostedc40.carrierzone.com on port 80 using the HTTP protocol.
Publisher:

Product:

Version:
1.00

MD5:
a08292462055d104908425ed227c7d3c

SHA-1:
37807b1f1f4dc164d2bdddba811beca21cb3bd72

SHA-256:
4e57d8796e5d5f4a80c7cfa2a7e044411f0fb512aa2972ead5e0fff52fcdddfc

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
6/21/2018 4:01:37 AM UTC

Scan engine       Detection                   Engine version
avast!            Win32:Oncer                 160917-0
Clam AntiVirus    Win.Worm.Brontok-88         0.98/23042
F-Prot            W32/Thecid.B@mm             4.6.5.141
F-Secure          Win32.Runouce.B@mm          5.15.154
Kaspersky         Email-Worm.Win32.Runouce    15.0.2.529

File size:
4.1 MB (4,338,680 bytes)

Product version:
1.00

Original file name:
intralog.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\ss\igfxhost.exe

File PE Metadata
Compilation timestamp:
8/12/2005 8:04:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x4219FC

Entry point:
60, E8, E6, 19, 00, 00, 8B, 74, 24, 20, E8, 08, 00, 00, 00, 61, 68, B5, 12, 82, 00, C3, E9, 59, E8, 01, 16, 00, 00, 81, E6, 00, F0, FF, FF, 81, EE, 00, 10, 00, 00, 66, 81, 3E, 4D, 5A, 75, F3, 0F, B7, 7E, 3C, 03, FE, 8B, 6F, 78, 03, EE, 8B, 5D, 20, 03, DE, 33, C0, 8B, D6, 83, C3, 04, 40, 8B, 3B, 03, FA, E8, 0F, 00, 00, 00, 47, 65, 74, 50, 72, 6F, 63, 41, 64, 64, 72, 65, 73, 73, 00, 5E, 33, C9, B1, 0F, FC, F3, A6, 75, DA, 8B, F2, 8B, 5D, 24, 03, DE, 0F, B7, 0C, 43, 8B, 5D, 1C, 03, DE, 8B, 1C, 8B, 03, DE, 81...

Entropy:
2.2799

Packer / compiler:
ASPack v1.08.04

Code size:
112 KB (114,688 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
igfxhost

Command:
C:\users\ss\igfxhost.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hostedc40.carrierzone.com (64.29.151.221:80)

Remove igfxhost.exe - Powered by Reason Core Security