home

kb00482953.exe

The executable kb00482953.exe has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Client Server Runtime Process’. While running, it connects to the Internet address ns391674.ip-176-31-104.eu on port 9631.
MD5:
762ce731acb139ad59a1ffa9fde74fcf

SHA-1:
67a1e0b0370f0fde402506eea29c2d05ad3cd60c

SHA-256:
9a8df7c3e363a90999fcbb05bd38676d28df0a94c2db6758b3b4889c5e8eaeb9

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
5/3/2024 7:47:48 PM UTC  (today)

Scan engine
Detection
Engine version

Norman
Trojan.Lethic.Gen.5
28.05.2016 15:32:18

Reason Heuristics
Trojan.Downloader (M)
16.7.16.18

File size:
124 KB (126,976 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\kb00482953.exe

File PE Metadata
Compilation timestamp:
6/29/2016 11:57:12 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:US/TwO/MV3aNDo2J3vGsuwXasd8k+QTgXO6H0ZO2I6AtuqGw:3/TRcaN82JesumI

Entry address:
0x7060

Entry point:
55, 8B, EC, 6A, FE, 68, 20, 86, 40, 00, 68, 78, 72, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 08, 82, 40, 00, 59, 83, 0D, 0C, 91, 40, 00, FF, 83, 0D, 10, 91, 40, 00, FF, FF, 15, 0C, 82, 40, 00, 8B, 0D, 00, 91, 40, 00, 89, 08, FF, 15, 10, 82, 40, 00, 8B, 0D, FC, 90, 40, 00, 89, 08, A1, 14, 82, 40, 00, 8B, 00, A3, 08, 91, 40, 00, E8, 98, 01, 00, 00, 39, 1D, 20, 90, 40, 00, 75, 0C, 68, 64, 72, 40, 00, FF, 15, 18, 82...
 
[+]

Entropy:
7.0101

Developed / compiled with:
Microsoft Visual C++

Code size:
28 KB (28,672 bytes)

Approved Shell Extension
Name:
Autoplay for SlideShow

CLSID:
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}

CLSID name:
Shell Autoplay for Slideshow


2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Client Server Runtime Process

Command:
C:\Documents and Settings\{user}\Application data\csrss.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Host-process Windows (Rundll32.exe)

Command:
C:\users\{user}\appdata\roaming\rundll32.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to ns396520.ip-176-31-123.eu  (176.31.123.194:9631)

TCP:
Connects to a2.89.b6.static.xlhost.com  (207.182.137.162:9997)

TCP:
Connects to ns398924.ip-37-59-42.eu  (37.59.42.217:9631)

TCP:
Connects to kvm1.schlumbergerlimited.ch  (188.138.102.48:9997)

TCP:
Connects to loft9199.serverprofi24.eu  (188.138.41.30:9997)

TCP:
Connects to ns391674.ip-176-31-104.eu  (176.31.104.175:9631)

TCP:
Connects to loft11230.dedicatedpanel.com  (188.138.102.50:9631)

TCP:
Connects to windows.myint85.net  (185.48.56.84:9631)

TCP (SMTP):
Connects to vcs-star-s-myc.mail.vip.sg3.yahoo.com  (106.10.150.156:25)

TCP:
Connects to ns3022934.ip-91-121-72.eu  (91.121.72.83:9631)

TCP:
Connects to loft11332.dedicatedpanel.com  (85.25.237.52:9997)

TCP:
Connects to loft11030.dedicatedpanel.com  (188.138.57.44:9631)

TCP:
Connects to jira.freldo.com  (185.48.56.107:9997)

TCP:
Connects to vps-1.morene.host  (185.48.56.106:9631)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.ir2.yahoo.com  (188.125.68.56:25)

TCP (SMTP):
Connects to vcs-ssmyc.mail.vip.gq1.yahoo.com  (63.250.193.229:25)

TCP:
Connects to ns368209.ip-94-23-31.eu  (94.23.31.152:9997)

TCP:
Connects to loft12100.dedicatedpanel.com  (85.93.93.92:9631)

TCP:
Connects to 27.212.forpsi.net  (81.2.212.27:9631)

TCP:
Connects to user-109-243-127-214.play-internet.pl  (109.243.127.214:9997)

Remove kb00482953.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.