regsvr.exe

The executable regsvr.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Msn Messsenger’.
MD5:
51101b740f187f84c35d46b2b13455ee

SHA-1:
31147f5f0c2fa49b823d06cc382963c42e96d3a4

SHA-256:
deb4153b2b6cd5947f1b21993df2aa549ea7f5090794290b204c96cf65a247b3

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
5/6/2024 4:40:37 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Tojan.Click (H)

Engine version:
17.3.7.6

File size:
824 KB (843,777 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\regsvr.exe

File PE Metadata
Compilation timestamp:
11/25/2007 2:21:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0xA5000

Entropy:
7.2764

Code size:
404.5 KB (414,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Msn Messsenger

Command:
C:\users\{user}\appdata\roaming\regsvr.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 147.62.236.23.bc.googleusercontent.com  (23.236.62.147:80)

TCP (HTTP):
Connects to ec2-34-197-139-56.compute-1.amazonaws.com  (34.197.139.56:80)

TCP (HTTP):
Connects to ns8914.dotvndns.vn  (112.213.89.14:80)

TCP (HTTP):
Connects to s11.linuxpl.com  (88.198.8.17:80)

Remove regsvr.exe - Powered by Reason Core Security