regsvr.exe

The application regsvr.exe has been detected as a potentially unwanted program by 28 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address ir1.fp.vip.ne1.yahoo.com on port 80 using the HTTP protocol.
MD5: 2c03ebfcce68f0499ffe6379044b9e29

SHA-1: 7ca81aae28be8568e21e79d632792b4e8e587fd3

Scanner detections: 28 / 68

Status: Potentially unwanted

Analysis date: 3/2/2017 3:50:27 PM UTC

Scan engine                      Detection                                Engine version
AhnLab V3 Security               Win32/Sohanad.worm.617343                17.03.02
Avira AntiVirus                  TR/Autoit.CI.14                          17.03.02
SafeCentral                      W32/Trojan2.DFYJ                         17.03.02
avast!                           Win32:AutoIt-CI                          2014.9-170302
Bitdefender                      Trojan.Generic.319872                    1.0.20.305
Clam AntiVirus                   Trojan.Autoit.gen                        0.98/18155
Dr.Web                           Trojan.Siggen.288                        9.0.1.061
ESET NOD32                       Win32/Autoit.CC                          11.-
eTrust Vet Antivirus             Win32/Armax.H                            17.03.02
Fortinet FortiGate               W32/Yahlover.C!worm                      3/2/2017
F-Prot                           W32/Trojan2.DFYJ                         v6.-
F-Secure                         Trojan.Win32.Autoit.ci                   11.2017-02-03_5
G Data                           Trojan.Generic.319872                    17.3.-
IKARUS anti.virus                Trojan.Autoit.CI.14                      17.03.02
K7 AntiVirus                     not-a-virus:Monitor.Win32.Ardamax.ae     13.-
Kaspersky                        Trojan.Win32.Autoit                      14.0.0.-1247
McAfee                           W32/Yahlover.worm.gen.c                  5600.6108
Microsoft Security Essentials    TrojanDownloader:AutoIt/Agent            1.163.1557.0
NOD32Beta                        Win32/Autoit.CC                          17.03.02
Norman                           Sohanad.gen6                             11.20170302
Quick Heal                       Worm.AutoIt.x                            3.17.-
Rising Antivirus                 Win32.Virut.GEN                          23.00.65.17228
Sophos                           W32/Autoit-Z                             17.03.02
Sunbelt AntiMalware              Backdoor.Win32.Bifrose.aci               3.2.183.3
Trend Micro                      WORM_DELF.FKZ                            10.465.02
Vba32 AntiVirus                  Worm.Win32.AutoIt.x                      17.03.02
ViRobot                          Trojan.Win32.Autoit.617343               17.03.02
WebWasher Gateway                Trojan.Autoit.CI.14                      17.03.02

File size: 609.4 KB (623,995 bytes)

File type: Executable application (Win32 EXE)

Common path: C:\Windows\System32\regsvr.exe

File PE Metadata

Compilation timestamp: 5/25/2055 11:40:40 PM

OS version: 4.0

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 8.0

Entry address: 0xA5001

Entry point:
60, E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, 50, 0A, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72...

Entropy: 7.7862

Packer / compiler: ASPack v2.12

Code size: 404.5 KB (414,208 bytes)

Scheduled Task

Task name: At1

Path: C:\WINDOWS\Tasks\At1.job

Trigger: Weekly (Runs weekly on Fridays at 9:00 AM)

Description: Created by NetScheduleJobAdd.


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to ir1.fp.vip.ne1.yahoo.com (98.138.253.109:80)

TCP (HTTP): Connects to ir1.fp.vip.gq1.yahoo.com (206.190.36.45:80)

Analysis by Reason Core Security.