regsvr.exe

The executable regsvr.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Msn Messsenger’. While running, it connects to the Internet address ir2.fp.vip.bf1.yahoo.com on port 80 using the HTTP protocol.
MD5:
41b018b9e59049a2030c2f98df17bb9f

SHA-1:
8fda77eb80e63350ed5db547dae6cec44b267b1f

SHA-256:
4e604c59cbdebfd881ffb0a17c4a1d5fd6c3c319c63afee0afcf2bd91c177b60

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/16/2024 4:49:33 PM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Tojan.Click (H)

Engine version:
16.2.4.3

File size:
663.5 KB (679,424 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\regsvr.exe

File PE Metadata
Compilation timestamp:
11/25/2007 4:21:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:c3TdtLW5WIj1YSSdFxsBSXFJ5F7vuLLYL0lqP9Vg2:GDsj1dEcBcFJ5ULLvly9VL

Entry address:
0xA5001

Entry point:
60, E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, 50, 0A, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72...

Packer / compiler:
ASPack v2.12

Code size:
404.5 KB (414,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Msn Messsenger

Command:
C:\users\{user}\appdata\roaming\regsvr.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ir1.fp.vip.ne1.yahoo.com  (98.138.253.109:80)

TCP (HTTP):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:80)

TCP (HTTP):
Connects to ir1.fp.vip.gq1.yahoo.com  (206.190.36.45:80)

TCP (HTTP):
Connects to ir2.fp.vip.sg3.yahoo.com  (106.10.138.240:80)
