regsvr.exe

The executable regsvr.exe has been detected as malware by 1 of 68 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Msn Messsenger’. While running, it connects to the Internet address ir1.fp.vip.ir2.yahoo.com on port 80 over HTTP.
MD5:
f09c7d85d9837970a4ff171bf28058a8

SHA-1:
9b3ad2992c6e27cbaaea8a27a5ee56f7a60c4878

SHA-256:
b12143503acf90a440816857e646e58a184195142911755e27fad2e659300f2d

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/23/2024 6:19:44 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Tojan.Click (H)

Engine version:
16.1.27.22

File size:
1.7 MB (1,736,192 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\regsvr.exe

File PE Metadata
Compilation timestamp:
1/29/1987 7:38:08 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:bDsj1dEgBcJ9nPx/igrj+XDsj1dEgBcJ9nPx/igrj+XoQptms59Ai7b6dI:bDe1WgsnP8vXDe1WgsnP8vXLXmoxb6dI

Entry address:
0xA5002

Entry point:
E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, 50, 0A, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72, 74...

Entropy:
7.8664  (probably packed)

Code size:
404.5 KB (414,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Msn Messsenger

Command:
C:\users\{user}\appdata\roaming\regsvr.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ir1.fp.vip.ne1.yahoo.com  (98.138.253.109:80)

TCP (HTTP):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:80)

TCP (HTTP):
Connects to ir1.fp.vip.gq1.yahoo.com  (206.190.36.45:80)

TCP (HTTP):
Connects to ir1.fp.vip.ir2.yahoo.com  (46.228.47.115:80)

TCP (HTTP):
Connects to ir2.fp.vip.ir2.yahoo.com  (46.228.47.114:80)

TCP (HTTP):
Connects to ir1.fp.vip.bf1.yahoo.com  (98.139.180.149:80)

Remove regsvr.exe - Powered by Reason Core Security