regsvr.exe

The executable regsvr.exe has been detected as malware by 40 anti-virus scanners. While running, it connects to the Internet address ir2.fp.vip.bf1.yahoo.com on port 80 using the HTTP protocol.
MD5:
6e6d612dcd8e92e6a9ef628a611632ae

SHA-1:
b0995d95d027269ffc4547bba56052e41369e992

Scanner detections:
40 / 68

Status:
Malware

Analysis date:
4/19/2024 9:43:18 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Worm.Sohanad.NBN
922

Agnitum Outpost
Trojan.Autoit.DX
7.1.1

AhnLab V3 Security
Trojan/Win32.CSon
2014.02.16

Avira AntiVirus
TR/Autoit.CI.14
7.11.131.238

avast!
AutoIt:AutoRun-B@BC [Wrm]
2014.9-140728

AVG
Autoit
2015.0.3400

Baidu Antivirus
Worm.Win32.AutoRun
4.0.3.14728

Bitdefender
Win32.Worm.Sohanad.NBN
1.0.20.1045

Bkav FE
W32.Clodab6.Trojan
1.3.0.4924

Clam AntiVirus
Trojan.Siggen-7
0.98/18355

Comodo Security
TrojWare.Win32.Trojan.Autoit.ci0
17794

Dr.Web
Trojan.Click1.37970
9.0.1.0209

Emsisoft Anti-Malware
Win32.Worm.Sohanad.NBN
8.14.07.28.02

ESET NOD32
Win32/Sohanad.NCB
8.9429

Fortinet FortiGate
W32/Agent.FDR!tr
7/28/2014

F-Prot
W32/Trojan2.DFYJ
v6.4.7.1.166

F-Secure
IM-Worm:W32/Sohanad.HM
11.2014-28-07_2

G Data
Win32.Worm.Sohanad.NBN
14.7.24

IKARUS anti.virus
Trojan.Autoit
t3scan.2.2.29

K7 AntiVirus
Trojan
13.175.11177

Kaspersky
Worm.Win32.AutoRun
14.0.0.3495

Malwarebytes
Trojan.IMWorm
v2014.07.28.02

McAfee
W32/Yahlover.worm
5600.7056

Microsoft Security Essentials
Worm:Win32/Nuqel.AE
1.165.247.01

MicroWorld eScan
Win32.Worm.Sohanad.NBN
15.0.0.627

NANO AntiVirus
Trojan.Win32.AutoRun.hcfwq
0.28.0.57630

Norman
Sohanad.gen5
11.20140728

nProtect
Worm/W32.Sohanad.617984
14.02.16.01

Panda Antivirus
Trj/OCJ.A
14.07.28.02

Qihoo 360 Security
Worm.Win32.FakeFolder.BV
1.0.0.1015

Quick Heal
Worm.AutoRun.A10
7.14.12.00

Rising Antivirus
PE:Malware.FakeFolder@CV!1.6AA9
23.00.65.14726

Sophos
W32/Imaut-H
4.97

SUPERAntiSpyware
Trojan.Agent/Gen-Yahlover
10457

Total Defense
Win32/Yahlover.DN
37.0.10764

Trend Micro House Call
WORM_OTOIT.SMT
7.2.209

Trend Micro
WORM_OTOIT.SMT
10.465.28

Vba32 AntiVirus
Trojan-Downloader.Autoit.gen
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic!SB.0
26516

ViRobot
Worm.Win32.A.IM-Sohanad.511488
2011.4.7.4223

File size:
603.5 KB (617,984 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\regsvr.exe

File PE Metadata
Compilation timestamp:
1/29/1987 7:38:08 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:b3TdtLW5WIj1YSSdFxmkgUKBxeDDDDDdFFFFFFFZ:bDsj1dE2C

Entry address:
0xA5002

Entry point:
E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, 50, 0A, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72, 74...
Entropy:
7.7812  (probably packed)

Code size:
404.5 KB (414,208 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:80)

TCP (HTTP):
Connects to ir2.fp.vip.ir2.yahoo.com  (46.228.47.114:80)

TCP (HTTP):
Connects to ir1.fp.vip.ne1.yahoo.com  (98.138.253.109:80)