Service_KMS.exe

Service_KMS

ByELDI Certificate

The application Service_KMS.exe by ByELDI Certificate has been detected as a potentially unwanted program by 26 of 68 anti-malware scanners. It runs as a separate Windows service (in its own process) named "Service KMSELDI". While running, it connects to the Internet address 2a.6a.acb8.ip4.static.sl-reverse.com on TCP port 13, the Daytime protocol port (RFC 867); the other hosts it contacts, several of them NIST Internet Time Service servers such as time-c.nist.gov and time-d.nist.gov, are reached on the same port, so the traffic is consistent with fetching a trusted time value independent of the local clock rather than with command-and-control.
Publisher:
ByELDI Certificate  (signed and verified; the certificate is self-signed, subject and issuer are both CN=ByELDI Certificate, so the signature is not chained to a trusted CA and only proves the file was not modified after signing)

Product:
Service_KMS

Version:
10.3.0.0

MD5:
23081884235a212fd56bf28a71e0adfc

SHA-1:
7aa2da98f5c094c9f26bd044877147e03e409832

SHA-256:
eddde95d8187a7791dbe25f7f8fbd35722cbd09f22d45bcf865b77469c5fa040

Scanner detections:
26 / 68

Status:
Potentially unwanted

Analysis date:
11/19/2017 7:41:04 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.10015259
1135

AhnLab V3 Security
Trojan/Win32.ADH
2013.12.05

Antiy Labs AVL
Trojan/Win32.Generic
2.0.3.7

AVG
Dropper.Msil
2014.0.3613

Baidu Antivirus
Trojan.Win32.Generic
4.0.3.131227

Bitdefender
Trojan.Generic.10015259
1.0.20.1805

Bkav FE
W32.Clod352.Trojan
1.3.0.4613

Emsisoft Anti-Malware
Trojan.Generic.10015259
8.13.12.27.01

ESET NOD32
MSIL/HackTool.IdleKMS (variant)
8.9190

Fortinet FortiGate
W32/Generic!tr
12/27/2013

F-Secure
Trojan.Generic.10015259
11.2013-27-12_6

G Data
Trojan.Generic.10015259
13.12.22

IKARUS anti.virus
Virus.Dropper
t3scan.2.2.29

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.4280

Kingsoft AntiVirus
Win32.Troj.Undef.(kcloud)
331020.49267

McAfee
RDN/Generic Dropper!sh
5600.7269

McAfee Web Gateway
RDN/Generic Dropper!sh
7.7269

MicroWorld eScan
Trojan.Generic.10015259
14.0.0.1083

NANO AntiVirus
Trojan.Win32..cnjpub
0.28.0.56582

Norman
Agent.AOQWC
11.20131227

Panda Antivirus
Generic Malware
13.12.27.01

Reason Heuristics
PUP.Service.ByELDICertificate.L
14.2.20.22

Sophos
Generic PUA BA
4.96

Trend Micro House Call
TROJ_GEN.R0CBC0EKQ13
7.2.361

Trend Micro
TROJ_GEN.R0CBC0EKQ13
10.465.27

VIPRE Antivirus
Trojan.Win32.Generic
24020

File size:
674.8 KB (690,968 bytes)

Product version:
10.3.0.0

Original file name:
Service_KMS.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\kmspico\service_kms.exe

Digital Signature
Authority:
ByELDI Certificate

Valid from:
11/17/2013 1:41:41 PM

Valid to:
12/31/2039 6:59:59 PM

Subject:
CN=ByELDI Certificate

Issuer:
CN=ByELDI Certificate

Serial number:
AB81DC9F367529BE42665B07570FFA05

File PE Metadata
Compilation timestamp:
11/19/2013 11:00:23 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:pomT1omoVSljFNHXTrw90HSPxH4UosnX99nCdCJSXb:zToYljjjr28GhX96b

Entry address:
0xA5BEE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 17, 8B, 8B, 52, 00, 00, 00, 00, 02, 00, 00, 00, 1C, 01, 00, 00, 1C, 60, 0A, 00, 1C, 40, 0A, 00, 52, 53, 44, 53, 86, AE, 28, C6, AA, 6F, B8, 4D, B4, 73, C8, 1D, 8A, 0E, 21, AC, 01, 00, 00, 00, 4A, 3A, 5C, 44, 6F, 63, 75, 6D, 65, 6E, 74, 73, 5C, 56, 69, 73, 75, 61, 6C, 20, 53, 74, 75, 64, 69, 6F, 20, 32, 30, 31, 33, 5C, 50, 72, 6F, 6A, 65, 63, 74, 73, 5C, 4B, 4D, 53, 20, 45, 4C, 44, 49, 5C, 53, 65, 72, 76, 69, 63, 65, 5F...
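The entry-point dump above is more informative than it looks. Decoded as an added example (this is not code from the report or from the file's author, and the offsets are inferred from the dump's own structure): the first six bytes are `jmp dword ptr [0x402000]`, the usual native stub of a 32-bit .NET executable that jumps through an IAT slot into the CLR loader; what follows is an IMAGE_DEBUG_DIRECTORY entry (type 2, CodeView) whose timestamp 0x528B8B17 is the same instant as the listed compilation time of 11/19/2013 11:00:23 AM in UTC-5; and then the RSDS record itself, carrying the PDB GUID, age and the build-machine path `J:\Documents\Visual Studio 2013\Projects\KMS ELDI\Service_` (truncated on the page, so the parser reports it as truncated).

```python
"""Decode the 'Entry point' byte dump from the scan report (added example, not
part of the report): the x86 JMP stub, the IMAGE_DEBUG_DIRECTORY that follows
it, and the RSDS (CodeView) record that carries the PDB GUID, age and path."""
import struct
import uuid
from datetime import datetime, timezone

# Bytes exactly as listed on the page; the dump stops at "..." mid-path.
ENTRY = (
    bytes.fromhex("FF 25 00 20 40 00")   # jmp dword ptr [0x00402000]
    + bytes(16)                          # 12 bytes of padding + Characteristics (4 bytes, 0)
    + bytes.fromhex("17 8B 8B 52 00 00 00 00 02 00 00 00 1C 01 00 00 1C 60 0A 00 1C 40 0A 00")
    + bytes.fromhex("52 53 44 53 86 AE 28 C6 AA 6F B8 4D B4 73 C8 1D 8A 0E 21 AC 01 00 00 00")
    + bytes.fromhex("4A 3A 5C 44 6F 63 75 6D 65 6E 74 73 5C 56 69 73 75 61 6C 20 53 74 75 64"
                    "69 6F 20 32 30 31 33 5C 50 72 6F 6A 65 63 74 73 5C 4B 4D 53 20 45 4C 44"
                    "49 5C 53 65 72 76 69 63 65 5F")
)

IMAGE_DEBUG_TYPE_CODEVIEW = 2


def decode_jmp_stub(buf):
    """FF 25 imm32 is 'jmp dword ptr [imm32]': an absolute indirect jump through
    an IAT slot (for a managed EXE, the slot holding mscoree!_CorExeMain).
    Returns the slot address, or None if no such stub is present."""
    if buf[:2] != b"\xFF\x25":
        return None
    return struct.unpack_from("<I", buf, 2)[0]


def decode_debug_directory(buf, offset):
    """Parse one 28-byte IMAGE_DEBUG_DIRECTORY starting at offset."""
    chars, ts, major, minor, dtype, size, rva, fptr = struct.unpack_from("<IIHHIIII", buf, offset)
    return {
        "characteristics": chars,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "type": dtype,
        "size": size,
        "rva": rva,
        "file_offset": fptr,
    }


def decode_rsds(buf, offset):
    """Parse an RSDS CodeView record: 'RSDS', GUID (little-endian field layout),
    32-bit age, NUL-terminated PDB path. A truncated dump has no terminator."""
    if buf[offset:offset + 4] != b"RSDS":
        raise ValueError("no RSDS signature at offset %d" % offset)
    guid = uuid.UUID(bytes_le=buf[offset + 4:offset + 20])
    age = struct.unpack_from("<I", buf, offset + 20)[0]
    raw = buf[offset + 24:]
    end = raw.find(b"\x00")
    path = raw[:end if end >= 0 else len(raw)].decode("ascii")
    return {
        "guid": str(guid),
        "age": age,
        "pdb_path": path,
        "truncated": end < 0,
        # Symbol-server lookup key: uppercase GUID without dashes, followed by age.
        "symbol_key": guid.hex.upper() + str(age),
    }


def analyse(buf=ENTRY):
    """Walk the dump. The debug directory is taken to be the 28 bytes immediately
    before the RSDS signature; its fields (type 2, size 0x11C, compile-time
    timestamp) are self-consistent, which is what justifies that inference."""
    rsds_off = buf.find(b"RSDS")
    dbg_off = rsds_off - 28
    return {
        "jmp_target": decode_jmp_stub(buf),
        "debug": decode_debug_directory(buf, dbg_off),
        "rsds": decode_rsds(buf, rsds_off),
    }


if __name__ == "__main__":
    r = analyse()
    print("jmp target      : 0x%08X" % r["jmp_target"])
    print("debug type/size : %d / 0x%X" % (r["debug"]["type"], r["debug"]["size"]))
    print("link timestamp  : %s" % r["debug"]["timestamp"].isoformat())
    print("pdb guid/age    : %s / %d" % (r["rsds"]["guid"], r["rsds"]["age"]))
    print("symbol key      : %s" % r["rsds"]["symbol_key"])
    print("pdb path        : %s%s" % (r["rsds"]["pdb_path"], " ..." if r["rsds"]["truncated"] else ""))
```

The PDB GUID and age are stable across copies of the same build, so the symbol key is a useful pivot for clustering other samples from the same project even when file hashes differ; the build path is likewise an attribution artifact that survives re-signing.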

Entropy:
5.6613

Code size:
655 KB (670,720 bytes)

Service
Display name:
Service KMSELDI

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to time-c.nist.gov  (129.6.15.30:13)

TCP:
Connects to time-d.nist.gov  (129.6.15.27:13)

TCP:
Connects to nist1-lnk.binary.net  (216.229.0.179:13)

TCP:
Connects to 207_223_123_18.colo.teklinks.net  (207.223.123.18:13)

TCP:
Connects to 2a.6a.acb8.ip4.static.sl-reverse.com  (184.172.106.42:13)

TCP:
Connects to nist.netservicesgroup.com  (64.113.32.5:13)

TCP:
Connects to nist-time-server.eoni.com  (216.228.192.69:13)

TCP:
Connects to nisttime.edzone.net  (198.111.152.100:13)

TCP:
Connects to host-24-56-178-140.beyondbb.com  (24.56.178.140:13)

Powered by Reason Core Security