services.exe

The executable services.exe has been detected as malware by 40 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the display name 'Tok-Cirrhatus-2091'. While running, it connects to the Internet address ats.sbs.vip.dc11.lumsb.com on port 443.
MD5:
41bc917a697ab13ecb4c97496300080b

SHA-1:
3963b429bf098b194c49a83a4360d65b5c56c746

SHA-256:
12d5a47f20853176b8ea4941b8386171e668272b69a1745160222cb98c724d25

Scanner detections:
40 / 68

Status:
Malware

Analysis date:
5/21/2024 12:44:08 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Backdoor.Hupigon.ADI | 784
Agnitum Outpost | I-Worm.Brontok.SN | 7.1.1
AhnLab V3 Security | Win32/Brontok.worm.45417 | 2014.12.08
Avira AntiVirus | TR/Crypt.cfi.4991 | 7.11.193.98
avast! | Win32:Brontok-CE [Wrm] | 2014.9-141213
AVG | I-Worm/Brontok | 2015.0.3262
Baidu Antivirus | Trojan.Win32.FakeFolder | 4.0.3.141213
Bitdefender | Backdoor.Hupigon.ADI | 1.0.20.1735
Bkav FE | W32.BrontokQ | 1.3.0.6267
Clam AntiVirus | Worm.Brontok.AD | 0.98/21511
Comodo Security | Worm.Win32.Brontok.CM | 20302
Dr.Web | BackDoor.Generic.3162 | 9.0.1.0347
ESET NOD32 | Win32/Brontok.CM | 8.10841
Fortinet FortiGate | W32/Brontok.K@mm | 12/13/2014
F-Prot | W32/Brontok.DT@mm | v6.4.7.1.166
F-Secure | Backdoor.Hupigon.ADI | 11.2014-13-12_7
G Data | Backdoor.Hupigon.ADI | 14.12.24
IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.1.8.5.0
K7 AntiVirus | EmailWorm | 13.186.14262
Kaspersky | Email-Worm.Win32.Brontok | 14.0.0.2803
Malwarebytes | Trojan.Dropper | v2014.12.13.11
McAfee | W32/Rontokbro.gen@MM | 5600.6918
Microsoft Security Essentials | Worm:Win32/Brontok.AF@mm | 1.11202
MicroWorld eScan | Backdoor.Hupigon.ADI | 15.0.0.1041
NANO AntiVirus | Trojan.Win32.Alman.btuxjj | 0.28.6.63850
Norman | Rontokbro | 11.20141213
nProtect | Trojan/W32.Agent.45417.D | 14.12.05.01
Panda Antivirus | Trj/WL.A | 14.12.13.11
Qihoo 360 Security | Trojan.Generic | 1.0.0.1015
Quick Heal | W32.Brontok.Q | 12.14.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.1298B62C!311997996 | 23.00.65.141211
Sophos | W32/Brontok-K | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-SV | 10180
Total Defense | Win32/Robknot.EN | 37.0.11318
Trend Micro House Call | WORM_RONTKBR.D | 7.2.347
Trend Micro | WORM_RONTKBR.D | 10.465.13
Vba32 AntiVirus | Trojan.VBRA.06574 | 3.12.26.3
VIPRE Antivirus | Email-Worm.Win32.Brontok.a | 35524
ViRobot | I-Worm.Win32.Brontok.45417[h] | 2014.3.20.0
Zillya! Antivirus | Worm.Brontok.Win32.483 | 2.0.0.2000

File size:
44.4 KB (45,417 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\services.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:hzx/4NOHLJ4bc0xn6hU+HjGnGEe2v35BMCJ:RBrHLccKnH+aLeA59

Entry address:
0x32F50

Entry point:
E9, FF, D1, FC, FF, 0C, 80, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 27, 2F, 03, 00, 0C, 80, 02, 00...

Packer / compiler:
RLPack FullEdition V1.1X

Code size:
512 bytes

2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus-2091

Command:
"C:\users\{user}\appdata\local\br5205on.exe"

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus-1167

Command:
"C:\users\{user}\appdata\local\br3357on.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.ir2.yahoo.com  (46.228.47.114:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.ir2.yahoo.com  (188.125.80.144:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.ir2.yahoo.com  (46.228.47.115:443)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.121:80)
