services.exe
The executable services.exe has been detected as malware by 40 of the 68 anti-virus scanners used. Most engines classify it as a variant of the Brontok (Rontokbro) mass-mailing worm; a minority apply generic backdoor, dropper or packed-trojan signatures. The engine versions listed below date the scan to December 2014, so the detection names should be read as historical. On execution it establishes persistence through the current-user Run key with two entries, named 'Tok-Cirrhatus-2091' and 'Tok-Cirrhatus-1167'; these launch br5205on.exe and br3357on.exe from the same %LOCALAPPDATA% directory that holds services.exe, not services.exe itself. While running, it connects over TCP port 443 to ats.sbs.vip.dc11.lumsb.com (8.12.146.61). The remaining observed connections go to Yahoo front-end hosts and a Prolexic host, which are shared infrastructure and not indicators on their own.
File name: services.exe
MD5: 41bc917a697ab13ecb4c97496300080b
SHA-1: 3963b429bf098b194c49a83a4360d65b5c56c746
SHA-256: 12d5a47f20853176b8ea4941b8386171e668272b69a1745160222cb98c724d25
Analysis
Scanner detections: 40 / 68
Status: Malware
Analysis date: 5/21/2024 12:44:08 PM UTC
Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Backdoor.Hupigon.ADI | 784
Agnitum Outpost | I-Worm.Brontok.SN | 7.1.1
AhnLab V3 Security | Win32/Brontok.worm.45417 | 2014.12.08
Avira AntiVirus | TR/Crypt.cfi.4991 | 7.11.193.98
avast! | Win32:Brontok-CE [Wrm] | 2014.9-141213
AVG | I-Worm/Brontok | 2015.0.3262
Baidu Antivirus | Trojan.Win32.FakeFolder | 4.0.3.141213
Bitdefender | Backdoor.Hupigon.ADI | 1.0.20.1735
Bkav FE | W32.BrontokQ | 1.3.0.6267
Clam AntiVirus | Worm.Brontok.AD | 0.98/21511
Comodo Security | Worm.Win32.Brontok.CM | 20302
Dr.Web | BackDoor.Generic.3162 | 9.0.1.0347
ESET NOD32 | Win32/Brontok.CM | 8.10841
Fortinet FortiGate | W32/Brontok.K@mm | 12/13/2014
F-Prot | W32/Brontok.DT@mm | v6.4.7.1.166
F-Secure | Backdoor.Hupigon.ADI | 11.2014-13-12_7
G Data | Backdoor.Hupigon.ADI | 14.12.24
IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.1.8.5.0
K7 AntiVirus | EmailWorm | 13.186.14262
Kaspersky | Email-Worm.Win32.Brontok | 14.0.0.2803
Malwarebytes | Trojan.Dropper | v2014.12.13.11
McAfee | W32/Rontokbro.gen@MM | 5600.6918
Microsoft Security Essentials | Worm:Win32/Brontok.AF@mm | 1.11202
MicroWorld eScan | Backdoor.Hupigon.ADI | 15.0.0.1041
NANO AntiVirus | Trojan.Win32.Alman.btuxjj | 0.28.6.63850
Norman | Rontokbro | 11.20141213
nProtect | Trojan/W32.Agent.45417.D | 14.12.05.01
Panda Antivirus | Trj/WL.A | 14.12.13.11
Qihoo 360 Security | Trojan.Generic | 1.0.0.1015
Quick Heal | W32.Brontok.Q | 12.14.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.1298B62C!311997996 | 23.00.65.141211
Sophos | W32/Brontok-K | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-SV | 10180
Total Defense | Win32/Robknot.EN | 37.0.11318
Trend Micro House Call | WORM_RONTKBR.D | 7.2.347
Trend Micro | WORM_RONTKBR.D | 10.465.13
Vba32 AntiVirus | Trojan.VBRA.06574 | 3.12.26.3
VIPRE Antivirus | Email-Worm.Win32.Brontok.a | 35524
ViRobot | I-Worm.Win32.Brontok.45417[h] | 2014.3.20.0
Zillya! Antivirus | Worm.Brontok.Win32.483 | 2.0.0.2000
File Details
File size: 44.4 KB (45,417 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\{user}\appdata\local\services.exe
File PE Metadata
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 5.12
CTPH (ssdeep): 768:hzx/4NOHLJ4bc0xn6hU+HjGnGEe2v35BMCJ:RBrHLccKnH+aLeA59
Entry address: 0x32F50
Entry point: E9, FF, D1, FC, FF, 0C, 80, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 27, 2F, 03, 00, 0C, 80, 02, 00...
Packer / compiler: RLPack FullEdition V1.1X
Code size: 512 bytes
The sample is packed with RLPack, so strings and imports seen in a static scan belong to the packer stub rather than to the payload; unpack before static analysis. The number 45417 that appears in several detection names above is this file's size in bytes.
Behaviors
Startup files (User Run): 2
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Tok-Cirrhatus-2091
Command: "C:\users\{user}\appdata\local\br5205on.exe"
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Tok-Cirrhatus-1167
Command: "C:\users\{user}\appdata\local\br3357on.exe"
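One way to hunt for this persistence pattern across a fleet is to export each user's Run key with `reg export` and scan the result offline. The script below is an added example, not code from this page or from Reason Core Security. It parses the .reg text format and flags entries on three signals taken from the two entries above; the regexes treat the digit runs in Tok-Cirrhatus-2091 / -1167 and br5205on.exe / br3357on.exe as variable, which is an assumption that goes beyond the two concrete names the page lists. The registry export it runs against is constructed for the example, with one benign OneDrive entry added for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: roughly what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
# yields on a host carrying the two entries from this page, plus one benign entry for contrast.
# (Real exports are UTF-16 LE; open them with encoding="utf-16" before parsing.)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Tok-Cirrhatus-2091"="\"C:\\Users\\alice\\AppData\\Local\\br5205on.exe\""
"Tok-Cirrhatus-1167"="\"C:\\Users\\alice\\AppData\\Local\\br3357on.exe\""
'''

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data", where a backslash escapes the following character (\\ and \") inside either string
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Assumption: the page lists Tok-Cirrhatus-2091 / -1167 and br5205on.exe / br3357on.exe;
# the digit runs are treated as variable so other numbered instances are also caught.
RUN_NAME = re.compile(r'^Tok-Cirrhatus-\d+$', re.IGNORECASE)
IMAGE_NAME = re.compile(r'^br\d+on\.exe$', re.IGNORECASE)


def _unescape(s):
    # Undo .reg escaping: a backslash escapes the character after it.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for each quoted string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group('name')), _unescape(m.group('data'))


def command_image(command):
    """Return the executable path from a Run-key command: "quoted path" args, or bare path args."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def assess_run_entries(reg_text):
    """Flag Run-key values matching the persistence pattern on this page; returns a list of findings."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.upper().endswith(r'\CURRENTVERSION\RUN'):
            continue
        image = command_image(data)
        parts = [p.lower() for p in PureWindowsPath(image).parts]
        reasons = []
        if RUN_NAME.match(name):
            reasons.append('value name follows the Tok-Cirrhatus-<digits> pattern')
        if parts and IMAGE_NAME.match(parts[-1]):
            reasons.append('image name follows the br<digits>on.exe pattern')
        if parts[-3:-1] == ['appdata', 'local']:
            # Assumption: installed software normally lives in a subfolder, not the root of %LOCALAPPDATA%
            reasons.append('image sits directly in %LOCALAPPDATA%')
        if reasons:
            findings.append({'key': key, 'name': name, 'image': image, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in assess_run_entries(SAMPLE_REG_EXPORT):
        print(f"{f['name']!r} -> {f['image']}")
        for r in f['reasons']:
            print('   -', r)
```

The three signals are scored independently so that a renamed value or a relocated image still produces a finding; a hit on the value-name or image-name pattern alone is strong, while the %LOCALAPPDATA% location alone is only a prompt to look at the file's hashes against the ones listed above.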
Network Communications
The executing file has been observed making the following connections in live environments.
TCP 443 (HTTPS): ats.sbs.vip.dc11.lumsb.com (8.12.146.61:443)
TCP 443 (HTTPS): ir2.fp.vip.ir2.yahoo.com (46.228.47.114:443)
TCP 443 (HTTPS): media-router-fp1.prod.media.vip.ir2.yahoo.com (188.125.80.144:443)
TCP 443 (HTTPS): ir1.fp.vip.ir2.yahoo.com (46.228.47.115:443)
TCP 80 (HTTP): unknown.prolexic.com (72.52.4.121:80)
Only the first host is specific to this sample. The Yahoo front-end hosts and the Prolexic host are shared, legitimate infrastructure, so treat them as context rather than as indicators; the resolved IP addresses may also have changed since the scan, so match on the host names where DNS or TLS SNI data is available.
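The distinction between the sample-specific host and the shared infrastructure matters when these addresses are fed into detection. The following script is an added example, not code from this page or from Reason Core Security: it carries the five hosts and addresses above as two tiers of indicators, runs them over DNS and connection records, and escalates only machines with a hit on the sample-specific tier, while still recording the shared-infrastructure hits as supporting context. The log lines and the key=value record format are constructed for the example and do not correspond to any particular product's output.

```python
import re
from collections import defaultdict

# Indicators taken from this page. Only the first host is specific to the sample; the others
# are shared Yahoo / Prolexic infrastructure the worm happens to touch, so a hit on them is
# context, not evidence, and blocking them would disrupt legitimate traffic.
C2_HOSTS = {'ats.sbs.vip.dc11.lumsb.com'}
C2_IPS = {'8.12.146.61'}
CONTEXT_HOSTS = {
    'ir2.fp.vip.ir2.yahoo.com', 'media-router-fp1.prod.media.vip.ir2.yahoo.com',
    'ir1.fp.vip.ir2.yahoo.com', 'unknown.prolexic.com',
}
CONTEXT_IPS = {'46.228.47.114', '188.125.80.144', '46.228.47.115', '72.52.4.121'}

# Constructed sample log in a simple key=value format (not a real product's output):
# "dns" records carry the queried name and answer, "conn" records carry the destination.
SAMPLE_LOG = """\
2024-05-21T12:44:08Z dns  host=ws17 q=ats.sbs.vip.dc11.lumsb.com a=8.12.146.61
2024-05-21T12:44:09Z conn host=ws17 dst=8.12.146.61:443 proto=tcp
2024-05-21T12:44:10Z dns  host=ws17 q=ir2.fp.vip.ir2.yahoo.com a=46.228.47.114
2024-05-21T12:44:11Z conn host=ws17 dst=46.228.47.114:443 proto=tcp
2024-05-21T12:45:00Z conn host=ws22 dst=8.12.146.61:443 proto=tcp
2024-05-21T12:46:30Z dns  host=ws09 q=ir1.fp.vip.ir2.yahoo.com a=46.228.47.115
2024-05-21T12:46:31Z conn host=ws09 dst=46.228.47.115:443 proto=tcp
2024-05-21T12:47:02Z dns  host=ws31 q=www.example.com a=93.184.216.34
"""

LINE = re.compile(r'^(?P<ts>\S+)\s+(?P<kind>dns|conn)\s+(?P<rest>.*)$')


def parse_line(line):
    """Return (ts, kind, fields) or None for lines that are not dns/conn records."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group('rest').split() if '=' in kv)
    return m.group('ts'), m.group('kind'), fields


def classify(kind, fields):
    """Map one record to ('c2' | 'context' | None, matched indicator)."""
    if kind == 'dns':
        candidates = [fields.get('q', '').lower().rstrip('.'), fields.get('a', '')]
    else:
        # dst is "ip:port"; keep the address part only
        candidates = [fields.get('dst', '').rsplit(':', 1)[0]]
    for c in candidates:
        if c in C2_HOSTS or c in C2_IPS:
            return 'c2', c
    for c in candidates:
        if c in CONTEXT_HOSTS or c in CONTEXT_IPS:
            return 'context', c
    return None, None


def triage(log_text):
    """Per host name: list of (ts, level, indicator) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, kind, fields = rec
        level, ioc = classify(kind, fields)
        if level:
            hits[fields.get('host', '?')].append((ts, level, ioc))
    return dict(hits)


def hosts_to_escalate(log_text):
    """Sorted hosts with at least one sample-specific (c2) hit; context-only hosts are excluded."""
    return sorted(h for h, hs in triage(log_text).items() if any(l == 'c2' for _, l, _ in hs))


if __name__ == '__main__':
    for host, hs in sorted(triage(SAMPLE_LOG).items()):
        print(host, hs)
    print('escalate:', hosts_to_escalate(SAMPLE_LOG))
```

Host ws22 is escalated on the destination address alone, which is why the IP is kept in the sample-specific tier even though it may have changed since the scan: a connection to it with no preceding DNS lookup is still worth a look. Host ws09 only reached a Yahoo front end and is left alone.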
Powered by Reason Core Security