services.exe
The executable services.exe has been detected as malware by 41 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘Bron-Spizaetus’. While running, it connects to the Internet address ats.sbs.vip.dc11.lumsb.com on port 443.
File name: services.exe
MD5: 2fbc874a623f6d8b0cfcd26466dc3e5c
SHA-1: 7df9508892852b909b53c81ac7a179fb2125c77c
SHA-256: 5e2307e2581bc5577fff211474ffbff8e5dcc2aca1cf0c47a50a55723dfd3ffa
Analysis
Scanner detections: 41 / 68
Status: Malware
Analysis date: 5/21/2024 9:22:33 PM UTC
| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Win32.Generic.5568 | 456 |
| Agnitum Outpost | I-Worm.Brontok | 7.1.1 |
| AhnLab V3 Security | HEUR/Fakon.mwf | 2015.11.03 |
| Avira AntiVirus | WORM/Brontok.E.1 | 8.3.2.2 |
| Arcabit | Win32.Generic.5568 | 1.0.0.585 |
| avast! | Win32:Brontok-CE [Wrm] | 2014.9-151105 |
| AVG | I-Worm/Brontok.X | 2016.0.2934 |
| Baidu Antivirus | Worm.Win32.Brontok | 4.0.3.15115 |
| Bitdefender | Win32.Generic.5568 | 1.0.20.1545 |
| Bkav FE | W32.RontokbroGH | 1.3.0.7383 |
| Clam AntiVirus | Worm.Brontok.H | 0.98/21511 |
| Comodo Security | Worm.Win32.Brontok.CH | 23521 |
| Dr.Web | Win32.HLLM.Generic.440 | 9.0.1.0309 |
| Emsisoft Anti-Malware | Win32.Generic.5568 | 8.15.11.05.06 |
| ESET NOD32 | Win32/Brontok.CH | 9.12506 |
| Fortinet FortiGate | W32/Brontok.X@mm | 11/5/2015 |
| F-Prot | W32/Brontok.FE@mm | v6.4.7.1.166 |
| F-Secure | Win32.Generic.5568 | 11.2015-05-11_5 |
| G Data | Win32.Generic.5568 | 15.11.25 |
| IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.1.9.5.0 |
| K7 AntiVirus | Trojan | 13.212.17724 |
| Kaspersky | Email-Worm.Win32.Brontok | 14.0.0.1166 |
| Malwarebytes | Trojan.Dropper | v2015.11.05.06 |
| McAfee | W32/Rontokbro.gen@MM | 5600.6590 |
| Microsoft Security Essentials | Worm:Win32/Brontok.BK@mm | 1.1.12205.0 |
| MicroWorld eScan | Win32.Generic.5568 | 16.0.0.927 |
| NANO AntiVirus | Trojan.Win32.Brontok.ppjl | 0.30.26.4437 |
| nProtect | Win32.Generic.5568 | 15.11.02.01 |
| Panda Antivirus | Trj/Agent.IVN | 15.11.05.06 |
| Qihoo 360 Security | Trojan.Generic | 1.0.0.1015 |
| Quick Heal | W32.Brontok.Q | 11.15.11.00 |
| Rising Antivirus | PE:Trojan.Win32.Mnless.dyr!1442186 [F] | 23.00.65.151103 |
| Sophos | W32/Brontok-X | 4.98 |
| SUPERAntiSpyware | Trojan.Agent/Gen-FakeSec | 9525 |
| Total Defense | Win32/ASuspect.HFAEN!genus | 37.1.62.1 |
| Trend Micro House Call | WORM_RONTKBR.AH | 7.2.309 |
| Trend Micro | WORM_RONTKBR.AH | 10.465.05 |
| Vba32 AntiVirus | Email-Worm.Brontok | 3.12.26.4 |
| VIPRE Antivirus | Email-Worm.Win32.Brontok.a | 44972 |
| ViRobot | I-Worm.Win32.A.Brontok.44424.A[h] | 2014.3.20.0 |
| Zillya! Antivirus | Worm.Brontok.Win32.468 | 2.0.0.2488 |
File Details
File size: 43.4 KB (44,424 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\{user}\appdata\local\services.exe
File PE Metadata
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 5.12
CTPH (ssdeep): 768:PxYl/O9ilwgMmVBjg7bE0qUuas/mHxoVTaD+jPARJrtRwycYyab5aaeLv35BMCH:pYNmilwnajoE0JomRoVTS+sTtiYXb5gR
Entry address: 0x31B6F
Entry point: E9, E0, E5, FC, FF, 0C, 70, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 46, 1B, 03, 00, 0C, 70, 02, 00...
Packer / compiler: RLPack FullEdition V1.1X
Code size: 512 Bytes (512 bytes)
Behaviors
Startup File (All Users Run)
Registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Bron-Spizaetus
Command: "C:\windows\shellnew\rakyatkelaparan.exe"
Network Communications
The executing file has been seen to make the following network communications in live environments.
TCP (HTTP): Connects to unknown.prolexic.com (72.52.4.121:80)
TCP (HTTP SSL): Connects to ats.sbs.vip.dc11.lumsb.com (8.12.146.61:443)