» services.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

services.exe

The executable services.exe has been detected as malware by 41 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘Bron-Spizaetus’. While running, it connects to the Internet address ats.sbs.vip.dc11.lumsb.com on port 443.

File name:

services.exe

MD5:

2fbc874a623f6d8b0cfcd26466dc3e5c

SHA-1:

7df9508892852b909b53c81ac7a179fb2125c77c

SHA-256:

5e2307e2581bc5577fff211474ffbff8e5dcc2aca1cf0c47a50a55723dfd3ffa

Scanner detections:

41 / 68

Status:

Malware

Analysis date:

5/21/2024 9:22:33 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Win32.Generic.5568

456

Agnitum Outpost

I-Worm.Brontok

7.1.1

AhnLab V3 Security

HEUR/Fakon.mwf

2015.11.03

Avira AntiVirus

WORM/Brontok.E.1

8.3.2.2

Arcabit

Win32.Generic.5568

1.0.0.585

avast!

Win32:Brontok-CE [Wrm]

2014.9-151105

AVG

I-Worm/Brontok.X

2016.0.2934

Baidu Antivirus

Worm.Win32.Brontok

4.0.3.15115

Bitdefender

Win32.Generic.5568

1.0.20.1545

Bkav FE

W32.RontokbroGH

1.3.0.7383

Clam AntiVirus

Worm.Brontok.H

0.98/21511

Comodo Security

Worm.Win32.Brontok.CH

23521

Dr.Web

Win32.HLLM.Generic.440

9.0.1.0309

Emsisoft Anti-Malware

Win32.Generic.5568

8.15.11.05.06

ESET NOD32

Win32/Brontok.CH

9.12506

Fortinet FortiGate

W32/Brontok.X@mm

11/5/2015

F-Prot

W32/Brontok.FE@mm

v6.4.7.1.166

F-Secure

Win32.Generic.5568

11.2015-05-11_5

G Data

Win32.Generic.5568

15.11.25

IKARUS anti.virus

Email-Worm.Win32.Brontok

t3scan.1.9.5.0

K7 AntiVirus

Trojan

13.212.17724

Kaspersky

Email-Worm.Win32.Brontok

14.0.0.1166

Malwarebytes

Trojan.Dropper

v2015.11.05.06

McAfee

W32/Rontokbro.gen@MM

5600.6590

Microsoft Security Essentials

Worm:Win32/Brontok.BK@mm

1.1.12205.0

MicroWorld eScan

Win32.Generic.5568

16.0.0.927

NANO AntiVirus

Trojan.Win32.Brontok.ppjl

0.30.26.4437

nProtect

Win32.Generic.5568

15.11.02.01

Panda Antivirus

Trj/Agent.IVN

15.11.05.06

Qihoo 360 Security

Trojan.Generic

1.0.0.1015

Quick Heal

W32.Brontok.Q

11.15.11.00

Rising Antivirus

PE:Trojan.Win32.Mnless.dyr!1442186 [F]

23.00.65.151103

Sophos

W32/Brontok-X

4.98

SUPERAntiSpyware

Trojan.Agent/Gen-FakeSec

9525

Total Defense

Win32/ASuspect.HFAEN!genus

37.1.62.1

Trend Micro House Call

WORM_RONTKBR.AH

7.2.309

Trend Micro

WORM_RONTKBR.AH

10.465.05

Vba32 AntiVirus

Email-Worm.Brontok

3.12.26.4

VIPRE Antivirus

Email-Worm.Win32.Brontok.a

44972

ViRobot

I-Worm.Win32.A.Brontok.44424.A[h]

2014.3.20.0

Zillya! Antivirus

Worm.Brontok.Win32.468

2.0.0.2488

File size:

43.4 KB (44,424 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\services.exe

File PE Metadata

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

5.12

CTPH (ssdeep):

768:PxYl/O9ilwgMmVBjg7bE0qUuas/mHxoVTaD+jPARJrtRwycYyab5aaeLv35BMCH:pYNmilwnajoE0JomRoVTS+sTtiYXb5gR

Entry address:

0x31B6F

Entry point:

E9, E0, E5, FC, FF, 0C, 70, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 46, 1B, 03, 00, 0C, 70, 02, 00... 
[+]

Packer / compiler:

RLPack FullEdition V1.1X

Code size:

512 Bytes (512 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Bron-Spizaetus

Command:

"C:\windows\shellnew\rakyatkelaparan.exe"

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to unknown.prolexic.com (72.52.4.121:80)

TCP (HTTP SSL):

Connects to ats.sbs.vip.dc11.lumsb.com (8.12.146.61:443)

Remove services.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.