svchost.exe

The file svchost.exe has been detected as a potentially unwanted program by 26 anti-malware scanners. It is a setup program used to install the application, which is a malicious Bitcoin miner. Bitcoin-mining malware forces infected computers to generate Bitcoins for cybercriminals' benefit and consumes their computing power. Although this file uses the name svchost.exe, it is NOT the Windows SvcHost (Service Host) distributed with the OS; the genuine Service Host runs from the Windows System32 directory, whereas this file is commonly found under C:\windows\temp (see "Common path" below). The file has been seen being downloaded from m.0459f1e5dc998dc996096e9552b42918.com.
MD5:
f9b2f1595746bed5d927e800e5d82df8

SHA-1:
4b1de917c424cf5aee72b7423f25a5bdf82a5c05

SHA-256:
848ee3f73d08d0471e15ce6ef3504bc066e17eff4fe4e1ab9d7404002b75fdbe

Scanner detections:
26 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoins in the background using the computer's GPU, and may be installed and run without the user's knowledge.

Analysis date:
5/20/2024 10:02:31 PM UTC

Scan engine              Detection                                   Engine version
Lavasoft Ad-Aware        Gen:Variant.Graftor.125351                  1133
AhnLab V3 Security       Trojan/Win32.BitMiner                       2013.12.30
Avira AntiVirus          SPR/BitCoin.bwq                             7.11.122.174
avast!                   Win32:BitCoinMiner-DN [PUP]                 2014.9-131228
AVG                      Skodna.BitCoinMiner                         2014.0.3611
Baidu Antivirus          Trojan.Win32.BitCoinMiner                   4.0.3.131228
Bitdefender              Gen:Variant.Graftor.125351                  1.0.20.1810
Bkav FE                  W32.Clodceb.Trojan                          1.3.0.4613
Comodo Security          UnclassifiedMalware                         17518
Dr.Web                   Tool.BtcMine.143                            9.0.1.0362
Emsisoft Anti-Malware    Gen:Variant.Graftor.125351                  8.13.12.28.06
ESET NOD32               Win32/BitCoinMiner.AF (variant)             7.9190
F-Secure                 Gen:Variant.Graftor.125351                  11.2013-28-12_7
G Data                   Gen:Variant.Graftor.125351                  13.12.22
IKARUS anti.virus        not-a-virus:RiskTool.Win32                  t3scan.2.2.29
K7 AntiVirus             Trojan                                      13.174.10656
Malwarebytes             PUP.Optional.Cgminer                        v2013.12.28.06
McAfee                   RDN/Generic PUP.x!bnw                       5600.7267
MicroWorld eScan         Gen:Variant.Graftor.125351                  14.0.0.1086
Panda Antivirus          Trj/dtcontx.I                               13.12.28.06
Reason Heuristics        Threat.Win.Reputation.IMP                   14.12.21.14
Rising Antivirus         PE:Trojan.Win32.Generic.161A82A8!370836136  23.00.65.131226
Sophos                   Generic PUA EL                              4.96
Trend Micro House Call   TROJ_SPNR.07LD13                            7.2.362
Trend Micro              TROJ_SPNR.07LD13                            10.465.28
VIPRE Antivirus          Trojan.Win32.Generic                        24882

File size:
950 KB (972,814 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\temp\svchost.exe

File PE Metadata
Compilation timestamp:
9/13/2013 12:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
2.23

CTPH (ssdeep):
24576:AUDQM4I7ftpJeAGvhl4rVu+YesegShI/0MD93Pkcahn6kcgNfPF7:iRI7ShlGufesegSi5D938ca9JcgN3R

Entry address:
0x1280

Entry point:
83, EC, 1C, C7, 04, 24, 01, 00, 00, 00, FF, 15, A0, 96, 51, 00, E8, 6B, FD, FF, FF, 8D, 74, 26, 00, 8D, BC, 27, 00, 00, 00, 00, 83, EC, 1C, C7, 04, 24, 02, 00, 00, 00, FF, 15, A0, 96, 51, 00, E8, 4B, FD, FF, FF, 8D, 74, 26, 00, 8D, BC, 27, 00, 00, 00, 00, A1, FC, 96, 51, 00, FF, E0, 89, F6, 8D, BC, 27, 00, 00, 00, 00, A1, D0, 96, 51, 00, FF, E0, 90, 90, 90, 90, 90, 90, 90, 90, 90, 55, 89, E5, 83, EC, 18, C7, 04, 24, 00, 90, 4B, 00, E8, B2, 06, 0B, 00, BA, 00, 00, 00, 00, 83, EC, 04, 85, C0, 74, 15, C7, 44...

Code size:
722 KB (739,328 bytes)

The file svchost.exe has been seen being distributed by the following URL.
