» svchost.exe
Overview
Analysis
File Details
Behaviors (1)

svchost.exe

Select'Assistance Pro

The executable svchost.exe has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Sidebar(x34) Build18’. Although this file uses the name svchost.exe, this is NOT the Windows SvcHost (Service Host) distributed with the OS.

File name:

svchost.exe

Publisher:

Microsoft® Windows® Operating System (signed by Select'Assistance Pro)

Product:

Microsoft® Windows® Operating System

Description:

svchost.exe

Version:

6.2.9200.16420

MD5:

a2fb7b78355758e07f1790eb5187e775

SHA-1:

70cff7c045203744f43c1111cfc735ccb06e29ce

SHA-256:

19220d1fff3e83c3bb6089b9a602829ea4365ed398738f531378fb6095085227

Scanner detections:

3 / 68

Status:

Malware

Analysis date:

4/27/2024 3:59:34 AM UTC (today)

Scan engine

Detection

Engine version

ESET NOD32

MSIL/Agent.EI trojan

6.3.12010.0

F-Secure

Variant.MSILPerseus.1806

5.15.154

Microsoft Security Essentials

Backdoor:MSIL/Bladabindi

1.229.259.0

File size:

303.2 KB (310,456 bytes)

Product version:

6.2.9200.16420

Trademarks:

Microsoft Fonction Basic

Original file name:

f.exe

File type:

Executable application (Win32 EXE)

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\roaming\programme files(x34)build18\svchost.exe

Digital Signature

Signed by:

Select'Assistance Pro

Authority:

DigiCert Inc

Valid from:

4/3/2014 2:00:00 AM

Valid to:

4/7/2017 2:00:00 PM

Subject:

CN=Select'Assistance Pro, O=Select'Assistance Pro, L=Strasbourg, C=FR

Issuer:

CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:

06CE209477F1AC19A2049BDC5846A831

File PE Metadata

Compilation timestamp:

4/9/2014 12:07:10 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

6144:csrxCmCpO6eo5kwIKZ3gfpGfboaje2jVFd:csGdIKOfQzoQe2Xd

Entry address:

0x46F7E

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Developed / compiled with:

Microsoft Visual C# / Basic .NET

Code size:

276 KB (282,624 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Sidebar(x34) Build18

Command:

C:\users\{user}\appdata\roaming\programme files(x34)build18\svchost.exe

Remove svchost.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.