svchost10.exe

The executable svchost10.exe has been detected as malware by 1 of 68 anti-virus scanners (Reason Heuristics, as Trojan.Ransomeware (M)). Its file name imitates the legitimate Windows service host svchost.exe, but it runs from the user's roaming AppData folder rather than from %SystemRoot%\System32, where the real svchost.exe lives and from which it is started by the Service Control Manager, never from a user's Run key. The file is set to start automatically when the user logs into Windows via the current-user Run registry key, under the value name 'WirelessConfig'. While running, it connects over plain HTTP (TCP port 80) to apache2-yak.zarniwoop.dreamhost.com, among the other hosts listed below. Its entropy of 7.60 (out of a maximum of 8) and its small code section (14.5 KB of a 267 KB image) indicate that most of the file is packed or encrypted, so the hashes, the Run key and the network indicators below are more useful for hunting than static signatures on the on-disk bytes.
MD5:
97549a4d0490cc48fef73f2cb4e63659

SHA-1:
7beb255adc161a704c1d50b309b5fb2491695446

SHA-256:
282ac9c5c5d5b2a497cd8105e64dfe2b025ab0931a137589d5882199591abb5f

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/25/2024 5:34:59 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Ransomeware (M)

Engine version:
17.2.27.13

File size:
267 KB (273,408 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\svchost10.exe

File PE Metadata
Compilation timestamp:
5/23/2009 6:27:32 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x3167A

Entry point:
8B, F6, 8B, C3, 68, 62, E8, 60, 00, 8D, 1D, 27, 47, 1F, 2E, 87, F3, 1B, D6, B6, 92, 0F, BE, CD, 1B, F8, 0F, AF, C1, 84, FF, F7, C0, 28, DB, 54, C9, 81, C8, EC, 19, 51, 4D, 87, C7, 52, 8A, F9, 89, F0, 59, F7, C3, 2D, 5E, E5, D2, 86, DF, C7, C0, DE, 91, C8, 2D, 09, C3, 0F, AF, C3, 2B, F1, B6, 83, 85, E8, 8A, C3, 3D, 67, 77, 20, 30, 8A, EA, 69, EA, C3, F0, C5, 19, 87, D0, 81, FE, 30, 3B, 00, 00, 74, 09, F7, C3, 59, CD, EC, 4E, C6, C0, AC, E8, 00, 00, 00, 00, 33, FF, 21, F1, 86, D3, 39, C2, 43, F3, 3A, E4, 8B...

Entropy:
7.6029

Code size:
14.5 KB (14,848 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WirelessConfig

Command:
C:\users\{user}\appdata\roaming\svchost10.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTPS):
Connects to text-lb.esams.wikimedia.org  (91.198.174.192:443). This is Wikimedia's public front-end load balancer, not attacker-controlled infrastructure; treat it as a connectivity check rather than a command-and-control indicator.

TCP (HTTP):
Connects to server250.net217.intbildns.org  (185.126.217.250:80)

TCP (HTTP):
Connects to server123.managedns.org  (103.14.97.123:80)

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

TCP (HTTP):
Connects to mail2.ic.cz  (88.86.100.180:80)

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)
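The following triage script is an added example, not part of this page or of Reason Core Security's tooling. It checks a single Windows host, read-only, for the indicators listed above: the HKCU Run value 'WirelessConfig' (or any Run value launching svchost10.exe), the dropped file in %AppData% and whether its SHA-256 matches this sample, svchost-named processes whose image is not the real one under System32 or SysWOW64, and DNS-cache or TCP-connection hits on the listed hosts and addresses. The Wikimedia load balancer is deliberately left out of the indicator list. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-DnsClientCache and Get-NetTCPConnection) and should be run elevated so that ExecutablePath is visible for processes owned by other users.

```powershell
# Added triage script (not from the page or Reason Core). Read-only host check for the
# indicators listed on this page. Assumes Windows 8 / Server 2012 or newer.

$Sha256    = '282ac9c5c5d5b2a497cd8105e64dfe2b025ab0931a137589d5882199591abb5f'
$RunName   = 'WirelessConfig'
$FilePath  = Join-Path $env:APPDATA 'svchost10.exe'
$Domains   = @(
    'apache2-yak.zarniwoop.dreamhost.com',
    'win04-host-kb.turkticaret.net',
    'server250.net217.intbildns.org',
    'server123.managedns.org',
    'neptune.corpservers.net',
    'mail2.ic.cz',
    '209-99-40-222.fwd.datafoundry.com'
)
$Addresses = @(
    '173.236.154.78', '31.186.8.104', '185.126.217.250', '103.14.97.123',
    '63.247.87.162', '88.86.100.180', '209.99.40.222'
)

$hits = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: the HKCU Run value named WirelessConfig, or any Run value that launches svchost10.exe.
$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # provider metadata, not Run values
$run      = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($psProps -contains $p.Name) { continue }
        if ($p.Name -eq $RunName -or "$($p.Value)" -match 'svchost10\.exe') {
            $hits.Add("Run value '$($p.Name)' = $($p.Value)")
        }
    }
}

# 2. Dropped file: present at all is suspicious; a hash match ties it to this exact sample.
if (Test-Path -LiteralPath $FilePath) {
    $h   = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    $msg = "File present: $FilePath (SHA-256 $h)"
    if ($h -ieq $Sha256) { $msg += ' - matches the listed sample' }
    $hits.Add($msg)
}

# 3. Masquerading: any svchost* process whose image is not the genuine service host.
#    On 64-bit Windows the 32-bit copy under SysWOW64 is also legitimate.
$genuine = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
Get-CimInstance Win32_Process -Filter "Name LIKE 'svchost%'" |
    Where-Object { $_.ExecutablePath -and ($genuine -notcontains $_.ExecutablePath) } |
    ForEach-Object { $hits.Add("Process $($_.ProcessId) $($_.Name) running from $($_.ExecutablePath)") }

# 4. Network: resolver cache entries and TCP connections (any state) to the listed infrastructure.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { ($Domains -contains $_.Entry) -or ($Addresses -contains $_.Data) } |
    ForEach-Object { $hits.Add("DNS cache: $($_.Entry) -> $($_.Data)") }

Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $Addresses -contains $_.RemoteAddress } |
    ForEach-Object {
        $hits.Add("TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) " +
                  "($($_.State), owning PID $($_.OwningProcess))")
    }

if ($hits.Count -eq 0) { 'No indicators from this page were found on this host.' } else { $hits }
```

The hash check only identifies this exact build; a repacked variant will have a different SHA-256 but will typically still show the Run-key name, the AppData path and the svchost masquerade, so a non-matching hash with the other checks firing should still be treated as a hit. Shared hosting addresses such as the DreamHost and DataFoundry ones may also serve unrelated sites, so confirm a network hit against the owning process before acting on it.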
