syshost.exe

foobar2000

Peter Pawlowski

The executable syshost.exe, “foobar2001 shell extension”, has been detected as malware by 1 anti-virus scanner. It runs as a separate Windows service (within the context of its own process) named “syshost32”. While running, it connects to the Internet address hbnfty.minorjc.top on port 80 using the HTTP protocol.

Publisher:
Peter Pawlowski

Product:
foobar2000

Description:
foobar2001 shell extension

Version:
1.0.0.7

MD5:
e598d1d69dab2c43ba4a7d7cd3db8f76

SHA-1:
f34784ef98f588c89d6414b188859d22bb91ea4b

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
5/13/2024 9:55:09 PM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Dropper (M)

Engine version:
16.6.5.15

File size:
60 KB (61,440 bytes)

Product version:
0.9.7

Copyright:
(c) Peter Pawlowski. All rights reserved.

Original file name:
Fb2kShellExt.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\installer\{a0275a7c-dde6-3dc4-090d-d81ee89e7179}\syshost.exe

File PE Metadata
Compilation timestamp:
10/18/2013 8:11:10 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:X5UStUYbkP9QWIwbSVyF7Iqzqybqh7tTBTPoBqZI0Fdk:pUStUYmqW/44IaHbY7tTBjoBcHLk

Entry address:
0xA15D

Entry point:
50, F7, D0, 23, 04, 24, 59, 68, 6D, 19, 40, 00, F7, D9, 03, 0C, 24, C3, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Code size:
40.5 KB (41,472 bytes)

Service
Display name:
syshost32

Type:
Win32OwnProcess
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hbnfty.minorjc.top  (217.23.9.162:80)

TCP (HTTP):
Connects to ns532044.ip-198-245-62.net  (198.245.62.96:80)

TCP (HTTP):
Connects to dev.crazycraftland.info  (198.245.50.125:80)

TCP (HTTP):
Connects to dedi274.flk1.host-h.net  (213.239.194.73:80)

TCP (HTTP):
Connects to a72-247-184-75.deploy.akamaitechnologies.com  (72.247.184.75:80)

Remove syshost.exe - Powered by Reason Core Security