home

systm.exe

The executable systm.exe has been detected as malware by 33 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘45467b6c8a905a8a88429593036f8ea8’. While running, it connects to the Internet address host-41.35.0.98.tedata.net on port 1177.
MD5:
dfec2f92a0383d978bc8f98f9614aa8f

SHA-1:
a1fdc49638fdf33f6ad20ccbaa7a810ef4977714

SHA-256:
38991e00394243f817e6b051886a4a4391be1f45d679a48d76290af1e6ecbe89

Scanner detections:
33 / 68

Status:
Malware

Analysis date:
4/16/2024 6:39:49 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Barys.8300
5843186

Agnitum Outpost
Trojan.RatJn.Gen.MG
7.1.1

AhnLab V3 Security
Trojan/Win32.Bladabindi
2014.11.27

Avira AntiVirus
TR/ATRAPS.Gen
7.11.189.28

avast!
MSIL:GenMalicious-V [Trj]
141119-1

AVG
Could be a Trojan horse PSW.ILUSpy
2014.0.4189

Baidu Antivirus
Trojan.MSIL.Bladabindi
4.0.3.141126

Bitdefender
Gen:Variant.Barys.8300
1.0.20.1650

Comodo Security
TrojWare.MSIL.Bladabindi.KX
20202

Dr.Web
BackDoor.Bladabindi.1091
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Barys.8300
9.0.0.4570

ESET NOD32
MSIL/Bladabindi.F trojan
7.0.302.0

Fortinet FortiGate
MSIL/Agent.PPV!tr
11/26/2014

F-Prot
W32/MSIL_Bladabindi.N.gen
v6.4.7.1.166

F-Secure
Gen:Variant.Barys.8300
11.2014-26-11_4

G Data
Gen:Variant.Barys.8300
14.11.24

IKARUS anti.virus
Trojan.MSIL.Bladabindi
t3scan.1.8.3.0

K7 AntiVirus
Trojan
13.186.14150

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.2885

Malwarebytes
Trojan.MSIL
v2014.11.26.09

McAfee
BackDoor-NJRat!DFEC2F92A038
5600.6934

Microsoft Security Essentials
Threat.Undefined
1.189.660.0

MicroWorld eScan
Gen:Variant.Barys.8300
15.0.0.990

NANO AntiVirus
Trojan.Win32.DownLoader10.dbxzfj
0.28.6.63726

Norman
MSIL.BZ
11.20141126

Qihoo 360 Security
Malware.QVM03.Gen
1.0.0.1015

Quick Heal
Backdoor.Bladabindi.AL3
11.14.14.00

Rising Antivirus
PE:Backdoor.Bot!1.6675
23.00.65.141124

Sophos
Mal/Bbindi-C
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Barys
10213

Trend Micro House Call
BKDR_BLADABI.SMC
7.2.330

Trend Micro
BKDR_BLADABI.SMC
10.465.26

VIPRE Antivirus
Threat.4799966
35088

File size:
39 KB (39,936 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\systm.exe

File PE Metadata
Compilation timestamp:
11/17/2014 10:04:43 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:tI7KuA+Au4JqwGa+ecBKh0p29SgRaVlzKJuBbP:tI7KuI9nKKhG29jaVd4UP

Entry address:
0x8BFE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
5.6903

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
27.5 KB (28,160 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
45467b6c8a905a8a88429593036f8ea8

Command:
"C:\users\{user}\appdata\roaming\systm.exe"..


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to host-41.35.92.255.tedata.net  (41.35.92.255:1177)

TCP:
Connects to host-41.35.0.98.tedata.net  (41.35.0.98:1177)

Remove systm.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.