vsserv.exe

SlimAV v2

Slimware Utilities Holdings, Inc.

The application vsserv.exe, “SlimAV Security Service” by Slimware Utilities Holdings, has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a separate Windows service (in the context of its own process) named “SlimAV Virus Shield”.
Publisher:
SlimAV  (signed by Slimware Utilities Holdings, Inc.)

Product:
SlimAV v2

Description:
SlimAV Security Service

Version:
19.1.0.117 108468

MD5:
82be8e518bc992e0a8ee6935a0d289ff

SHA-1:
755c8f2f3a70e16f6c8c9fca7938d334545c4d4a

SHA-256:
ca42334dd43fea69e5e5c0fcd6b987b94c408968c8b0d17dd7f870eaea85b7d2

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
6/23/2018 1:42:32 AM UTC

Scan engine:
Dr.Web

Detection:
riskware program Program.Unwanted.341

Engine version:
9.0.1.05190

Scan engine:
Reason Heuristics

Detection:
PUP.Optional.SlimwareUtilitiesHoldings.Service

Engine version:
15.10.4.0

File size:
1.5 MB (1,530,528 bytes)

Product version:
19.1.0.117 108468

Copyright:
©1997-2015 SlimAV

Original file name:
vsserv.exe

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Program Files\slimav\slimav\vsserv.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/22/2015 6:00:00 PM

Valid to:
1/6/2018 5:59:59 PM

Subject:
CN="Slimware Utilities Holdings, Inc.", O="Slimware Utilities Holdings, Inc.", L=New York, S=New York, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
246BBE812B36C137225497BA8DF178FA

File PE Metadata
Compilation timestamp:
6/18/2015 10:18:15 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:M5J4AZ2R2fJzrc2cthtan5bz6Ogj7oR3Glm16:GC2xzQp7a5bz6OC7oFwr

Entry address:
0xCD968


Entropy:
5.5507

Code size:
1002.5 KB (1,026,560 bytes)

Service
Display name:
SlimAV Virus Shield

Service name:
VSSERV

Type:
Win32OwnProcess

Group:
System Reserved


The executing file has been seen to make the following network communications in live environments.

