conhost41.exe

Host Process for Windows Services

The executable conhost41.exe has been detected as malware by 10 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘svchost86x.sys’. While running, it connects to the Internet address ad-sj2.mediaplex.com on port 80 using the HTTP protocol.
Publisher:
Microsoft* (Invalid match)

Product:
Host Process for Windows Services

Version:
1.0.0.0

MD5:
89c136eae9163d63918e0ef59bd6ac82

SHA-1:
871a7d7ff99cbcade1366769612269b444230121

SHA-256:
ebc43e8c0c05c8f7eec424ce3832ae382ec7832e37939e52a67f164918354f52

Scanner detections:
10 / 68

Status:
Malware

Analysis date:
4/19/2024 7:28:59 PM UTC

Scan engine: detection (engine version)

Lavasoft Ad-Aware: Gen:Variant.Kazy.435348 (engine version 885)
Avira AntiVirus: TR/Spy.Gen8 (engine version 7.11.170.144)
Bitdefender: Gen:Variant.Kazy.435348 (engine version 1.0.20.1225)
Emsisoft Anti-Malware: Gen:Variant.Kazy.435348 (engine version 9.0.0.4324)
F-Secure: Gen:Variant.Kazy.435348 (engine version 11.2014-02-09_3)
G Data: Gen:Variant.Kazy.435348 (engine version 14.9.24)
Malwarebytes: Trojan.Psuedo (engine version v2014.09.02.01)
MicroWorld eScan: Gen:Variant.Kazy.435348 (engine version 15.0.0.735)
Sophos: Mal/Spy-AH (engine version 4.98)
Trend Micro House Call: TROJ_GEN.R0C1H08I214 (engine version 7.2.245)

File size:
77.5 KB (79,360 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Microsoft 1968

Original file name:
csIWebBrowse.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\conhost41.exe

File PE Metadata

Compilation timestamp:
9/2/2014 1:17:38 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:4C9JI2mNo/8hKKcvw1DS2UZGvciqr6BgdSmWQfdsGqCVcztX3IGkNhB07C:G2mKgZBc/r5Sw6GqRhnvkNhBwC

Entry address:
0x14A4E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.8566

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
75 KB (76,800 bytes)

Startup File (User Run)

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
svchost86x.sys

Command:
"C:\users\{user}\appdata\local\temp\conhost41.exe"

Network communications

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to static.67.36.76.144.clients.your-server.de  (144.76.36.67:9789)

TCP:
Connects to static.198.66.40.188.clients.your-server.de  (188.40.66.198:82)

TCP (HTTP):
Connects to rtb02.us.dataxu.net  (50.23.159.133:80)

TCP (HTTP):
Connects to reserved-98.euroclick.com  (193.149.47.98:80)

TCP (HTTP SSL):
Connects to r-199-59-150-46.twttr.com  (199.59.150.46:443)

TCP (HTTP):
Connects to pb-in-f141.1e100.net  (173.194.79.141:80)

TCP (HTTP):
Connects to lax02s01-in-f28.1e100.net  (74.125.224.188:80)

TCP (HTTP):
Connects to lax02s01-in-f14.1e100.net  (74.125.224.174:80)

TCP (HTTP):
Connects to img-sj2.mediaplex.com  (64.156.167.78:80)

TCP (HTTP):
Connects to ec2-54-85-76-73.compute-1.amazonaws.com  (54.85.76.73:80)

TCP (HTTP):
Connects to ec2-54-84-219-229.compute-1.amazonaws.com  (54.84.219.229:80)

TCP (HTTP):
Connects to ec2-54-243-238-196.compute-1.amazonaws.com  (54.243.238.196:80)

TCP (HTTP):
Connects to ec2-54-225-65-53.compute-1.amazonaws.com  (54.225.65.53:80)

TCP (HTTP):
Connects to ec2-54-215-227-17.us-west-1.compute.amazonaws.com  (54.215.227.17:80)

TCP (HTTP):
Connects to ec2-50-18-171-108.us-west-1.compute.amazonaws.com  (50.18.171.108:80)

TCP (HTTP):
Connects to ec2-23-21-211-9.compute-1.amazonaws.com  (23.21.211.9:80)

TCP (HTTP):
Connects to ec2-23-21-205-139.compute-1.amazonaws.com  (23.21.205.139:80)

TCP (HTTP):
Connects to ec2-184-72-247-26.compute-1.amazonaws.com  (184.72.247.26:80)

TCP (HTTP):
Connects to ec2-184-169-154-158.us-west-1.compute.amazonaws.com  (184.169.154.158:80)

TCP (HTTP):
Connects to ad-sj2.mediaplex.com  (64.156.167.77:80)

Powered by Reason Core Security