SHA256: e506af6e3d8b1ace5a352f7f825c95cb82e323e48a13f1a07ee4384dbcc69719
File name: svchost.exe
Detection ratio: 30 / 61
Analysis date 2017-05-09 18:50:54 UTC ( 1 year, 9 months ago )
Antivirus Result Update
Ad-Aware Application.Miner.Y 20170509
AhnLab-V3 Trojan/Win64.BitMin.C1565339 20170509
Antiy-AVL RiskWare[RiskTool]/Win64.BitCoinMiner.tb 20170509
Arcabit PUP.Riskware 20170509
AVG Skodna.BitCoinMiner.HB 20170509
Avira (no cloud) PUA/BitcoinMiner.Gen 20170509
BitDefender Application.Miner.Y 20170509
Bkav W64.HfsAdware.EB0E 20170509
CAT-QuickHeal RiskTool.Win64 20170509
DrWeb Trojan.BtcMine.793 20170509
Emsisoft Application.Miner (A) 20170509
Endgame malicious (high confidence) 20170503
ESET-NOD32 a variant of Win64/BitCoinMiner.AN potentially unsafe 20170509
GData Application.Miner.Y 20170509
Ikarus not-a-virus:RiskTool.BitCoinMiner 20170509
Sophos ML virus.win32.sality.at 20170413
Jiangmin Trojan.Generic.fxfa 20170509
K7AntiVirus Unwanted-Program ( 004b9d8e1 ) 20170509
K7GW Unwanted-Program ( 004b9d8e1 ) 20170509
Kaspersky not-a-virus:RiskTool.Win64.BitCoinMiner.tb 20170509
McAfee Artemis!E40D9CFEE95E 20170509
McAfee-GW-Edition Artemis!PUP 20170509
eScan Application.Miner.Y 20170509
NANO-Antivirus Riskware.Win64.BtcMine.dtqkwd 20170509
Rising Malware.Undefined!8.C (cloud:jPS2JrdWF3E) 20170509
Symantec Trojan.Gen.2 20170509
ViRobot Trojan.Win32.Z.Bitcoinminer.3876968[h] 20170509
Webroot W32.Virus.Win64.Bitcoinminer 20170509
Yandex Riskware.BitCoinMiner! 20170504
ZoneAlarm by Check Point not-a-virus:RiskTool.Win64.BitCoinMiner.tb 20170509
Undetected (no result reported):
AegisLab 20170509
Alibaba 20170509
ALYac 20170509
Avast 20170509
AVware 20170508
Baidu 20170503
ClamAV 20170509
CMC 20170509
Comodo 20170509
CrowdStrike Falcon (ML) 20170130
Cyren 20170509
F-Prot 20170509
F-Secure 20170509
Fortinet 20170509
Kingsoft 20170509
Malwarebytes 20170509
Microsoft 20170509
nProtect 20170509
Palo Alto Networks (Known Signatures) 20170509
Panda 20170509
Qihoo-360 20170509
SentinelOne (Static ML) 20170330
Sophos AV 20170509
SUPERAntiSpyware 20170509
Symantec Mobile Insight 20170509
Tencent 20170509
TheHacker 20170508
TotalDefense 20170509
TrendMicro 20170509
Trustlook 20170509
VBA32 20170506
VIPRE 20170509
WhiteArmor 20170502
Zillya 20170505
Zoner 20170509
The file is a Portable Executable: a PE32+ image for the Windows console subsystem targeting x64. (VirusTotal's "Win32 EXE" wording is its generic label for PE executables, not a statement about a 32-bit target.)
Authenticode signature block and FileVersionInfo properties
Signature verification A certificate was explicitly revoked by its issuer. The file is signed, but the signer's code-signing certificate has since been revoked by DigiCert, so the signature confers no trust; treat the file as unsigned, and treat any earlier "valid signature" result for this signer as void.
Signing date 11:21 PM 10/27/2014
Signers
[+] JProof LLC
Status This certificate, or one in its chain, is not time valid, and trust for this certificate, or one in its chain, has been revoked.
Issuer DigiCert SHA2 Assured ID Code Signing CA
Valid from 1:00 AM 10/5/2014
Valid to 1:00 PM 10/11/2017
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 94D8455751A059350DA6DF1DB63DCAA6278D8936
Serial number 01 0A 67 23 CC 94 54 56 8F 41 F9 22 1A 61 B5 86
[+] DigiCert SHA2 Assured ID Code Signing CA
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 PM 10/22/2013
Valid to 1:00 PM 10/22/2028
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 92C1588E85AF2201CE7915E8538B492F605B80C6
Serial number 04 09 18 1B 5F D5 BB 66 75 53 43 B5 6F 95 50 08
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Counter signers
[+] DigiCert Timestamp Responder
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer DigiCert Assured ID CA-1
Valid from 1:00 AM 5/20/2014
Valid to 1:00 AM 6/3/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 87A9E33E9B01B94F4ADA64D3763C94D9F22458F3
Serial number 06 64 01 46 E9 80 E0 0E 60 A1 4D 8F 44 4A 59 58
[+] DigiCert Assured ID CA-1
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2021
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing
Algorithm sha1RSA
Thumbprint 19A09B5A36F4DD99727DF783C17A51231A56C117
Serial number 06 FD F9 03 96 03 AD EA 00 0A EB 3F 27 BB BA 1B
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
PE header basic information
Target machine x64
Compilation timestamp 1970-08-18 18:08:16 (not credible for a binary signed in October 2014: the COFF TimeDateStamp is an arbitrary 32-bit field that the linker or the author can set to anything, so this value is forged or otherwise unreliable and must not be used as build evidence)
Entry Point 0x000014D0
Number of sections 9
PE sections
Overlays
MD5 3ef184c05bb73ef665d3e51f0a1ca521
File type data
Offset 3869696
Size 7272
Entropy 7.15
PE imports (listed by name only). Notable for a CPU miner: LookupPrivilegeValueA, OpenProcessToken and AdjustTokenPrivileges alongside GetLargePageMinimum (enabling a privilege on the token so that large-page memory can be used, typically SeLockMemoryPrivilege), SetThreadAffinityMask (pinning worker threads to cores), the Winsock set (getaddrinfo, connect, WSASend, WSARecv, select) for the pool connection, and RegisterEventSourceW/ReportEventW for writing to the Windows event log.
LookupPrivilegeValueA
RegisterEventSourceW
OpenProcessToken
DeregisterEventSource
ReportEventW
AdjustTokenPrivileges
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
GetStdHandle
EnterCriticalSection
GetLargePageMinimum
ReleaseMutex
GetSystemInfo
GetModuleFileNameW
WaitForSingleObject
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
QueueUserAPC
VirtualQuery
RtlAddFunctionTable
DeleteCriticalSection
GetCurrentProcess
SetUnhandledExceptionFilter
SystemTimeToFileTime
SetWaitableTimer
GetCurrentProcessId
ReleaseSemaphore
CreateIoCompletionPort
RtlUnwindEx
RtlVirtualUnwind
WideCharToMultiByte
UnhandledExceptionFilter
MultiByteToWideChar
SetThreadAffinityMask
GetProcAddress
RtlCaptureContext
TerminateThread
GetCurrentThread
IsDBCSLeadByteEx
RaiseException
CreateSemaphoreA
CreateThread
TlsFree
GetModuleHandleA
GetQueuedCompletionStatus
FormatMessageA
CreateSemaphoreW
RtlLookupFunctionEntry
GetStartupInfoA
CreateMutexW
CloseHandle
GetSystemTimeAsFileTime
CreateWaitableTimerA
DuplicateHandle
WaitForMultipleObjects
GetModuleHandleW
LocalFree
OpenEventA
TerminateProcess
ResumeThread
GetTimeZoneInformation
GetVersion
InitializeCriticalSection
PostQueuedCompletionStatus
VirtualFree
CreateEventA
TlsGetValue
Sleep
GetFileType
ResetEvent
TlsSetValue
HeapAlloc
GetCurrentThreadId
GetProcessHeap
VirtualAlloc
SleepEx
SetLastError
LeaveCriticalSection
GetDesktopWindow
MessageBoxW
GetProcessWindowStation
GetUserObjectInformationW
getaddrinfo
WSASocketA
WSARecv
accept
ioctlsocket
WSAStartup
freeaddrinfo
connect
getsockname
select
getsockopt
inet_addr
WSASend
WSAGetLastError
listen
__WSAFDIsSet
WSACleanup
WSASetLastError
closesocket
WSAIoctl
setsockopt
bind
__lconv_init
wcsftime
___lc_codepage_func
fclose
_time64
_snwprintf
strtoul
fflush
fsetpos
_fmode
strtol
fputc
fwrite
_environ
fputs
_fstat64
isspace
iswctype
wcscoll
_aligned_free
__dllonexit
_wfopen
_write
strcoll
memcpy
memmove
signal
strcmp
memchr
strncmp
memset
strcat
putwc
fgets
__pioinfo
strchr
fgetpos
isxdigit
ftell
exit
sprintf
_acmdln
ferror
free
ungetc
_aligned_malloc
__getmainargs
ungetwc
__C_specific_handler
_lseeki64
putchar
isalnum
_read
fseek
wcsxfrm
strcpy
__mb_cur_max
islower
_initterm
isupper
strftime
rand
setlocale
realloc
strxfrm
__doserrno
calloc
printf
fopen
_vsnwprintf
strncpy
_cexit
raise
puts
qsort
_onexit
wcslen
putc
memcmp
__setusermatherr
_gmtime64
srand
_fdopen
getenv
vfprintf
localeconv
strerror
wcscpy
_beginthreadex
_localtime64
_strnicmp
_setmode
malloc
fread
abort
fprintf
getwc
towupper
ispunct
feof
_amsg_exit
_errno
strlen
_lock
__initenv
towlower
_fileno
tolower
_unlock
fwprintf
setbuf
_exit
__iob_func
_filelengthi64
wcsstr
getc
setvbuf
__set_app_type
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows command line
MachineType AMD AMD64
TimeStamp 1970:08:18 19:08:16+01:00
FileType Win64 EXE
PEType PE32+
CodeSize 3051008
LinkerVersion 2.24
FileTypeExtension exe
InitializedDataSize 3868672
SubsystemVersion 5.2
EntryPoint 0x14d0
OSVersion 4.0
ImageVersion 0.0
UninitializedDataSize 14848
Execution parents
Compressed bundles
File identification
MD5 e40d9cfee95e0b13421065dbd7df9718
SHA1 f48100199d7067273e98e6fc288fc14f8b11b394
SHA256 e506af6e3d8b1ace5a352f7f825c95cb82e323e48a13f1a07ee4384dbcc69719
ssdeep 49152:9fTBAHExnkbGUDwbsF+Z1396uPaAW4C7ziRGka8OEfFNz6L/1oXvC:5TqbcaIC7V2XvC
authentihash be77c86091bfaad8a05d5aa75ff0d9f7e2d1ec41707a6bfffc254b236a17797b
imphash 3ea6b00babe13b0d6946712b48042caf
File size 3.7 MB ( 3876968 bytes )
File type Win32 EXE (VirusTotal's generic PE label; the image is PE32+/x64)
Magic literal PE32+ executable for MS Windows (console) Mono/.Net assembly
(The "Mono/.Net assembly" part, and the "assembly" tag derived from it, is a libmagic heuristic that the rest of the report contradicts: the import list has no _CorExeMain or other CLR entry point, the CRT imports are msvcrt-style (__getmainargs, _initterm, __set_app_type, __lconv_init), and LinkerVersion 2.24 matches GNU ld, i.e. a MinGW-w64 build of native code.)

TrID Win64 Executable (generic) (82.0%)
OS/2 Executable (generic) (6.0%)
Generic Win/DOS Executable (5.9%)
DOS Executable Generic (5.9%)
VXD Driver (0.0%)
Tags
peexe assembly overlay revoked-cert signed 64bits

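The header fields in the PE header block above and the overlay, authentihash and imphash in the identification block can all be recovered from the raw bytes without a sandbox. The script below is an added example for both of those sections; it is not VirusTotal's code and is not taken from the sample. It builds a constructed toy PE32+ in memory so that it runs offline, then parses the COFF/optional header (machine, link timestamp, entry point, subsystem, section count), locates the overlay past the last section's raw data and measures its entropy, computes the authentihash the way Authenticode does (CheckSum, the security data-directory entry and the certificate table excluded), computes an imphash over a list of (DLL, function) pairs passed in (import-table parsing and ordinal resolution are not implemented), and flags a link timestamp that falls outside the window between the PE format's existence and the signing date. SAMPLE_TIMESTAMP is the 1970 value reported above; SIGNING_TIME assumes the report's signing date is UTC; build_sample_pe() and its field values are constructed for the example. Only the standard library is used.

```python
"""PE32+ triage (added example, not VirusTotal's or the sample's code): the header
fields reported above, the overlay and its entropy, authentihash, imphash and a
link-time plausibility check. Standard library only; build_sample_pe() constructs
a toy image so this runs offline. For a real file, pass open(path, "rb").read()."""
import hashlib, math, struct
from collections import Counter
from datetime import datetime, timezone

PE32PLUS_MAGIC, OPT_HDR_SIZE = 0x20B, 240   # optional header incl. 16 data directories
CHECKSUM_OFF, CERT_DIR_OFF = 64, 144         # CheckSum; IMAGE_DIRECTORY_ENTRY_SECURITY (PE32+)
SAMPLE_TIMESTAMP = 19850896                  # 1970-08-18 18:08:16 UTC, as reported above
SIGNING_TIME = datetime(2014, 10, 27, 23, 21, tzinfo=timezone.utc)  # report's signing date; UTC assumed


def build_sample_pe(timestamp, code=b"\x90" * 64, overlay=b"", cert_table=b"", checksum=0x12345678):
    """Constructed single-section PE32+ console image; not a real program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    raw_ptr, raw_size = 512, (len(code) + 511) & ~511                # headers end at 368, 512-aligned
    cert_off = raw_ptr + raw_size + len(overlay) if cert_table else 0
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, OPT_HDR_SIZE, 0x22)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x14D0)                           # AddressOfEntryPoint
    struct.pack_into("<I", opt, CHECKSUM_OFF, checksum)
    struct.pack_into("<H", opt, 68, 3)                                # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, CERT_DIR_OFF, cert_off, len(cert_table))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    return img + code.ljust(raw_size, b"\0") + overlay + cert_table


def parse_pe(data):
    """Header fields plus the overlay: bytes after the last section's raw data
    (on a signed file the WIN_CERTIFICATE blob usually sits there)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled here")
    cert_off, cert_len = struct.unpack_from("<II", data, opt + CERT_DIR_OFF)
    end = 0
    for i in range(nsect):                                # SizeOfRawData, PointerToRawData
        size, ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        end = max(end, ptr + size)
    return {"machine": machine, "timestamp": ts, "sections": nsect,
            "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "subsystem": struct.unpack_from("<H", data, opt + 68)[0],
            "overlay_offset": end, "overlay_size": len(data) - end,
            "opt_offset": opt, "cert_offset": cert_off, "cert_size": cert_len}


def entropy(buf):
    """Shannon entropy in bits per byte; near 8.0 means compressed, encrypted or DER/signature data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def authentihash(data, info, algo="sha256"):
    """Authenticode image hash: CheckSum, the security directory entry and the
    certificate table are skipped, so signing or re-signing leaves it unchanged."""
    cs, cd = info["opt_offset"] + CHECKSUM_OFF, info["opt_offset"] + CERT_DIR_OFF
    tail = data[cd + 8:]
    if info["cert_size"]:                                 # cut the WIN_CERTIFICATE range out
        rel = info["cert_offset"] - (cd + 8)
        tail = tail[:rel] + tail[rel + info["cert_size"]:]
    return hashlib.new(algo, data[:cs] + data[cs + 4:cd] + tail).hexdigest()


def imphash(imports):
    """imphash over (dll, function) pairs in import-table order: lowercase, library
    extension dropped, 'dll.func' entries joined by commas, MD5. Import-table parsing
    and ordinal resolution are out of scope here, so the pairs are passed in."""
    names = []
    for dll, func in imports:
        dll = dll.lower()
        dll = next((dll[:-len(e)] for e in (".dll", ".ocx", ".sys") if dll.endswith(e)), dll)
        names.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(names).encode()).hexdigest()


def timestamp_is_plausible(ts, signing_time, floor=datetime(1993, 1, 1, tzinfo=timezone.utc)):
    """A link stamp after the signature time, or before PE existed, is forged or zeroed."""
    built = datetime.fromtimestamp(ts, timezone.utc)
    return floor <= built <= signing_time


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_TIMESTAMP, overlay=bytes(range(256)) * 4,
                             cert_table=b"\x30\x82" + b"\0" * 30)    # toy DER-ish blob
    info = parse_pe(sample)
    print(info, "overlay entropy", round(entropy(sample[info["overlay_offset"]:]), 2))
    print("authentihash", authentihash(sample, info))
    print("imphash", imphash([("ADVAPI32.dll", "OpenProcessToken"), ("KERNEL32.dll", "SetThreadAffinityMask")]))
    print("timestamp plausible:", timestamp_is_plausible(info["timestamp"], SIGNING_TIME))
```

The authentihash is the value to pivot on when hunting for copies of this binary re-signed with another certificate: it stays constant across re-signing, while MD5/SHA1/SHA256 change with every certificate blob. An overlay entropy near 8 (7.15 over 7272 bytes on the real sample) is consistent with a DER-encoded signature blob sitting past the last section rather than packed code, and on a real file the overlay offset can be compared against the security data-directory entry to confirm that.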
VirusTotal metadata
First submission 2014-10-28 01:51:16 UTC ( 4 years, 3 months ago )
Last submission 2018-03-11 08:58:56 UTC ( 11 months, 2 weeks ago )
File names svchost.exe (16 submissions), svchost1.exe, svchos.exe, svchost.suck.exe, svchost.exe_, svchost.exe1, yam64-barcelona.exe, yam.exe, tpx.exe, chtoeto.exe
(The svchost.exe name is a masquerade. The genuine Windows Service Host is %SystemRoot%\System32\svchost.exe, is signed by Microsoft and is started by services.exe; an svchost.exe signed by JProof LLC, running from any other path, or importing Winsock and privilege-adjustment APIs as this one does, is not it. Path plus signer is the check to run on a host.)
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R00XC0EEQ16.

Symantec reputation Suspicious.Insight
No VirusTotal Community comments or votes on this item.