_9dyl.exe

Butterberge

Daniel Atallah

The application _9dyl.exe by Daniel Atallah has been detected as a potentially unwanted program by 27 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Inbsoft’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Daniel Atallah  (signed and verified)

Product:
Butterberge

Description:
Reiseabsichten

Version:
8.02.0002

MD5:
7fa3ffdd67f91750ff8768215f61f95c

SHA-1:
1f5136666ea289646741013040b63156db18ce79

SHA-256:
21c2f0f612691473e7a18d0712331539a6b84238be083428c15f855eec121d61

Scanner detections:
27 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 5:46:29 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Symmi.48380 | 281
Agnitum Outpost | Trojan.Boaxxe | 7.1.1
AhnLab V3 Security | Trojan/Win32.Foreign | 2014.12.19
Avira AntiVirus | TR/Dropper.VB.23681 | 7.11.196.146
avast! | Win32:Malware-gen | 2014.9-160428
AVG | Dropper.Generic9 | 2017.0.2759
Bitdefender | Gen:Variant.Symmi.48380 | 1.0.20.595
Bkav FE | W32.ReujaD.Trojan | 1.3.0.6267
Comodo Security | UnclassifiedMalware | 20405
Dr.Web | Trojan.Siggen6.23087 | 9.0.1.0119
Emsisoft Anti-Malware | Gen:Variant.Symmi.48380 | 8.16.04.28.08
ESET NOD32 | Win32/Boaxxe.BR | 10.10897
Fortinet FortiGate | W32/Injector.BPDI!tr | 4/28/2016
G Data | Gen:Variant.Symmi.48380 | 16.4.24
IKARUS anti.virus | Trojan.Win32.Boaxxe | t3scan.1.8.5.0
K7 AntiVirus | Unwanted-Program | 13.188.14380
Malwarebytes | Spyware.Zbot.ED | v2016.04.28.08
McAfee | GenericATG-FATY!7FA3FFDD67F9 | 5600.6415
Microsoft Security Essentials | Trojan:Win32/Miuref | 1.11302
MicroWorld eScan | Gen:Variant.Symmi.48380 | 17.0.0.357
NANO AntiVirus | Trojan.Win32.Siggen6.djieoq | 0.28.6.64267
Quick Heal | Trojan.Miuref.r3 | 4.16.14.00
Rising Antivirus | PE:Malware.XPACK-HIE/Heur!1.9C48 | 23.00.65.16426
Sophos | Troj/VB-HWR | 4.98
Total Defense | Win32/Tnega.MDHBXCB | 37.0.11337
Trend Micro House Call | Suspicious_GEN.F47V1129 | 7.2.119
VIPRE Antivirus | Trojan.Win32.Generic | 35834

File size:
141.8 KB (145,208 bytes)

Product version:
8.02.0002

Copyright:
Blutfahne

Trademarks:
Kriegstelegramme

Original file name:
Isolation.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\inbsoft\_9dyl.exe

Digital Signature
Signed by:

Authority:
StartCom Ltd.

Valid from:
9/19/2012 10:48:58 AM

Valid to:
9/21/2014 12:56:51 AM

Subject:
E=datallah@pidgin.im, CN=Daniel Atallah, L=Holland, S=Michigan, C=US, Description=FWg32Q3ZaA4V01lM

Issuer:
CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Serial number:
075E

File PE Metadata
Compilation timestamp:
10/2/2014 3:26:01 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:37MTelGlUO+flY+oH+ob5YRXFTWJnp8YE:37AyGlUO6O+ZGGRVTWJnFE

Entry address:
0x1344

Entry point:
68, 3C, 16, 41, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 91, 5D, E9, 26, AC, 61, 5B, 44, 9A, 8D, 24, D2, CA, 85, C6, EB, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 46, 61, 68, 72, 62, 65, 72, 69, 63, 68, 74, 73, 38, 00, 00, 00, 00, 00, 00, 00, FF, CC, 31, 00, 03, 71, F1, D8, 9F, 56, 28, 27, 49, 92, BF, 95, B3, 80, DD, 60, BB, D7, 7D, 43, 3E, B0, 76, EF, 41, BC, C6, EB, C4, 24, D7, FE, 5A, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
116 KB (118,784 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Inbsoft

Command:
C:\users\{user}\appdata\local\inbsoft\_9dyl.exe


Remove _9dyl.exe - Powered by Reason Core Security