» amohadd.exe
Overview
Analysis
File Details
Behaviors (1)
Network (24)

amohadd.exe

Maskasaft Visual Studio 2010

Maskasaft Corporation

The executable amohadd.exe, “Maskasaft Visual Studie 2010” has been detected as malware by 35 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.

File name:

amohadd.exe

Publisher:

Maskasaft Corporation

Product:

Maskasaft® Visual Studio® 2010

Description:

Maskasaft Visual Studie 2010

Version:

1.9.43074.5121 built by: SP1Rel

MD5:

fe97db06f60f41dfd83710b9e7502049

SHA-1:

67e6a8ccb40ce95a4cd98f37841f46138b9aeb0c

SHA-256:

0fcc26e3fdfe2127da9961a4d99de7af47f422dc02817a04e907804dfd29e4fa

Scanner detections:

35 / 68

Status:

Malware

Analysis date:

11/5/2024 10:33:44 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.GenericKD.1776354

905

Agnitum Outpost

Trojan.Kryptik

7.1.1

AhnLab V3 Security

Trojan/Win32.ZBot

2014.08.04

Avira AntiVirus

TR/Crypt.XPACK.Gen7

7.11.165.30

avast!

Win32:Malware-gen

2014.9-140813

AVG

Trojan horse Zbot

2015.0.3383

Baidu Antivirus

Trojan.Win32.Katusha

4.0.3.141027

Bitdefender

Trojan.GenericKD.1776354

1.0.20.1125

Bkav FE

W32.GenericGamarueW.Trojan

1.3.0.4959

Dr.Web

Trojan.Siggen6.15132

9.0.1.0225

Emsisoft Anti-Malware

Gen:Variant.Kazy.421046

8.14.08.13.10

ESET NOD32

Win32/Kryptik.CHMR trojan

8.7.0.302.0

Fortinet FortiGate

W32/Kryptik.CGEJ!tr

8/13/2014

F-Secure

Gen:Variant.Kazy.421046

11.2014-13-08_4

G Data

Trojan.GenericKD.1776354

14.8.24

IKARUS anti.virus

Trojan.Win32.Kryptik

t3scan.1.6.1.0

K7 AntiVirus

Trojan

13.182.12926

Kaspersky

Packed.Win32.Katusha

14.0.0.3410

Malwarebytes

Spyware.Zbot.MSXGen

v2014.08.13.11

McAfee

PWSZbot-FAAV!E9AEB47FAA20

5600.7039

Microsoft Security Essentials

PWS:Win32/Zbot

1.10802

MicroWorld eScan

Trojan.GenericKD.1776354

15.0.0.675

NANO AntiVirus

Trojan.Win32.Katusha.dcuezx

0.28.2.61148

Norman

Kryptik.CEDE

11.20141027

nProtect

Trojan.GenericKD.1776354

14.08.03.01

Panda Antivirus

Trj/Genetic.gen

14.08.13.11

Qihoo 360 Security

HEUR/Malware.QVM20.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

14.9.15.11

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.14811

Sophos

Troj/Agent-AIDA

4.98

SUPERAntiSpyware

Trojan.Agent/Gen-FalComp

10423

Total Defense

Win32/Zbot.MYaZNOB

37.0.11118

Trend Micro House Call

Suspicious_GEN.F47V0726

7.2.225

Trend Micro

TSPY_ZBOT.SMZH

10.465.13

VIPRE Antivirus

Trojan.Win32.Generic

31904

File size:

421.7 KB (431,813 bytes)

Product version:

1.9.43074.5121

Original file name:

devenv.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\eqnuboav\amohadd.exe

File PE Metadata

Compilation timestamp:

4/2/2012 9:25:14 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

6144:cPUDpE/Q7YOh6reRNVs6rUc5fPsrrqds9dqKhEFe:GUlQQ77Qms6z8rrqu84

Entry address:

0xC044

Entry point:

55, 8B, EC, 81, EC, 94, 01, 00, 00, BA, C4, 00, 00, 00, 89, 95, 6C, FF, FF, FF, 53, 03, D2, EB, 15, 83, C7, 28, 8B, DF, EB, 0E, 81, F2, 00, 00, 23, 89, 8B, CA, 89, 8D, 74, FE, FF, FF, 56, 3B, D1, 75, 0C, 8B, 85, 6C, FF, FF, FF, 89, 85, 6C, FF, FF, FF, 57, 03, C1, 89, 85, 6C, FF, FF, FF, 23, C2, 8B, BD, 6C, FF, FF, FF, 3B, BD, 18, FF, FF, FF, 74, 0F, 33, C7, EB, 0B, 8B, 15, 8C, 80, 44, 00, 33, D3, 89, 55, F0, 8D, 45, 84, 50, FF, 15, 54, 65, 44, 00, EB, 22, BF, 09, 00, 00, 00, 89, 8D, C8, FE, FF, FF, EB, 15... 
[+]

Entropy:

7.2244

Developed / compiled with:

Microsoft Visual C++

Code size:

139.5 KB (142,848 bytes)

Scheduled Task

Task name:

Security Center Update - 2875229475

Trigger:

Daily (Runs daily at 10:00 PM)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to vip1.g.cachefly.net (205.234.175.175:443)

TCP (HTTP):

Connects to ox-173-241-242-12.xv.dc.openx.org (173.241.242.12:80)

TCP (HTTP):

Connects to media.dc6.vcmedia.com (8.18.45.90:80)

TCP (HTTP):

Connects to lga15s43-in-f30.1e100.net (74.125.226.62:80)

TCP (HTTP):

Connects to lga15s42-in-f8.1e100.net (74.125.226.8:80)

TCP (HTTP SSL):

Connects to lga15s42-in-f4.1e100.net (74.125.226.4:443)

TCP (HTTP):

Connects to lga15s42-in-f25.1e100.net (74.125.226.25:80)

TCP (HTTP):

Connects to lga15s34-in-f13.1e100.net (173.194.43.13:80)

TCP (HTTP):

Connects to float.664.bm-impbus.prod.nym2.adnexus.net (68.67.152.207:80)

TCP (HTTP):

Connects to edge-star-shv-10-iad1.facebook.com (31.13.69.80:80)

TCP (HTTP):

Connects to ec2-54-243-171-86.compute-1.amazonaws.com (54.243.171.86:80)

TCP (HTTP):

Connects to ec2-54-235-141-53.compute-1.amazonaws.com (54.235.141.53:80)

TCP (HTTP):

Connects to ec2-54-183-32-60.us-west-1.compute.amazonaws.com (54.183.32.60:80)

TCP (HTTP):

Connects to ec2-23-23-223-135.compute-1.amazonaws.com (23.23.223.135:80)

TCP (HTTP):

Connects to ec2-107-23-151-87.compute-1.amazonaws.com (107.23.151.87:80)

TCP (HTTP):

Connects to ec2-107-21-29-47.compute-1.amazonaws.com (107.21.29.47:80)

TCP (HTTP):

Connects to ec2-107-20-179-108.compute-1.amazonaws.com (107.20.179.108:80)

TCP (HTTP):

Connects to a23-67-244-34.deploy.static.akamaitechnologies.com (23.67.244.34:80)

TCP (HTTP):

Connects to a23-67-244-122.deploy.static.akamaitechnologies.com (23.67.244.122:80)

TCP (HTTP):

Connects to a23-67-244-113.deploy.static.akamaitechnologies.com (23.67.244.113:80)

Remove amohadd.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.