amohadd.exe

Maskasaft Visual Studio 2010

Maskasaft Corporation

The executable amohadd.exe, “Maskasaft Visual Studie 2010” has been detected as malware by 35 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Maskasaft Corporation

Product:
Maskasaft® Visual Studio® 2010

Description:
Maskasaft Visual Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
fe97db06f60f41dfd83710b9e7502049

SHA-1:
67e6a8ccb40ce95a4cd98f37841f46138b9aeb0c

SHA-256:
0fcc26e3fdfe2127da9961a4d99de7af47f422dc02817a04e907804dfd29e4fa

Scanner detections:
35 / 68

Status:
Malware

Analysis date:
11/23/2024 6:31:08 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.1776354
905

Agnitum Outpost
Trojan.Kryptik
7.1.1

AhnLab V3 Security
Trojan/Win32.ZBot
2014.08.04

Avira AntiVirus
TR/Crypt.XPACK.Gen7
7.11.165.30

avast!
Win32:Malware-gen
2014.9-140813

AVG
Trojan horse Zbot
2015.0.3383

Baidu Antivirus
Trojan.Win32.Katusha
4.0.3.141027

Bitdefender
Trojan.GenericKD.1776354
1.0.20.1125

Bkav FE
W32.GenericGamarueW.Trojan
1.3.0.4959

Dr.Web
Trojan.Siggen6.15132
9.0.1.0225

Emsisoft Anti-Malware
Gen:Variant.Kazy.421046
8.14.08.13.10

ESET NOD32
Win32/Kryptik.CHMR trojan
8.7.0.302.0

Fortinet FortiGate
W32/Kryptik.CGEJ!tr
8/13/2014

F-Secure
Gen:Variant.Kazy.421046
11.2014-13-08_4

G Data
Trojan.GenericKD.1776354
14.8.24

IKARUS anti.virus
Trojan.Win32.Kryptik
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.182.12926

Kaspersky
Packed.Win32.Katusha
14.0.0.3410

Malwarebytes
Spyware.Zbot.MSXGen
v2014.08.13.11

McAfee
PWSZbot-FAAV!E9AEB47FAA20
5600.7039

Microsoft Security Essentials
PWS:Win32/Zbot
1.10802

MicroWorld eScan
Trojan.GenericKD.1776354
15.0.0.675

NANO AntiVirus
Trojan.Win32.Katusha.dcuezx
0.28.2.61148

Norman
Kryptik.CEDE
11.20141027

nProtect
Trojan.GenericKD.1776354
14.08.03.01

Panda Antivirus
Trj/Genetic.gen
14.08.13.11

Qihoo 360 Security
HEUR/Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.9.15.11

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.14811

Sophos
Troj/Agent-AIDA
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-FalComp
10423

Total Defense
Win32/Zbot.MYaZNOB
37.0.11118

Trend Micro House Call
Suspicious_GEN.F47V0726
7.2.225

Trend Micro
TSPY_ZBOT.SMZH
10.465.13

VIPRE Antivirus
Trojan.Win32.Generic
31904

File size:
421.7 KB (431,813 bytes)

Product version:
1.9.43074.5121

Copyright:
© Maskasaft Corporation. All rights reserved.

Original file name:
devenv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\eqnuboav\amohadd.exe

File PE Metadata
Compilation timestamp:
4/2/2012 9:25:14 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:cPUDpE/Q7YOh6reRNVs6rUc5fPsrrqds9dqKhEFe:GUlQQ77Qms6z8rrqu84

Entry address:
0xC044

Entry point:
55, 8B, EC, 81, EC, 94, 01, 00, 00, BA, C4, 00, 00, 00, 89, 95, 6C, FF, FF, FF, 53, 03, D2, EB, 15, 83, C7, 28, 8B, DF, EB, 0E, 81, F2, 00, 00, 23, 89, 8B, CA, 89, 8D, 74, FE, FF, FF, 56, 3B, D1, 75, 0C, 8B, 85, 6C, FF, FF, FF, 89, 85, 6C, FF, FF, FF, 57, 03, C1, 89, 85, 6C, FF, FF, FF, 23, C2, 8B, BD, 6C, FF, FF, FF, 3B, BD, 18, FF, FF, FF, 74, 0F, 33, C7, EB, 0B, 8B, 15, 8C, 80, 44, 00, 33, D3, 89, 55, F0, 8D, 45, 84, 50, FF, 15, 54, 65, 44, 00, EB, 22, BF, 09, 00, 00, 00, 89, 8D, C8, FE, FF, FF, EB, 15...
 
[+]

Entropy:
7.2244

Developed / compiled with:
Microsoft Visual C++

Code size:
139.5 KB (142,848 bytes)

Scheduled Task
Task name:
Security Center Update - 2875229475

Trigger:
Daily (Runs daily at 10:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to vip1.g.cachefly.net  (205.234.175.175:443)

TCP (HTTP):
Connects to ox-173-241-242-12.xv.dc.openx.org  (173.241.242.12:80)

TCP (HTTP):
Connects to media.dc6.vcmedia.com  (8.18.45.90:80)

TCP (HTTP):
Connects to lga15s43-in-f30.1e100.net  (74.125.226.62:80)

TCP (HTTP):
Connects to lga15s42-in-f8.1e100.net  (74.125.226.8:80)

TCP (HTTP SSL):
Connects to lga15s42-in-f4.1e100.net  (74.125.226.4:443)

TCP (HTTP):
Connects to lga15s42-in-f25.1e100.net  (74.125.226.25:80)

TCP (HTTP):
Connects to lga15s34-in-f13.1e100.net  (173.194.43.13:80)

TCP (HTTP):
Connects to float.664.bm-impbus.prod.nym2.adnexus.net  (68.67.152.207:80)

TCP (HTTP):
Connects to edge-star-shv-10-iad1.facebook.com  (31.13.69.80:80)

TCP (HTTP):
Connects to ec2-54-243-171-86.compute-1.amazonaws.com  (54.243.171.86:80)

TCP (HTTP):
Connects to ec2-54-235-141-53.compute-1.amazonaws.com  (54.235.141.53:80)

TCP (HTTP):
Connects to ec2-54-183-32-60.us-west-1.compute.amazonaws.com  (54.183.32.60:80)

TCP (HTTP):
Connects to ec2-23-23-223-135.compute-1.amazonaws.com  (23.23.223.135:80)

TCP (HTTP):
Connects to ec2-107-23-151-87.compute-1.amazonaws.com  (107.23.151.87:80)

TCP (HTTP):
Connects to ec2-107-21-29-47.compute-1.amazonaws.com  (107.21.29.47:80)

TCP (HTTP):
Connects to ec2-107-20-179-108.compute-1.amazonaws.com  (107.20.179.108:80)

TCP (HTTP):

TCP (HTTP):
Connects to a23-67-244-122.deploy.static.akamaitechnologies.com  (23.67.244.122:80)

TCP (HTTP):
Connects to a23-67-244-113.deploy.static.akamaitechnologies.com  (23.67.244.113:80)

Remove amohadd.exe - Powered by Reason Core Security