aon.exe

The executable aon.exe has been detected as malware by 38 anti-virus scanners. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address ip123.ip-198-27-99.net on port 80 using the HTTP protocol.
MD5:
e5150542c41486598920f7db67da3fde

SHA-1:
86ddfdf0c8488965ebd9819a4583cefe42f7019e

SHA-256:
255cd70169094ddfd8eb01984b21c79880f73029dcc0e2fd59978b20907417c8

Scanner detections:
38 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
11/23/2024 2:59:46 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Ramnit.N
-19

AegisLab AV Signature
W32.Nimnul.mjEl
2.1.4+

AhnLab V3 Security
Win32/Ramnit.G
3.8.3.16

Avira AntiVirus
W32/Ramnit.C
8.3.3.4

Arcabit
Win32.Ramnit.N
1.0.0.795

avast!
Win32:RmnDrp
2014.9-170222

AVG
Win32/Zbot.F
2018.0.2459

Baidu Antivirus
Win32.Virus.Nimnul
4.0.3.17222

Bitdefender
Win32.Ramnit.N
1.0.20.265

Bkav FE
W32.Tmgrtext.PE
1.3.0.8871

Clam AntiVirus
Win.Trojan.Ramnit-1847
0.99.211

Comodo Security
Virus.Win32.Ramnit.K
26635

Dr.Web
Win32.Rmnet.8
9.0.1.053

Emsisoft Anti-Malware
Win32.Ramnit.N
8.17.02.22.04

ESET NOD32
Win32/Ramnit
11.14973

Fortinet FortiGate
W32/Ramnit.A
2/22/2017

F-Prot
W32/Ramnit.B!Generic
v6.4.7.1.166

F-Secure
Win32.Ramnit.N
11.2017-22-02_4

G Data
Win32.Ramnit
17.2.25

IKARUS anti.virus
Virus.Win32.Ramnit
0.2.1.2

K7 AntiVirus
Virus
13.10.1.22497

Kaspersky
Virus.Win32.Nimnul
14.0.0.-1208

McAfee
W32/Ramnit.a
5600.6115

Microsoft Security Essentials
Virus:Win32/Ramnit.J
1.1.13407.0

MicroWorld eScan
Win32.Ramnit.N
18.0.0.159

NANO AntiVirus
Virus.Win32.Nimnul.bqjjnb
1.0.70.15190

nProtect
Virus/W32.SpyEye
17.02.21.02

Panda Antivirus
W32/Cosmu.E
17.02.22.04

Qihoo 360 Security
Virus.Win32.Ramnit.A
1.0.0.1120

Quick Heal
W32.Ramnit.BA
2.17.14.00

Rising Antivirus
Virus.Mgr!1.9AD0 (classic)
23.00.65.17220

Sophos
W32/Ramnit-A
4.98

Trend Micro House Call
PE_RAMNIT.DEN
7.2.53

Trend Micro
PE_RAMNIT.DEN
10.465.22

Vba32 AntiVirus
Virus.Win32.Nimnul.b
3.12.26.4

VIPRE Antivirus
Virus.Win32.Ramnit.b
56144

ViRobot
Win32.Nimnul.A[h]
2014.3.20.0

Zillya! Antivirus
Virus.Nimnul.Win32.1
2.0.0.3211

File size:
2.2 MB (2,343,257 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
2/11/2010 4:35:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x101D000

Entry point:
60, E8, 00, 00, 00, 00, 5D, 8B, C5, 81, ED, A8, A6, 01, 20, 2B, 85, 0F, AE, 01, 20, 89, 85, 0B, AE, 01, 20, B0, 00, 86, 85, 40, B0, 01, 20, 3C, 01, 0F, 85, BC, 01, 00, 00, 83, BD, 3B, AF, 01, 20, 00, 74, 33, 83, BD, 3F, AF, 01, 20, 00, 74, 2A, 8B, 85, 0B, AE, 01, 20, 2B, 85, 3B, AF, 01, 20, 8B, 00, 89, 85, 78, AF, 01, 20, 8B, 85, 0B, AE, 01, 20, 2B, 85, 3F, AF, 01, 20, 8B, 00, 89, 85, 7C, AF, 01, 20, EB, 61, 83, BD, 43, AF, 01, 20, 00, 74, 58, 8B, 85, 0B, AE, 01, 20, 2B, 85, 43, AF, 01, 20, FF, 30, 8D, 85...
 
[+]

Packer / compiler:
ASPack v1.08.04

Code size:
1.8 MB (1,884,160 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to projects.sourceforge.net  (216.34.181.96:80)

TCP (HTTP):
Connects to ip123.ip-198-27-99.net  (198.27.99.123:80)

TCP:
Connects to ip80.ip-144-217-210.net  (144.217.210.80:8281)

Remove aon.exe - Powered by Reason Core Security