banaduy.exe

Maskaseft Visual Studio 2010

Maskaseft Corporation

The executable banaduy.exe, “Maskaseft Visual Studie 2010” has been detected as malware by 37 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address alb51.clearspring.com on port 80 using the HTTP protocol.
Publisher:
Maskaseft Corporation

Product:
Maskaseft® Visual Studio® 2010

Description:
Maskaseft Visual Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
df3df77c347be68113d138e97bc5d197

SHA-1:
4f53cb36391173fef078d6ab5b4e17aeb5bdc4f5

SHA-256:
d33c80fd7a443f274b1ae0aa6c7c45c6205530311934094247f918c2f5a73255

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
11/2/2024 3:32:46 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Backdoor.Bot.78115
894

Agnitum Outpost
TrojanSpy.Zbot
7.1.1

AhnLab V3 Security
Trojan/Win32.Zbot
2014.08.25

Avira AntiVirus
TR/Crypt.XPACK.Gen7
7.11.168.254

avast!
Win32:Dropper-gen [Drp]
140813-1

AVG
Trojan horse SHeur4.BZIT
2014.0.3986

Baidu Antivirus
Trojan.Win32.Kryptik
4.0.3.14911

Bitdefender
Backdoor.Bot.78115
1.0.20.1180

Bkav FE
HW32.CDB
1.3.0.4959

Comodo Security
TrojWare.Win32.Kryptik.CHPD
19302

Dr.Web
Trojan.KillProc.32251
9.0.1.05190

Emsisoft Anti-Malware
Backdoor.Bot.78115
8.14.08.24.02

ESET NOD32
Win32/Kryptik.CHTD trojan
7.0.302.0

Fortinet FortiGate
W32/Zbot.CHTD!tr
8/24/2014

F-Secure
Backdoor.Bot.78115
11.2014-24-08_1

G Data
Backdoor.Bot.78115
14.8.24

IKARUS anti.virus
Trojan.Win32.Spy
t3scan.1.7.5.0

K7 AntiVirus
Trojan
13.183.13139

Kaspersky
Trojan-Spy.Win32.Zbot
15.0.0.494

Malwarebytes
Trojan.Zbot.gen
v2014.08.24.02

McAfee
PWSZbot-FAAV!DF3DF77C347B
5600.7028

Microsoft Security Essentials
Trojan:Win32/Peaac.gen!A
1.10904

MicroWorld eScan
Backdoor.Bot.78115
15.0.0.708

NANO AntiVirus
Trojan.Win32.Zbot.ddbrxh
0.28.2.61721

nProtect
Backdoor.Bot.78115
14.08.24.01

Panda Antivirus
Trj/Zbot.M
14.08.24.02

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.9.11.0

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.14822

Sophos
Mal/EncPk-AMJ
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-FalComp
10402

Total Defense
Win32/Zbot.GSeUOLC
37.0.11140

Trend Micro House Call
TSPY_ZBOT.SMLAK
7.2.236

Trend Micro
TSPY_ZBOT.SMLAK
10.465.24

Vba32 AntiVirus
TrojanSpy.Zbot
3.12.26.3

VIPRE Antivirus
Threat.4150696
32210

Zillya! Antivirus
Trojan.Zbot.Win32.162775
2.0.0.1900

File size:
296.7 KB (303,803 bytes)

Product version:
1.9.43074.5121

Copyright:
© Maskaseft Corporation. All rights reserved.

Original file name:
devonv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\numizus\banaduy.exe

File PE Metadata
Compilation timestamp:
7/7/2010 10:45:31 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:0f7SENuYbvwvkaO2lopv7MMwavZSfOsk8cl+DYgtb:0fWM9bikoMv7MMwPc8cg5

Entry address:
0xC988

Entry point:
55, 8B, EC, 81, EC, 0C, 01, 00, 00, BA, 37, 00, 00, 00, 81, C2, 00, 91, 02, 00, 89, 95, 08, FF, FF, FF, 53, 89, 95, 08, FF, FF, FF, 56, 03, D2, EB, 19, B9, 69, 00, 00, 00, 81, E9, 00, 18, 74, 20, 52, 68, 00, 15, 4A, 78, E8, 8A, 1F, 00, 00, 83, C4, 08, 57, 83, F8, 96, 74, 0F, 68, 00, C5, 58, 14, 6A, 7C, E8, AB, 17, 00, 00, 83, C4, 08, 50, E8, BB, 18, 00, 00, 83, C4, 04, 8D, 7D, D0, 57, FF, 15, 08, 49, 42, 00, 8B, BD, 08, FF, FF, FF, 83, F7, A9, 89, 85, 08, FF, FF, FF, 68, 00, 5D, 4B, C0, E8, 46, 1F, 00, 00...
 
[+]

Entropy:
7.8412

Developed / compiled with:
Microsoft Visual C++

Code size:
138 KB (141,312 bytes)

Scheduled Task
Task name:
Security Center Update - 3534691338

Trigger:
Daily (Runs daily at 8:00:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to yts2.yql.vip.sg3.yahoo.com  (106.10.137.175:443)

TCP (HTTP):
Connects to server-54-230-151-104.sin2.r.cloudfront.net  (54.230.151.104:80)

TCP (HTTP):
Connects to server-54-230-150-76.sin2.r.cloudfront.net  (54.230.150.76:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (207.171.163.213:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.1.129:80)

TCP (HTTP):
Connects to raphael.datablocks.net  (199.212.255.139:80)

TCP (HTTP):
Connects to rack6u8.hispaweb.net  (93.189.35.249:80)

TCP (HTTP):
Connects to rack1u42.hispaweb.net  (109.70.128.160:80)

TCP (HTTP SSL):
Connects to r2.ycpi.vip.sg3.yahoo.net  (106.10.199.11:443)

TCP (HTTP SSL):
Connects to r-199-59-149-200.twttr.com  (199.59.149.200:443)

TCP (HTTP SSL):
Connects to r1.ycpi.vip.sg3.yahoo.net  (106.10.199.10:443)

TCP (HTTP):
Connects to ox-173-241-248-153.xf.dc.openx.org  (173.241.248.153:80)

TCP (HTTP):
Connects to mpr1.ngd.vip.sg3.yahoo.com  (106.10.198.33:80)

TCP (HTTP):
Connects to mc.yandex.ru  (87.250.250.119:80)

TCP (HTTP):
Connects to mallet9.wikipolo.com  (46.244.10.228:80)

TCP (HTTP):
Connects to li86-109.members.linode.com  (74.207.244.109:8080)

TCP (HTTP SSL):
Connects to l1.ycs.vip.sg3.yahoo.com  (106.10.199.78:443)

TCP (HTTP):
Connects to kul06s06-in-f27.1e100.net  (173.194.126.123:80)

TCP (HTTP):
Connects to kul01s07-in-f27.1e100.net  (173.194.126.27:80)

TCP (HTTP):
Connects to kul01s07-in-f25.1e100.net  (173.194.126.25:80)

Remove banaduy.exe - Powered by Reason Core Security