duuvri.exe

Maskiseft Visual Studio 2010

Maskiseft Corporation

The executable duuvri.exe, “Maskiseft Visual Studie 2010”, has been detected as malware by 30 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address float.2064.bm-impbus.prod.nym2.adnexus.net on port 80 using the HTTP protocol.
Publisher:
Maskiseft Corporation

Product:
Maskiseft® Visual Studio® 2010

Description:
Maskiseft Visual Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
2df562be56fcf82a37e240618080e2db

SHA-1:
f0333bb78d16541dda4594a84475ea93c9202d4d

SHA-256:
126a96ef174dac8f207cf99a8fd4990b9d7ce2d46d9707c377dcfca2ae45111b

Scanner detections:
30 / 68

Status:
Malware

Analysis date:
11/1/2024 12:23:55 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.429305 | 901
Agnitum Outpost | Trojan.Injector | 7.1.1
AhnLab V3 Security | Trojan/Win32.ZBot | 2014.08.18
Avira AntiVirus | TR/Crypt.XPACK.Gen | 7.11.30.172
avast! | Win32:Malware-gen | 140813-1
AVG | Trojan horse Inject2.AQVH | 2014.0.4007
Bitdefender | Gen:Variant.Kazy.429305 | 1.0.20.1145
Bkav FE | W32.KryptikFciogF.Trojan | 1.3.0.4959
Dr.Web | Trojan.Packed.28434 | 9.0.1.05190
Emsisoft Anti-Malware | Gen:Variant.Kazy.429305 | 9.0.0.4324
ESET NOD32 | Win32/Kryptik.CIOG trojan | 7.0.302.0
Fortinet FortiGate | W32/Kryptik.CIOG!tr | 8/17/2014
F-Secure | Gen:Variant.Kazy.429305 | 11.2014-17-08_1
G Data | Gen:Variant.Kazy.429305 | 14.8.24
K7 AntiVirus | Trojan | 13.183.13054
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.3392
Malwarebytes | Trojan.Zbot.gen | v2014.08.17.02
McAfee | PWSZbot-FABW!2DF562BE56FC | 5600.7035
Microsoft Security Essentials | Threat.Undefined | 1.179.3249.0
MicroWorld eScan | Gen:Variant.Kazy.429305 | 15.0.0.687
NANO AntiVirus | Trojan.Win32.XPACK.ddsdno | 0.28.2.61519
Panda Antivirus | Trj/Genetic.gen | 14.08.17.02
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.14815
Sophos | Troj/Agent-AIIM | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-FalComp | 10416
Total Defense | Win32/Zbot.UTcTOZ | 37.0.11126
Trend Micro House Call | TSPY_ZBOT.SMLAK | 7.2.229
Trend Micro | TSPY_ZBOT.SMLAK | 10.465.17
VIPRE Antivirus | Threat.4789469 | 32210

File size:
298.1 KB (305,228 bytes)

Product version:
1.9.43074.5121

Copyright:
© Maskiseft Corporation. All rights reserved.

Original file name:
divonv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\actykidu\duuvri.exe

File PE Metadata
Compilation timestamp:
12/23/2012 9:43:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:Og/yVmlxfINWvYwBuCp0mwxfwduXBtBZBkUv1P86yIaVL2MdD8c4:X/yYlxfGWA2uCpinf/Bw6yJSc4

Entry address:
0xC97C

Entry point:
55, 8B, EC, 81, EC, E0, 00, 00, 00, B9, 80, 41, C1, 83, 68, 00, B9, 8C, 27, 68, 00, 77, BD, C7, 51, E8, 7D, 17, 00, 00, 83, C4, 0C, 53, B8, C9, 00, 00, 00, 89, 45, E8, 56, 2D, 00, 00, 11, 21, EB, 06, 89, B5, 44, FF, FF, FF, 57, 8B, 45, E8, 6A, BB, 6A, A6, 50, 68, 00, 9B, 75, 4B, 50, E8, 8D, 1A, 00, 00, 83, C4, 14, 83, E8, 63, 3B, 05, A8, CA, 42, 00, 75, 15, 8B, 4D, E8, 89, 45, F8, F7, C1, 3A, 00, 00, 00, 75, 07, 8B, D9, 33, D8, 89, 5D, E8, 6A, 00, 6A, 00, 68, CD, 00, 00, 00, 68, 3C, CA, 42, 00, FF, 15, 8C...

Entropy:
7.8307

Developed / compiled with:
Microsoft Visual C++

Code size:
137.5 KB (140,800 bytes)

Scheduled Task
Task name:
Security Center Update - 1413650274

Trigger:
Daily (Runs daily at 2:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to yv-in-f149.1e100.net  (74.125.21.149:443)

TCP (HTTP SSL):
Connects to yv-in-f148.1e100.net  (74.125.21.148:443)

TCP (HTTP):
Connects to yv-in-f138.1e100.net  (74.125.21.138:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-08-ord1.fbcdn.net  (31.13.74.119:443)

TCP (HTTP):
Connects to www.dailymotion.com  (195.8.215.136:80)

TCP (HTTP):
Connects to wordpress.com  (76.74.255.123:80)

TCP (HTTP):
Connects to s-prd-ads01-adcom_nwa_blue.evip.aol.com  (149.174.67.65:80)

TCP:
Connects to server-54-239-173-56.atl50.r.cloudfront.net  (54.239.173.56:1935)

TCP (HTTP):
Connects to server-54-239-172-220.atl50.r.cloudfront.net  (54.239.172.220:80)

TCP (HTTP):
Connects to server-54-239-172-169.atl50.r.cloudfront.net  (54.239.172.169:80)

TCP (HTTP):
Connects to server-54-230-207-53.atl50.r.cloudfront.net  (54.230.207.53:80)

TCP (HTTP):
Connects to server-54-230-207-123.atl50.r.cloudfront.net  (54.230.207.123:80)

TCP (HTTP):
Connects to server-54-230-207-106.atl50.r.cloudfront.net  (54.230.207.106:80)

TCP (HTTP):
Connects to server-54-230-206-92.atl50.r.cloudfront.net  (54.230.206.92:80)

TCP (HTTP):
Connects to server-54-230-206-252.atl50.r.cloudfront.net  (54.230.206.252:80)

TCP (HTTP):
Connects to server-54-230-206-226.atl50.r.cloudfront.net  (54.230.206.226:80)

TCP (HTTP):
Connects to server-54-230-205-122.atl50.r.cloudfront.net  (54.230.205.122:80)

TCP (HTTP):
Connects to server-54-230-205-106.atl50.r.cloudfront.net  (54.230.205.106:80)

TCP (HTTP):
Connects to server-54-230-204-81.atl50.r.cloudfront.net  (54.230.204.81:80)

TCP (HTTP):
Connects to server-54-230-204-253.atl50.r.cloudfront.net  (54.230.204.253:80)
