» eduroam-w7-tub.exe
Overview
Analysis
File Details
Downloads (2)

eduroam-w7-tub.exe

The executable eduroam-w7-tub.exe has been detected as malware by 2 anti-virus scanners. The program is a setup application that uses the Nullsoft Install System installer, however the file is not signed with an authenticode signature from a trusted source. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. The file has been seen being downloaded from www.tubit.tu-berlin.de and multiple other hosts.

File name:

eduroam-w7-tub.exe

MD5:

34cb6a0f007bd01a834b7d50a7381a2b

SHA-1:

c9a99aa5a56a6159989c368cba26023375b260fc

SHA-256:

2a4622a3efbd0ed02cebf8c1515ee1a7ecb7c61db41c943c1fe1e7d79ca3eda2

Scanner detections:

2 / 68

Status:

Malware

Explanation:

This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:

Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:

1/13/2025 6:34:31 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Threat.Win.Reputation.IMP

16.12.11.18

Rising Antivirus

Trojan.Spy.Win32.Zbot.gct

23.00.65.16509

File size:

539.9 KB (552,880 bytes)

File type:

Executable application (Win32 EXE)

Installer:

Nullsoft Install System

Common path:

C:\users\{user}\downloads\eduroam-w7-tub.exe

File PE Metadata

Compilation timestamp:

1/5/2012 7:20:39 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.22

CTPH (ssdeep):

12288:8+LpOYYogsBQnHW52sOMbrG90Jjj5b47Jk6a:8+dpRBQHxshnr

Entry address:

0x4105

Entry point:

55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 83, 7A, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 84, 7A, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 84, 7A, 00, 56, A3, 6C, 63, 7A, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, C8, 63, 7A, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 84, 7A, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7... 
[+]

Code size:

32.5 KB (33,280 bytes)

The file eduroam-w7-tub.exe has been seen being distributed by the following 2 URLs.

http://www.tubit.tu-berlin.de/fileadmin/a40000000/tubIT/KD/.../eduroam-W7-TUB.exe

https://www.tubit.tu-berlin.de/fileadmin/a40000000/tubIT/KD/.../eduroam-W7-TUB.exe

Remove eduroam-w7-tub.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.