eseme.exe

The executable eseme.exe has been detected as malware by 19 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
MD5:
c4a321eb8f93dcdb9e91f222351d8c0b

SHA-1:
a0edc6c41d6e7ffd4cc5f6492f56dd11f09b0f99

SHA-256:
df5aef03cf7874c0e5abfdc75fde1ebd60367ff3300a87dd5aad50c45caa6f7b

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
12/24/2024 12:55:15 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Spy.Zbot.FOF
823

AegisLab AV Signature
Troj.W32.Gen
2.1.4+

AhnLab V3 Security
Trojan/Win32.Necurs
2014.11.04

avast!
Win32:Malware-gen
141025-0

AVG
SHeur4
2015.0.3301

Bitdefender
Trojan.Spy.Zbot.FOF
1.0.20.1535

Bkav FE
HW32.Packed
1.3.0.6185

Clam AntiVirus
Win.Trojan.Zbot-37702
0.98/19586

Dr.Web
Trojan.Siggen6.22973
9.0.1.05190

Emsisoft Anti-Malware
Trojan.Spy.Zbot.FOF
8.14.11.03.03

ESET NOD32
Win32/Spy.Zbot.ABP
8.10664

F-Prot
W32/Skintrim.1!Generic
4.6.5.141

F-Secure
Trojan.Spy.Zbot.FOF
11.2014-08-11_7

G Data
Trojan.Spy.Zbot.FOF
14.11.24

Kaspersky
Trojan-Spy.Win32.Zbot
14.0.0.2976

Malwarebytes
Spyware.Zbot.ED
v2014.11.03.03

Microsoft Security Essentials
PWS:Win32/Zbot
1.11104

Qihoo 360 Security
Malware.QVM07.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.11.8.21

File size:
282 KB (288,731 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\bemeqoof\eseme.exe

File PE Metadata
Compilation timestamp:
6/8/1992 3:06:30 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:KsXeMUkYZkDX+ii/JvvD3b+e3tWnOahz7ms48BhvCg:pOzksk74Bv7rdOFM8Z

Entry address:
0x8BA2

Entry point:
55, 8B, EC, 6A, FF, 68, A0, AB, 40, 00, 68, 90, 8D, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 50, 90, 40, 00, 59, 83, 0D, 1C, F2, 5B, 00, FF, 83, 0D, 20, F2, 5B, 00, FF, FF, 15, 4C, 90, 40, 00, 8B, 0D, 18, F2, 5B, 00, 89, 08, FF, 15, 68, 90, 40, 00, 8B, 0D, 14, F2, 5B, 00, 89, 08, A1, 48, 90, 40, 00, 8B, 00, A3, 24, F2, 5B, 00, E8, 28, 01, 00, 00, 39, 1D, FC, C1, 40, 00, 75, 0C, 68, 36, 8D, 40, 00, FF, 15, 44, 90...
 
[+]

Entropy:
7.7234

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
32 KB (32,768 bytes)

Scheduled Task
Task name:
Security Center Update - 3208473233

Trigger:
Daily (Runs daily at 3:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to utsapi-adcom-mtc.evip.aol.com  (64.12.68.22:80)

TCP (HTTP):
Connects to qc-in-f95.1e100.net  (173.194.76.95:80)

TCP (HTTP):
Connects to qc-in-f154.1e100.net  (173.194.76.154:80)

TCP (HTTP):
Connects to m-nb.xplusone.com  (199.38.164.155:80)

TCP (HTTP SSL):
Connects to iad23s06-in-f3.1e100.net  (74.125.228.35:443)

TCP (HTTP):
Connects to iad23s05-in-f28.1e100.net  (74.125.228.28:80)

TCP (HTTP):
Connects to iad23s05-in-f27.1e100.net  (74.125.228.27:80)

TCP (HTTP):
Connects to iad23s05-in-f26.1e100.net  (74.125.228.26:80)

TCP (HTTP):
Connects to iad23s05-in-f1.1e100.net  (74.125.228.1:80)

TCP (HTTP SSL):
Connects to iad23s05-in-f0.1e100.net  (74.125.228.0:443)

TCP (HTTP):

TCP (HTTP):
Connects to a23-66-230-163.deploy.static.akamaitechnologies.com  (23.66.230.163:80)

TCP (HTTP):
Connects to a23-66-230-162.deploy.static.akamaitechnologies.com  (23.66.230.162:80)

TCP (HTTP):
Connects to a23-66-230-129.deploy.static.akamaitechnologies.com  (23.66.230.129:80)

TCP (HTTP):
Connects to a23-66-230-128.deploy.static.akamaitechnologies.com  (23.66.230.128:80)

TCP (HTTP):
Connects to a23-66-230-107.deploy.static.akamaitechnologies.com  (23.66.230.107:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):

Remove eseme.exe - Powered by Reason Core Security