firewallcg.exe

Unmature

Malwarebytes Corporation

The executable firewallcg.exe has been detected as malware by 28 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘PC’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Inhsallcaiesa (signed by Malwarebytes Corporation)

Product:
Unmature

Description:
Verdour beggar

Version:
1.08.0006

MD5:
3cc69306323e70f3c13710e4d9b6a867

SHA-1:
c9ed519666570fe61f255a6d862c185277fca248

Scanner detections:
28 / 68

Status:
Malware

Analysis date:
11/27/2024 1:41:07 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Generic.12432396 | 133
Avira AntiVirus | TR/Crypt.Xpack.120032 | 7.11.198.210
avast! | Win32:Malware-gen | 2014.9-160923
AVG | Win32/VBCrypt | 2017.0.2611
Baidu Antivirus | Backdoor.Win32.DarkKomet | 4.0.3.16923
Bitdefender | Trojan.Generic.12432396 | 1.0.20.1335
Bkav FE | HW32.Packed | 1.3.0.6267
Emsisoft Anti-Malware | Trojan.Generic.12432396 | 8.16.09.23.05
ESET NOD32 | Win32/Injector.BOLD (variant) | 10.10948
Fortinet FortiGate | W32/Injector.BJGR!tr | 9/23/2016
F-Secure | Trojan.Generic.12432396 | 11.2016-23-09_6
G Data | Trojan.Generic.12432396 | 16.9.24
IKARUS anti.virus | Trojan.Win32.Injector | t3scan.1.8.5.0
Kaspersky | Backdoor.Win32.DarkKomet | 14.0.0.-449
Malwarebytes | Trojan.Passwords.OB | v2016.09.23.05
McAfee | Generic-FAUW!3CC69306323E | 5600.6267
Microsoft Security Essentials | Worm:Win32/Rebhip.A | 1.11302
MicroWorld eScan | Trojan.Generic.12432396 | 17.0.0.801
nProtect | Trojan.Generic.12432396 | 14.12.31.01
Panda Antivirus | Trj/Genetic.gen | 16.09.23.05
Qihoo 360 Security | Win32/Trojan.03f | 1.0.0.1015
Quick Heal | TrojanPWS.Zbot.S3 | 9.16.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.17E0D9AE!400611758 | 23.00.65.16921
Sophos | Mal/VB-ANI | 4.98
Total Defense | Win32/Rebhip.ECaZBSC | 37.0.11360
Trend Micro House Call | TROJ_GEN.R028C0DLR14 | 7.2.267
Trend Micro | TROJ_GEN.R028C0DLR14 | 10.465.23
VIPRE Antivirus | Trojan.Win32.Generic | 36242

File size:
393.3 KB (402,769 bytes)

Product version:
1.08.0006

Original file name:
Nonpheno.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Taiwan)

Common path:
C:\Documents and Settings\{user}\AppData\firewallcg.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/4/2010 2:00:00 AM

Valid to:
6/5/2011 1:59:59 AM

Subject:
CN=Malwarebytes Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Malwarebytes Corporation, L=San Jose, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
22A3557A2217CB2D89BAE979B554EF4D

File PE Metadata
Compilation timestamp:
10/30/2014 2:09:56 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:Swp+MK1y7g0k/jN0n7Yg9vYxcE/mqi8/4UcZZb52bQjhCH4aEHqzr85L:42ENCYgh5EeqiIzcj9VjhCAIiL

Entry address:
0x1454

Entry point:
68, 24, 17, 40, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, B7, 3B, A9, 3D, D9, 0B, A5, 4D, 92, 7A, 33, 14, 33, BC, 5A, 49, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 43, 58, 22, 0D, 0A, 42, 62, 61, 6B, 65, 72, 73, 68, 65, 65, 74, 73, 00, 20, 63, 61, 72, 00, 00, 00, 00, FF, CC, 31, 00, 0B, 6A, D8, 43, 95, B3, 91, 79, 43, 9D, 8B, 61, 33, 10, F2, 39, 36, 62, AB, F1, 8B, B9, B8, BD, 4D, BA, 3D, 48, C5, 66, BD, A9, CF, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
372 KB (380,928 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
PC

Command:
C:\Documents and Settings\{user}\AppData\firewallcg.exe


Remove firewallcg.exe - Powered by Reason Core Security