ihcaacc.exe

Mesrisift Visaal Studio 2010

Mesrisift Corporatien

The executable ihcaacc.exe, whose version resource presents it as “Mesrisift Visaal Studie 2010” (a misspelled imitation of Microsoft Visual Studio 2010, with the publisher likewise given as “Mesrisift Corporatien”), has been detected as malware by 28 of 68 anti-virus scanners. It persists as a Windows scheduled task that runs daily at a fixed time (10:00 PM in the task shown below), executing from a directory under the user's roaming AppData folder (C:\users\{user}\appdata\roaming\kasanogu\). According to the detections it is a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from the compromised computer and sends it to its operators through a command-and-control server. While running, it connects to 173.193.254.202-static.reverse.softlayer.com on TCP port 80 using HTTP.
Publisher:
Mesrisift Corporatien

Product:
Mesrisift® Visaal Studio® 2010

Description:
Mesrisift Visaal Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
33b6792b8ff2e74f72af87a53a1de700

SHA-1:
be97fd6d7eaecc5a3926bfcccd1f71c86cd59bcc

SHA-256:
b24ce46f8a136ff8783ac5ce9e1b89e66a944a4476a5dd4fddae33018f3a0642

Scanner detections:
28 / 68

Status:
Malware

Analysis date:
11/23/2024 9:42:12 AM UTC
Note that the scanner engine versions listed below carry dates from late August 2014, so the detection set reflects signatures of that period rather than the analysis date.

Scan engine                    Detection                         Engine version
Lavasoft Ad-Aware              Trojan.Generic.11622707           895
Agnitum Outpost                TrojanSpy.Zbot                    7.1.1
AhnLab V3 Security             Trojan/Win32.Zbot                 2014.08.24
Avira AntiVirus                TR/Crypt.ZPACK.Gen2               7.11.30.172
avast!                         Win32:Malware-gen                 140813-1
AVG                            Zbot                              2015.0.3373
Bitdefender                    Trojan.Generic.11622707           1.0.20.1175
Bkav FE                        HW32.CDB                          1.3.0.4959
Dr.Web                         Trojan.Packed                     9.0.1.0235
Emsisoft Anti-Malware          Trojan.Generic.11622707           8.14.08.23.09
ESET NOD32                     Win32/Spy.Zbot.ABA                8.10304
Fortinet FortiGate             W32/Kryptik.CJED!tr               8/23/2014
F-Secure                       Trojan.Generic.11622707           11.2014-23-08_7
G Data                         Trojan.Generic.11622707           14.8.24
K7 AntiVirus                   Riskware                          13.183.13160
Kaspersky                      Trojan-Spy.Win32.Zbot             15.0.0.494
Malwarebytes                   Trojan.Zbot.gen                   v2014.08.23.09
McAfee                         PWSZbot-FABW!33B6792B8FF2         5600.7029
Microsoft Security Essentials  PWS:Win32/Zbot                    1.10904
MicroWorld eScan               Trojan.Generic.11622707           15.0.0.705
NANO AntiVirus                 Trojan.Win32.Zbot.decnmn          0.28.2.61721
nProtect                       Trojan.Generic.11622707           14.08.25.01
Panda Antivirus                Trj/Genetic.gen                   14.08.23.09
Qihoo 360 Security             Malware.QVM20.Gen                 1.0.0.1015
Reason Heuristics              Threat.Win.Reputation.IMP         14.9.2.18
Rising Antivirus               PE:Malware.XPACK-LNR/Heur!1.5594  23.00.65.14821
SUPERAntiSpyware               Trojan.Agent/Gen-Falcomp[i]       10383
VIPRE Antivirus                Threat.4789469                    32210

File size:
299 KB (306,201 bytes)

Product version:
1.9.43074.5121

Copyright:
© Mesrisift Corporatien. All rights reserved.

Original file name:
divanv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\kasanogu\ihcaacc.exe

File PE Metadata
Compilation timestamp:
4/27/2011 11:35:44 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:frpraQi2XLoc6Lry04hUzCmbgPWhpFqDDVrTIfHybEi+fHF6us:DprY3c6fyfUzCPPW1qDxgyI3HF3s

Entry address:
0xCA20

Entry point:
55, 8B, EC, 81, EC, 80, 01, 00, 00, EB, 2F, 33, DA, 8B, C7, 68, 00, 30, CD, 12, E8, A1, 20, 00, 00, 83, C4, 04, E8, 18, 1F, 00, 00, 89, 45, D4, EB, 14, 6A, B3, 51, 6A, EE, 6A, E4, 68, 00, 69, 97, B2, E8, DC, 16, 00, 00, 83, C4, 14, 53, 89, 85, C4, FE, FF, FF, 56, 03, C0, 8B, 95, C4, FE, FF, FF, 83, FA, 02, 74, 21, 33, C2, 8B, B5, C4, FE, FF, FF, 3B, 85, 90, FE, FF, FF, 75, 11, 89, 85, C4, FE, FF, FF, 8B, CE, 3B, CE, 74, 05, E8, B1, 15, 00, 00, 57, 89, B5, C4, FE, FF, FF, 83, F6, 2A, 8B, 15, 0C, CA, 42, 00...
 

Entropy:
7.8596

Developed / compiled with:
Microsoft Visual C++

Code size:
139.5 KB (142,848 bytes)
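The entropy of 7.8596 reported above is close to the 8.0 ceiling, which is what a packed or encrypted body looks like (Dr.Web's "Trojan.Packed" and Avira's "Crypt.ZPACK" names say the same thing), and the vendor strings are one-letter-off imitations of Microsoft's. The following script is an added example written for this page, not code from the page or from Reason Core Security: it computes Shannon entropy and SHA-256 for a file's bytes and flags a CompanyName that is close to, but not exactly, a well-known vendor. The vendor list, the 7.0 entropy threshold and the edit-distance limit are assumptions to tune for your estate; the byte sample is constructed so that the example runs offline (feed it the real file's bytes to compare against the hashes above).

```python
import hashlib
import math
from collections import Counter

# Version-resource strings reported for this sample on the page above.
SAMPLE_VERSION_INFO = {
    "CompanyName": "Mesrisift Corporatien",
    "ProductName": "Mesrisift\u00ae Visaal Studio\u00ae 2010",
    "OriginalFilename": "divanv.exe",
}

# Assumption: a short list of vendors worth protecting against look-alikes; extend as needed.
KNOWN_VENDORS = ["Microsoft Corporation", "Adobe Systems Incorporated", "Google LLC"]

# Assumption: a common rule-of-thumb threshold for packed/encrypted sections, not a page figure.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, comparable with the page's value when you hold the real file."""
    return hashlib.sha256(data).hexdigest()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(company: str, vendors=KNOWN_VENDORS, max_distance: int = 6):
    """Return (vendor, distance) when `company` is near, but not equal to, a known vendor name."""
    cleaned = company.replace("\u00ae", "").strip().lower()
    best = min(vendors, key=lambda v: levenshtein(cleaned, v.lower()))
    distance = levenshtein(cleaned, best.lower())
    if distance == 0 or distance > max_distance:
        return None
    return best, distance


def triage(data: bytes, version_info: dict) -> dict:
    """Combine the checks into one result for a file's bytes and its version strings."""
    findings = []
    entropy = shannon_entropy(data)
    if entropy >= PACKED_ENTROPY_THRESHOLD:
        findings.append(f"entropy {entropy:.4f} >= {PACKED_ENTROPY_THRESHOLD}: likely packed or encrypted payload")
    hit = lookalike_vendor(version_info.get("CompanyName", ""))
    if hit:
        findings.append(f"CompanyName imitates '{hit[0]}' (edit distance {hit[1]}) without matching it")
    return {"sha256": sha256_hex(data), "entropy": entropy, "findings": findings}


if __name__ == "__main__":
    # Constructed stand-in for the file body: every byte value equally often hits the 8.0 ceiling.
    packed_like = bytes(range(256)) * 64
    for line in triage(packed_like, SAMPLE_VERSION_INFO)["findings"]:
        print(line)
```

The look-alike check deliberately ignores an exact vendor match: a legitimately signed Microsoft binary returns no finding, while a string five edits away from "Microsoft Corporation", as here, does. Entropy alone is not proof of malice (installers and compressed resources also score high), so treat it as one signal to combine with the others.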

Scheduled Task
Task name:
Security Center Update - 2735594540

Trigger:
Daily (Runs daily at 10:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin
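The task above combines three tells: a name built from a legitimate-sounding prefix plus a random number, a description copied from a genuine Windows task, and a command that runs from a user-writable AppData path rather than the Windows directory. The script below is an added example for this page (not page content, not Reason Core Security's tooling, not Microsoft's) that parses a Task Scheduler XML definition and reports those tells. Both XML documents are constructed to mirror the task described above and a benign counterpart; the user name "alice", the benign task's name and the exact trigger date are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition mirroring the task described above (name, daily 10:00 PM trigger,
# Security Center description, AppData command). Not exported from a real host. Real task files
# under C:\Windows\System32\Tasks are UTF-16 and should be handed to ET.fromstring() as bytes,
# which is why the XML declaration is omitted from these string samples.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date</Description>
    <URI>\\Security Center Update - 2735594540</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2014-08-23T22:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\kasanogu\\ihcaacc.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: a daily task that runs a binary from the Windows directory.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Example maintenance task</Description>
    <URI>\\Microsoft\\Windows\\Example\\Maintenance</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2014-08-23T01:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c</Arguments></Exec>
  </Actions>
</Task>"""

NAME_PATTERN = re.compile(r"^Security Center Update - \d+$")
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|%APPDATA%|%LOCALAPPDATA%|\\Temp\\", re.I)
WINDOWS_DIRS = ("%windir%", "%systemroot%", "c:\\windows\\")


def parse_task(xml_text: str) -> dict:
    """Pull the fields that matter for triage out of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    return {
        "name": uri.rsplit("\\", 1)[-1],
        "description": root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS),
        "commands": [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)],
        "daily": root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None,
        "start": root.findtext("t:Triggers/t:CalendarTrigger/t:StartBoundary", default="", namespaces=NS),
    }


def assess_task(task: dict) -> list:
    """Return the reasons a task resembles this sample's persistence; an empty list means none matched."""
    reasons = []
    if NAME_PATTERN.match(task["name"]):
        reasons.append("task name matches 'Security Center Update - <digits>'")
    for cmd in task["commands"]:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"command runs from a user-writable profile directory: {cmd}")
        if "security center" in task["description"].lower() and not cmd.lower().startswith(WINDOWS_DIRS):
            reasons.append("Security Center wording on a task whose binary is outside the Windows directory")
    return reasons


def assess_xml(xml_text: str) -> list:
    """Convenience wrapper: parse and assess in one call."""
    return assess_task(parse_task(xml_text))


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, assess_xml(xml) or ["no findings"])
```

On a live host the XML comes from `schtasks /query /tn "<task name>" /xml` or straight from the file under C:\Windows\System32\Tasks\, and the same parse-and-assess pass can be run over every file in that tree. The name pattern is specific to this sample; the user-writable-path and borrowed-description checks generalise to other malware that abuses the Task Scheduler for persistence.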


The executing file has been seen to make the following network communications in live environments. Most of the hosts listed are shared infrastructure (Amazon CloudFront and EC2 nodes, Google's 1e100.net servers, a Facebook edge node, an ad network and CDN nodes), so these addresses identify neither the sample nor its command-and-control and should not be turned into block rules on their own; the only address attributed to command-and-control is the softlayer host named in the summary above.

TCP (HTTP):
Connects to server-54-230-38-99.jfk1.r.cloudfront.net  (54.230.38.99:80)

TCP (HTTP):
Connects to server-54-230-36-42.jfk1.r.cloudfront.net  (54.230.36.42:80)

TCP (HTTP):
Connects to reserved-98.euroclick.com  (193.149.47.98:80)

TCP (HTTP):
Connects to ord08s07-in-f27.1e100.net  (74.125.225.91:80)

TCP (HTTP):
Connects to ord08s07-in-f26.1e100.net  (74.125.225.90:80)

TCP (HTTP):
Connects to ord08s07-in-f25.1e100.net  (74.125.225.89:80)

TCP (HTTP):
Connects to ord08s07-in-f13.1e100.net  (74.125.225.77:80)

TCP (HTTP):
Connects to network.realmedia.com  (208.71.122.192:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

TCP (HTTP):
Connects to ig-in-f82.1e100.net  (74.125.193.82:80)

TCP (HTTP):
Connects to iad23s26-in-f13.1e100.net  (173.194.121.45:80)

TCP (HTTP):
Connects to iad23s24-in-f8.1e100.net  (74.125.228.232:80)

TCP (HTTP):
Connects to edge-star-shv-03-lga1.facebook.com  (31.13.71.33:80)

TCP (HTTP):
Connects to ec2-54-243-253-201.compute-1.amazonaws.com  (54.243.253.201:80)

TCP (HTTP):
Connects to ec2-54-235-101-147.compute-1.amazonaws.com  (54.235.101.147:80)

TCP (HTTP):
Connects to ec2-54-225-189-91.compute-1.amazonaws.com  (54.225.189.91:80)

TCP (HTTP):
Connects to ec2-54-210-22-106.compute-1.amazonaws.com  (54.210.22.106:80)

TCP (HTTP):
Connects to ec2-54-208-233-181.compute-1.amazonaws.com  (54.208.233.181:80)

TCP (HTTP):
Connects to ec2-54-208-138-245.compute-1.amazonaws.com  (54.208.138.245:80)

TCP (HTTP):
Connects to ec2-54-197-48-245.compute-1.amazonaws.com  (54.197.48.245:80)

Remove ihcaacc.exe - Powered by Reason Core Security