installer.exe

The executable installer.exe has been detected as malware by 37 anti-virus scanners. It is a self-extracting archive and installer, but the file is not signed with an Authenticode signature from a trusted source. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. The file has been seen being downloaded from tradestore.ws.
MD5:
7a12a207ee1cfa9a6c284ca119076320

SHA-1:
7faa31232a72b04523b06469b0c5930dc745c6ba

SHA-256:
2f7081941bab1655f9ea6ca8f3b959274d7f5a6dd0297218031df9a227deea84

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
11/16/2024 7:21:21 AM UTC

Scan engine: Detection (Engine version)

Lavasoft Ad-Aware: Trojan.Encpk.Gen.4 (344)
Agnitum Outpost: Backdoor.Androm (7.1.1)
AhnLab V3 Security: Trojan/Win32.Zbot (2015.09.14)
Avira AntiVirus: TR/Spy.ZBot.rhr (8.3.2.2)
Arcabit: Trojan.Encpk.Gen.4 (1.0.0.526)
avast!: Win32:Zbot-SKQ [Trj] (2014.9-160225)
AVG: BackDoor.Generic18 (2017.0.2822)
Baidu Antivirus: Trojan.Win32.Injector (4.0.3.16225)
Bitdefender: Trojan.Encpk.Gen.4 (1.0.20.280)
Comodo Security: TrojWare.Win32.Injector.AVXY (23229)
Dr.Web: BackDoor.Andromeda.22 (9.0.1.056)
Emsisoft Anti-Malware: Trojan.Encpk.Gen (8.16.02.25.07)
ESET NOD32: Win32/Injector.AVYY (variant) (10.12247)
Fortinet FortiGate: W32/Tepfer.AAX!tr.pws (2/25/2016)
F-Secure: Trojan.Encpk.Gen.4 (11.2016-25-02_5)
G Data: Trojan.Encpk.Gen (16.2.25)
IKARUS anti.virus: Trojan-PWS.Win32.Fareit (t3scan.1.9.5.0)
K7 AntiVirus: Trojan (13.210.17197)
Kaspersky: Backdoor.Win32.Androm (14.0.0.606)
Malwarebytes: Trojan.Crypt.NKN (v2016.02.25.07)
McAfee: PWS-Zbot-FAQD!7A12A207EE1C (5600.6478)
Microsoft Security Essentials: Worm:Win32/Gamarue (1.1.12002.0)
MicroWorld eScan: Trojan.Encpk.Gen.4 (17.0.0.168)
NANO AntiVirus: Trojan.Win32.Zbot.cssfrh (0.30.24.3283)
nProtect: Trojan.Encpk.Gen.4 (15.09.11.02)
Panda Antivirus: Trj/Genetic.gen (16.02.25.07)
Qihoo 360 Security: HEUR/Malware.QVM05.Gen (1.0.0.1015)
Quick Heal: Worm.Gamarue.I5 (2.16.14.00)
Rising Antivirus: PE:Trojan.Injector!1.9DEE[F1] (23.00.65.16223)
Sophos: Mal/Generic-S (4.98)
SUPERAntiSpyware: Trojan.Agent/Gen-FalComp (9301)
Total Defense: Win32/Inject.C!generic (37.1.62.1)
Trend Micro House Call: TSPY_ZBOT.SM51 (7.2.56)
Trend Micro: TSPY_ZBOT.SM51 (10.465.25)
Vba32 AntiVirus: Backdoor.Androm (3.12.26.4)
VIPRE Antivirus: Trojan.Win32.Tepfer.aax (43730)
Zillya! Antivirus: Backdoor.Androm.Win32.5899 (2.0.0.2397)

File size:
57.7 KB (59,035 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\installer.exe

File PE Metadata
Compilation timestamp:
8/28/1973 5:18:44 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.54

CTPH (ssdeep):
1536:Y+NzqWMhNprLs758/qfCYb43jpfu1JoBcmaz1t:EOotu1Ocms

Entry address:
0x1000

Entry point:
68, 34, 0F, 00, 00, 68, 00, 00, 00, 00, 68, C0, 9A, 40, 00, E8, 5C, 30, 00, 00, 83, C4, 0C, 68, 00, 00, 00, 00, E8, 55, 30, 00, 00, A3, C4, 9A, 40, 00, 68, 00, 00, 00, 00, 68, 00, 10, 00, 00, 68, 00, 00, 00, 00, E8, 42, 30, 00, 00, A3, C0, 9A, 40, 00, E8, BC, 2F, 00, 00, E8, 27, 63, 00, 00, E8, D6, 61, 00, 00, E8, 6D, 4C, 00, 00, E8, F8, 46, 00, 00, E8, D8, 46, 00, 00, E8, 98, 46, 00, 00, E8, 0A, 46, 00, 00, E8, 58, 3D, 00, 00, E8, A0, 3B, 00, 00, E8, 13, 3A, 00, 00, E8, 68, 39, 00, 00, E8, 5C, 38, 00, 00...

Packer / compiler:
PKLITE32, 0x1.1

Code size:
385.5 KB (394,758 bytes)

The file installer.exe has been seen being distributed by the following URL.

Remove installer.exe - Powered by Reason Core Security