kyoxrio.exe

The executable kyoxrio.exe has been detected as malware by 31 anti-virus scanners. It persists as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address 114.37.198-178.dc74.net on port 80 using the HTTP protocol.
MD5:
7d4c8ff557c12ecc1285aaeafd5bb661

SHA-1:
4b48d82280551eacc35e59febe8cf6ba836e0b79

SHA-256:
cf758530b6b6671f0e846786448ae62c86ca602bfa6aa98187a6b70fafd140ea

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
11/16/2024 1:00:58 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.486541 | 828
Agnitum Outpost | Trojan.Kryptik | 7.1.1
AhnLab V3 Security | Trojan/Win32.ZBot | 2014.10.31
Avira AntiVirus | TR/Crypt.ZPACK.Gen | 7.11.30.172
avast! | Win32:Dropper-gen [Drp] | 141025-0
AVG | Win32/Cryptor | 2014.0.4040
Bitdefender | Gen:Variant.Kazy.486541 | 1.0.20.1515
Bkav FE | HW32.Packed | 1.3.0.6185
Clam AntiVirus | Win.Trojan.Agent-808490 | 0.98/21411
Comodo Security | TrojWare.Win32.Kryptik.COAW | 19942
Dr.Web | Trojan.Siggen6.22973 | 9.0.1.0322
Emsisoft Anti-Malware | Gen:Variant.Kazy.486541 | 8.14.10.30.10
ESET NOD32 | Win32/Kryptik.COUB (variant) | 8.10644
Fortinet FortiGate | W32/Kryptik.CJJL!tr | 10/30/2014
F-Prot | W32/A-2a902b6a | v6.4.7.1.166
F-Secure | Trojan.Agent.BGHR | 11.2014-18-11_3
G Data | Trojan.Agent.BGHR | 14.11.24
K7 AntiVirus | Trojan | 13.185.13943
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.3023
Malwarebytes | Trojan.FakeMS | v2014.10.30.10
McAfee | PWSZbot-FADO!7D4C8FF557C1 | 5600.6962
Microsoft Security Essentials | Threat.Undefined | 1.187.1631.0
NANO AntiVirus | Trojan.Win32.Siggen6.dhzdga | 0.28.6.62995
Norman | Kryptik.CEOE | 11.20141118
nProtect | Trojan.Agent.BGHR | 14.11.06.01
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Reason Heuristics | Threat.Win.Reputation.IMP | 14.11.18.2
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.141028
SUPERAntiSpyware | Trojan.Agent/Gen-Kryptik | 10231
Total Defense | Win32/Zbot.PdaJYNC | 37.0.11269
VIPRE Antivirus | Trojan.Win32.Generic | 34626

File size:
284.6 KB (291,431 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\enseod\kyoxrio.exe

File PE Metadata
Compilation timestamp:
1/15/2012 11:44:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:RsvK8nvqAMlIuEt/JAHrWMtNIGKUTbI+BRGzBlwbvbua6oCtwtqcZ5aL:RsvXny59EtKLWGNmOTymtqWAL

Entry address:
0xD6B4

Entry point:
55, 8B, EC, 81, EC, 20, 01, 00, 00, B9, 6D, 00, 00, 00, 68, 00, 64, 52, CD, 51, 6A, C8, E8, 8D, 19, 00, 00, 83, C4, 0C, 53, B8, 8C, 00, 00, 00, EB, 2A, 83, FF, C6, 74, 25, 33, DE, 81, FB, 98, 6E, 00, 00, 74, 1B, 83, F3, 22, E8, 6B, 19, 00, 00, 8B, 35, C4, 4A, 43, 00, 83, FB, 83, 74, 08, 33, DE, 89, 9D, E8, FE, FF, FF, 56, 0B, C3, 83, F8, A5, 75, 2D, 83, F0, 4D, BA, 49, 00, 00, 00, EB, 23, 83, F6, 82, F7, C6, AF, 00, 00, 00, 74, 18, 81, C6, 00, 22, 00, EF, 8B, 05, 2C, 4A, 43, 00, 89, B5, 7C, FF, FF, FF, 89...

Entropy:
7.8681

Developed / compiled with:
Microsoft Visual C++

Code size:
100 KB (102,400 bytes)

Scheduled Task
Task name:
Security Center Update - 3664625686

Trigger:
Daily (Runs daily at 10:00 AM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-50-160.jfk5.r.cloudfront.net  (54.230.50.160:80)

TCP (HTTP):
Connects to m-nb.xplusone.com  (199.38.164.155:80)

TCP (HTTP):
Connects to iad23s05-in-f27.1e100.net  (74.125.228.27:80)

TCP (HTTP):
Connects to iad23s05-in-f13.1e100.net  (74.125.228.13:80)

TCP (HTTP):
Connects to ec2-54-88-159-203.compute-1.amazonaws.com  (54.88.159.203:80)

TCP (HTTP):
Connects to ec2-54-85-58-177.compute-1.amazonaws.com  (54.85.58.177:80)

TCP (HTTP):
Connects to ec2-54-165-6-167.compute-1.amazonaws.com  (54.165.6.167:80)

TCP (HTTP):
Connects to castaclip.static.ds1.syseleven.net  (109.68.230.135:80)

TCP (HTTP):
Connects to a96-17-161-121.deploy.akamaitechnologies.com  (96.17.161.121:80)

TCP (HTTP):
Connects to a96-17-161-107.deploy.akamaitechnologies.com  (96.17.161.107:80)

TCP (HTTP):
Connects to a23-64-100-174.deploy.static.akamaitechnologies.com  (23.64.100.174:80)

TCP (HTTP):
Connects to a23-62-236-185.deploy.static.akamaitechnologies.com  (23.62.236.185:80)

TCP (HTTP):
Connects to a23-62-236-177.deploy.static.akamaitechnologies.com  (23.62.236.177:80)

TCP (HTTP):
Connects to a23-62-236-112.deploy.static.akamaitechnologies.com  (23.62.236.112:80)

TCP (HTTP):
Connects to a23-218-227-56.deploy.static.akamaitechnologies.com  (23.218.227.56:80)
