moyrap.exe

Maskiseft Visaal Studio 2010

Maskiseft Corporatien

The executable moyrap.exe (“Maskiseft Visaal Studie 2010”) has been detected as malware by 36 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address float.1389.bm-impbus.prod.nym2.adnexus.net on port 80 using the HTTP protocol.
Publisher:
Maskiseft Corporatien

Product:
Maskiseft® Visaal Studio® 2010

Description:
Maskiseft Visaal Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
66eae46da974b65f2005175d17f39c93

SHA-1:
42e5dc349b6d9c05f888a73fa1f4561d8ea9d50a

SHA-256:
a51a44647e000ff0ae8a5870007b62c8e7b4496fd197d6c9353a48c7df3a4684

Scanner detections:
36 / 68

Status:
Malware

Analysis date:
12/26/2024 8:11:29 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.430697 | 904
Agnitum Outpost | TrojanSpy.Zbot | 7.1.1
AhnLab V3 Security | Trojan/Win32.Necurs | 2014.08.30
Avira AntiVirus | TR/Crypt.XPACK.Gen | 7.11.30.172
avast! | Win32:Dropper-gen [Drp] | 2014.9-140814
AVG | Trojan horse Crypt3 | 2015.0.3382
Bitdefender | Gen:Variant.Kazy.430697 | 1.0.20.1130
Bkav FE | HW32.CDB | 1.3.0.4959
Comodo Security | TrojWare.Win32.Injector.BJMY | 19353
Emsisoft Anti-Malware | Gen:Variant.Kazy.430697 | 8.14.08.14.02
ESET NOD32 | Win32/Kryptik.CIPT (variant) | 8.10238
Fortinet FortiGate | W32/Kryptik.CHDI!tr | 8/14/2014
F-Prot | W32/A-40b3da6c | v6.4.7.1.166
F-Secure | Gen:Variant.Kazy.430697 | 11.2014-14-08_5
G Data | Gen:Variant.Kazy.430697 | 14.8.24
IKARUS anti.virus | Trojan.Win32.Kryptik | t3scan.1.7.5.0
K7 AntiVirus | Trojan | 13.183.13198
Kaspersky | Trojan-Spy.Win32.Zbot | 14.0.0.3407
Malwarebytes | Trojan.Zbot.gen | v2014.08.14.04
McAfee | Trojan.Artemis!B87E1D69A3D0 | 5600.7038
Microsoft Security Essentials | Threat.Undefined | 1.183.900.0
MicroWorld eScan | Gen:Variant.Kazy.430697 | 15.0.0.678
NANO AntiVirus | Trojan.Win32.XPACK.ddtjvr | 0.28.2.61861
Norman | ZBot.UYZK | 11.20140902
Panda Antivirus | Trj/Genetic.gen | 14.08.14.04
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Reason Heuristics | Threat.Win.Reputation.IMP | 14.9.2.17
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.14812
Sophos | Troj/Agent-AIIL | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-FalComp | 10384
Total Defense | Win32/Zbot.dGVFFBC | 37.0.11150
Trend Micro House Call | TROJ_NECURS.SMJ7 | 7.2.245
Trend Micro | TROJ_NECURS.SMJ7 | 10.465.02
Vba32 AntiVirus | TrojanSpy.Zbot | 3.12.26.3
VIPRE Antivirus | Threat.4789469 | 31208
Zillya! Antivirus | Trojan.Zbot.Win32.163589 | 2.0.0.1906

File size:
298.7 KB (305,828 bytes)

Product version:
1.9.43074.5121

Copyright:
© Maskiseft Corporatien. All rights reserved.

Original file name:
divonv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\etygryh\moyrap.exe

File PE Metadata
Compilation timestamp:
11/20/2011 3:28:08 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:VcMoS+Cta65gMj0tex2fWyYW0+/zFhXu/UORgaspaA9Pm:WMoFCtp6XYgO9v+PXlQgaspXtm

Entry address:
0xC97C

Entry point:
55, 8B, EC, 81, EC, F0, 00, 00, 00, 8B, 0D, B0, CA, 42, 00, 83, E9, 99, EB, 03, 89, 55, B0, 53, B9, 73, 00, 00, 00, 89, 8D, 14, FF, FF, FF, 56, BE, BA, 7F, 00, 00, 89, B5, 14, FF, FF, FF, 57, 83, C1, 73, 8B, 15, 68, CA, 42, 00, EB, 16, 6A, B1, 6A, D3, 68, 00, 1E, DC, 5D, 68, 00, 5F, 3F, 1D, E8, 4E, 18, 00, 00, 83, C4, 10, 05, 00, 01, 0C, 0F, 8B, D0, 89, 95, 14, FF, FF, FF, 6A, 00, 6A, 00, 6A, 44, 68, 68, CA, 42, 00, FF, 15, A0, 4D, 42, 00, 83, C0, D0, 89, 85, 14, FF, FF, FF, 8D, 85, 64, FF, FF, FF, 50, FF...

Entropy:
7.8422

Developed / compiled with:
Microsoft Visual C++

Code size:
138 KB (141,312 bytes)

Scheduled Task
Task name:
Security Center Update - 3993556175

Trigger:
Daily (Runs daily at 12:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

