msiexec.exe

Küstenebene5

Daniel Atallah

The executable msiexec.exe, described in its version resource as "Besserwisserischem6", has been detected as malware by 8 of 68 anti-virus scanners. According to the detections it is a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from a compromised computer and sends it to its operators via a command-and-control server. Two points matter for triage. First, msiexec.exe is the name of the legitimate Windows Installer executable, which lives under the System32 directory; this file instead runs from a ProgramData path (see Common path below) and is compiled with Visual Basic, which the real Windows Installer is not. Second, the file carries a code-signing certificate that the scanner reports as verified, but that certificate's validity ended on 9/20/2014, two months before the file's compilation timestamp of 11/24/2014, so the signature should not be taken as evidence that the file is legitimate. Note also that the engine versions in the detection table date from 2014 to 2016, so the 8/68 count reflects scanner state from that period rather than the analysis date shown.
Publisher:
Daniel Atallah  (signed and verified)

Product:
Küstenebene5

Description:
Besserwisserischem6

Version:
3.04

MD5:
9915204b4a2d66efb1148534c3544b91

SHA-1:
950c83897df2e967640bb2ef2eee751b852b7c5b

SHA-256:
31a4da025cb9e5bb9499ccbedd49b762943a81b1150926d1bad491b327faf7f5

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
12/25/2024 5:54:25 AM UTC

Scan engine            Detection                              Engine version
AhnLab V3 Security     Trojan/Win32.Foreign                   2014.11.26
Avira AntiVirus        TR/Dropper.VB.24121                    7.11.188.194
Baidu Antivirus        Trojan.Win32.Injector                  4.0.3.16222
ESET NOD32             Win32/Injector.BQAW (variant)          10.10778
Kaspersky              UDS:DangerousObject.Multi.Generic      14.0.0.622
Malwarebytes           Spyware.Zbot.ED                        v2016.02.22.12
Qihoo 360 Security     Win32/Trojan.Multi.daf                 1.0.0.1015
Rising Antivirus       PE:Malware.XPACK-HIE/Heur!1.9C48       23.00.65.16220

File size:
173.8 KB (177,976 bytes)

Product version:
3.04

Copyright:
lokalisiertes

Trademarks:
Flughafencode

Original file name:
Reaktivem8 bespottet.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\windows genuine advantage\{a1475e54-bcd5-4803-9b40-c2308dc5677a}\msiexec.exe

Digital Signature
Signed by:
Daniel Atallah
Authority:
StartCom Ltd.

Valid from:
9/19/2012 5:48:58 AM

Valid to:
9/20/2014 7:56:51 PM

Subject:
E=datallah@pidgin.im, CN=Daniel Atallah, L=Holland, S=Michigan, C=US, Description=FWg32Q3ZaA4V01lM

Issuer:
CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Serial number:
075E

File PE Metadata
Compilation timestamp:
11/24/2014 9:57:39 AM
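The checks described above (hash match against the listed indicators, msiexec.exe running from a non-System32 path, and a PE compile timestamp that postdates the signing certificate's validity window) can be scripted. The following is an added example, not Reason Core Security's code: the hashes, path, certificate dates and compile timestamp are copied from this page, the "legitimate msiexec.exe directories" are an assumption about a default Windows install, and the PE image fed to the demo is a constructed MZ/PE stub carrying only a timestamp, not the real sample.

```python
"""Triage helpers for the sample on this page (added example, not the vendor's code)."""
import hashlib
import struct
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Indicators copied from this page.
IOC_HASHES = {
    "md5": "9915204b4a2d66efb1148534c3544b91",
    "sha1": "950c83897df2e967640bb2ef2eee751b852b7c5b",
    "sha256": "31a4da025cb9e5bb9499ccbedd49b762943a81b1150926d1bad491b327faf7f5",
}
IOC_PATH = r"C:\ProgramData\windows genuine advantage\{a1475e54-bcd5-4803-9b40-c2308dc5677a}\msiexec.exe"
CERT_NOT_BEFORE = datetime(2012, 9, 19, 5, 48, 58, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2014, 9, 20, 19, 56, 51, tzinfo=timezone.utc)
PAGE_COMPILE_TIME = datetime(2014, 11, 24, 9, 57, 39, tzinfo=timezone.utc)

# Assumption: default %SystemRoot%. The Windows Installer binary lives only here.
LEGIT_MSIEXEC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def hash_bytes(data):
    """MD5/SHA-1/SHA-256 of a file image, keyed like IOC_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_ioc(data):
    """True if any digest equals one of the page's listed hashes."""
    digests = hash_bytes(data)
    return any(digests[k] == v for k, v in IOC_HASHES.items())


def suspicious_path(path):
    """msiexec.exe anywhere except the System32/SysWOW64 directories is anomalous."""
    p = PureWindowsPath(path)
    return p.name.lower() == "msiexec.exe" and str(p.parent).lower() not in LEGIT_MSIEXEC_DIRS


def pe_timestamp(data):
    """Read IMAGE_FILE_HEADER.TimeDateStamp: e_lfanew at 0x3C, then 'PE\\0\\0',
    Machine(2), NumberOfSections(2), TimeDateStamp(4) => offset e_lfanew + 8."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(data, path):
    """Combine the three checks into one finding dict."""
    ts = pe_timestamp(data)
    return {
        "hash_match": matches_ioc(data),
        "path_suspicious": suspicious_path(path),
        "compile_time": ts.isoformat(),
        # A compile time after the certificate's notAfter means the signer's
        # certificate had already expired when this build was produced.
        "compiled_after_cert_expiry": ts > CERT_NOT_AFTER,
    }


def build_fake_pe(timestamp):
    """Constructed minimal MZ/PE stub (NOT the real sample) with a chosen timestamp."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, int(timestamp.timestamp()), 0, 0, 0xE0, 0x010F)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_fake_pe(PAGE_COMPILE_TIME)
    print(triage(sample, IOC_PATH))
```

The hash check only fires on the exact bytes listed here; the path and timestamp checks are the ones that generalise to other samples masquerading as Windows binaries.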

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:JBgxUtXFq9068qsiW0kyrosexikveLwn+b6olyM7IReQtadnhTH6TwWOZTWgjMrF:JU0viW0kOzqAlIRTtkhTacWObjAYE

Entry address:
0x109C

Entry point:
68, 68, CB, 41, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 48, 00, 00, 00, 00, 00, 00, 00, BD, 65, 2D, 73, D8, EE, 71, 44, 95, C9, 1A, 0E, 09, 63, 1E, B1, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 42, 00, 02, 50, 83, 01, 4C, 61, 6E, 64, 73, 63, 68, 61, 66, 74, 73, 68, 6F, 72, 69, 7A, 6F, 6E, 74, 65, 31, 00, F6, 02, 00, 00, 00, 00, FF, CC, 31, 00, 09, 28, A1, 77, 1B, BC, 81, 86, 48, A6, 33, 9B, 45, 2C, 2D, D2, C7, 7B, 89, 44, 64, CE, 43, 49, 49, AB, 62, 98, AD, B7, 00, 86, CF, 3A, 4F, AD...

Developed / compiled with:
Microsoft Visual Basic v5.0/v6.0
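The entry-point bytes listed above are what a compiler-identification tool keys on: a VB5/VB6 executable begins with `push <address of VB project header>` (opcode 68, 32-bit immediate) followed by `call <thunk to ThunRTMain in the VB runtime>` (opcode E8, 32-bit relative offset). The following is an added example, not the vendor's tooling. It decodes the bytes copied from this page, recovers the pushed address and the call target RVA, and pulls out the printable string embedded right after the stub; the assumption that the call target is the ThunRTMain import thunk, and that the embedded string is the VB project name, is an inference from the standard VB6 layout, not something the page states.

```python
"""Decode the entry-point bytes shown on this page (added example, not the vendor's code)."""
import re
import struct

# Copied from this page. The page truncates the dump with "...", so only the
# leading bytes are available.
ENTRY_RVA = 0x109C
ENTRY_HEX = """
68, 68, CB, 41, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00,
48, 00, 00, 00, 00, 00, 00, 00, BD, 65, 2D, 73, D8, EE, 71, 44, 95, C9, 1A, 0E,
09, 63, 1E, B1, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 42, 00, 02, 50, 83, 01,
4C, 61, 6E, 64, 73, 63, 68, 61, 66, 74, 73, 68, 6F, 72, 69, 7A, 6F, 6E, 74, 65,
31, 00, F6, 02, 00, 00, 00, 00, FF, CC, 31, 00, 09, 28, A1, 77, 1B, BC, 81, 86,
48, A6, 33, 9B, 45, 2C, 2D, D2, C7, 7B, 89, 44, 64, CE, 43, 49, 49, AB, 62, 98,
AD, B7, 00, 86, CF, 3A, 4F, AD
"""


def parse_hex_dump(text):
    """Turn the page's comma-separated hex listing into bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))


ENTRY_BYTES = parse_hex_dump(ENTRY_HEX)


def decode_vb_entry(code, entry_rva):
    """Match the VB5/VB6 runtime stub:
         68 imm32   push <VB header address>
         E8 rel32   call <thunk>            (rel32 is relative to the next instruction)
    Return the pushed address and the call target RVA, or None if the bytes
    do not have that shape."""
    if len(code) < 10 or code[0] != 0x68 or code[5] != 0xE8:
        return None
    pushed = struct.unpack_from("<I", code, 1)[0]
    rel = struct.unpack_from("<i", code, 6)[0]
    target = (entry_rva + 10 + rel) & 0xFFFFFFFF
    return {"vb_header_va": pushed, "call_target_rva": target}


def printable_strings(data, min_len=6):
    """Runs of printable ASCII at least min_len long, as a strings(1)-style pass."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    stub = decode_vb_entry(ENTRY_BYTES, ENTRY_RVA)
    # Expected for this page's bytes: push 0x0041CB68, call target RVA 0x1094,
    # i.e. eight bytes before the entry point, where VB6 linkers place the
    # jmp [ThunRTMain] thunk (inference from the usual layout, not page data).
    print({k: hex(v) for k, v in stub.items()})
    print(printable_strings(ENTRY_BYTES))
```

The decoded values match the "Microsoft Visual Basic v5.0/v6.0" identification above: the stub shape, the header address pushed as the single argument, and a project-name-style string ("Landschaftshorizonte1", another random German dictionary word like the version-resource strings) sitting immediately after it.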

Code size:
152 KB (155,648 bytes)

Powered by Reason Core Security