neabas.exe

Maskiseft Visaal Studio 2010

Maskiseft Corporatien

The executable neabas.exe, “Maskiseft Visaal Studie 2010” has been detected as malware by 38 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Bizinyupibz’. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Maskiseft Corporatien

Product:
Maskiseft® Visaal Studio® 2010

Description:
Maskiseft Visaal Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
e140840b4f336a12cdf2b30034c61cfa

SHA-1:
9f94c039ef6b5e0a2e297f4f132e114d59f97f65

SHA-256:
4fab6d9ed2baf8d2d17347b72585bf816e416819c751545605356f5f5433a2c3

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
12/25/2024 2:00:48 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.431295
902

Agnitum Outpost
TrojanSpy.Zbot
7.1.1

AhnLab V3 Security
Trojan/Win32.Necurs
2014.08.17

Avira AntiVirus
TR/Crypt.XPACK.Gen
7.11.30.172

avast!
Win32:Malware-gen
140813-1

AVG
SHeur4
2015.0.3380

Bitdefender
Gen:Variant.Kazy.431295
1.0.20.1140

Bkav FE
HW32.CDB
1.3.0.4959

Comodo Security
TrojWare.Win32.Injector.BJMY
19459

Dr.Web
Trojan.Siggen6.22973
9.0.1.0253

Emsisoft Anti-Malware
Gen:Variant.Kazy.431295
9.0.0.4324

ESET NOD32
Win32/Kryptik.CISY trojan
7.0.302.0

Fortinet FortiGate
W32/Kryptik.CISY!tr
9/10/2014

F-Prot
W32/A-330a1a90
v6.4.7.1.166

F-Secure
Gen:Variant.Kazy.431295
11.2014-16-08_7

G Data
Gen:Variant.Kazy.431295
14.8.24

IKARUS anti.virus
Trojan.Win32.Kryptik
t3scan.1.7.5.0

K7 AntiVirus
Trojan
13.183.13054

Kaspersky
Trojan-Spy.Win32.Zbot
15.0.0.494

Malwarebytes
Trojan.Zbot.gen
v2014.08.16.12

McAfee
Trojan-FEOM!E140840B4F33
5600.7036

Microsoft Security Essentials
Threat.Undefined
1.179.3144.0

MicroWorld eScan
Gen:Variant.Kazy.431295
15.0.0.684

NANO AntiVirus
Trojan.Win32.XPACK.ddtiuj
0.28.2.61519

Norman
ZBot.UYZK
11.20140816

nProtect
Trojan-Spy/W32.ZBot.307245
14.09.07.01

Panda Antivirus
Trj/Genetic.gen
14.08.16.12

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.9.10.23

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.14814

Sophos
Troj/Agent-AIIM
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-FalComp
10418

Total Defense
Win32/Zbot.TQRIBbD
37.0.11124

Trend Micro House Call
TROJ_NECURS.SMJ7
7.2.253

Trend Micro
TROJ_NECURS.SMJ7
10.465.10

Vba32 AntiVirus
TrojanSpy.Zbot
3.12.26.3

VIPRE Antivirus
Threat.4789469
32210

Zillya! Antivirus
Trojan.Zbot.Win32.163712
2.0.0.1915

File size:
300 KB (307,245 bytes)

Product version:
1.9.43074.5121

Copyright:
© Maskiseft Corporatien. All rights reserved.

Original file name:
divonv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\ilsiamco\neabas.exe

File PE Metadata
Compilation timestamp:
3/23/2010 9:18:30 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:xgPkckh1YJTik6ptEX97rF0gyX9QV/QbMsFpkO/mBbly:xnckh1YJsQ9Wg+9QZQFR/Kbo

Entry address:
0xC984

Entry point:
55, 8B, EC, 81, EC, C4, 00, 00, 00, E9, AE, 00, 00, 00, 23, F1, F7, C6, CC, 00, 00, 00, 0F, 84, A0, 00, 00, 00, 2B, F3, E9, 99, 00, 00, 00, 2B, D1, 8B, F8, 83, FF, 68, 0F, 84, 8C, 00, 00, 00, B8, 08, 52, 01, 08, 89, 85, 50, FF, FF, FF, F7, C2, 45, AF, 00, 00, 74, 79, 83, FA, C2, 74, 74, 8B, 85, 50, FF, FF, FF, 23, D1, 89, 85, 50, FF, FF, FF, 3B, D0, 75, 62, 83, F7, B1, 89, 95, 50, FF, FF, FF, 6A, 8F, 6A, 6A, 68, 00, B4, 2A, 1A, 53, 68, 00, 73, 92, BC, E8, FB, 18, 00, 00, 83, C4, 14, 8B, B5, 50, FF, FF, FF...
 
[+]

Entropy:
7.8401

Developed / compiled with:
Microsoft Visual C++

Code size:
140.5 KB (143,872 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Bizinyupibz

Command:
C:\users\{user}\appdata\roaming\ilsiamco\neabas.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to yv-in-f95.1e100.net  (74.125.21.95:80)

TCP (HTTP SSL):
Connects to yv-in-f149.1e100.net  (74.125.21.149:443)

TCP (HTTP):
Connects to yv-in-f141.1e100.net  (74.125.21.141:80)

TCP (HTTP):
Connects to yk-in-f95.1e100.net  (74.125.196.95:80)

TCP (HTTP):
Connects to yh-in-f154.1e100.net  (74.125.137.154:80)

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to t.mookie1.com  (208.71.121.1:80)

TCP (HTTP):
Connects to server-54-230-207-224.atl50.r.cloudfront.net  (54.230.207.224:80)

TCP (HTTP):
Connects to server-54-230-207-103.atl50.r.cloudfront.net  (54.230.207.103:80)

TCP (HTTP):
Connects to presentation-atl1.turn.com  (50.116.194.21:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

TCP (HTTP):
Connects to m.xp1.ru4.com  (199.38.165.155:80)

TCP (HTTP):
Connects to li543-212.members.linode.com  (198.58.101.212:80)

TCP (HTTP):
Connects to ip-209.212.145.84.servernap.net  (209.212.145.84:80)

TCP (HTTP):
Connects to fivemin-cs-shared-dtc-c.evip.aol.com  (205.188.41.3:80)

TCP (HTTP):
Connects to ec2-54-85-76-73.compute-1.amazonaws.com  (54.85.76.73:80)

TCP (HTTP):
Connects to ec2-54-84-148-104.compute-1.amazonaws.com  (54.84.148.104:80)

TCP (HTTP):
Connects to ec2-54-243-96-230.compute-1.amazonaws.com  (54.243.96.230:80)

TCP (HTTP):
Connects to ec2-54-243-72-162.compute-1.amazonaws.com  (54.243.72.162:80)

TCP (HTTP):
Connects to ec2-54-243-59-241.compute-1.amazonaws.com  (54.243.59.241:80)

Remove neabas.exe - Powered by Reason Core Security