noihcye.exe

The executable noihcye.exe has been detected as malware by 22 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.

MD5:
5195e5b0f04e2e991db854383992cbe1

SHA-1:
a42d6f484830579023942e20ec0b2f2b25fe7ba7

SHA-256:
95cf72e0ed787467f79e1c92bc5081723f22f7ea3a722505bc67aecf4fa61c6c

Scanner detections:
22 / 68

Status:
Malware

Analysis date:
12/25/2024 12:07:15 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.362778 | 1036
Avira AntiVirus | TR/Crypt.ZPACK.37879 | 7.11.141.72
avast! | Win32:Kryptik-NQJ [Trj] | 2014.9-140405
AVG | Crypt3 | 2015.0.3514
Bitdefender | Gen:Variant.Kazy.362778 | 1.0.20.475
Bkav FE | HW32.CDB | 1.3.0.4959
Emsisoft Anti-Malware | Gen:Variant.Kazy.362778 | 8.14.04.05.01
ESET NOD32 | Win32/Kryptik.BUVK (variant) | 8.9639
Fortinet FortiGate | W32/Zbot.HGR!tr | 4/5/2014
F-Secure | Gen:Variant.Kazy.362778 | 11.2014-05-04_7
G Data | Gen:Variant.Kazy.362778 | 14.4.24
K7 AntiVirus | Trojan | 13.176.11663
Kaspersky | Trojan-Spy.Win32.Zbot | 14.0.0.4065
Malwarebytes | Trojan.Spy.Zbot | v2014.04.05.01
McAfee | PWSZbot-FLM!5195E5B0F04E | 5600.7170
Microsoft Security Essentials | PWS:Win32/Zbot.gen!AP | 1.10401
MicroWorld eScan | Gen:Variant.Kazy.362778 | 15.0.0.285
Norman | Kryptic.AW | 11.20140405
Panda Antivirus | Trj/Genetic.gen | 14.04.05.01
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Sophos | Troj/Zbot-IAL | 4.98
VIPRE Antivirus | Trojan.Win32.Generic | 28036

File size:
278 KB (284,711 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\asvetuiq\noihcye.exe

File PE Metadata
Compilation timestamp:
11/21/2012 10:23:19 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:mWXTy51u4tgIhSJ/JQJ5P54wHvEiXvMCGFfe8Jz76ce7MA/GvNBIeZvx:mWDy517hSJhQJ5P54wHciXxlI7k7MA+n

Entry address:
0x5000

Entropy:
7.9018

Developed / compiled with:
Microsoft Visual C++

Code size:
24.5 KB (25,088 bytes)

Scheduled Task
Task name:
Security Center Update - 115763021

Trigger:
Daily (Runs daily at 9:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

