» nuroyrc.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

nuroyrc.exe

The executable nuroyrc.exe has been detected as malware by 30 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.

File name:

nuroyrc.exe

Version:

11.39.37531.20829

MD5:

bf0d758e87219bbd50aaa9bdca41cab0

SHA-1:

1f6971c9d83dafb4ef5b049d65a735e543859b1f

SHA-256:

6d7c33c960170a259946b977eb4df52db6734c5cfa13fdfcad8eebfafeb76cfd

Scanner detections:

30 / 68

Status:

Malware

Analysis date:

11/23/2024 10:37:04 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Kazy.491002

811

Agnitum Outpost

Trojan.Kryptik

7.1.1

AhnLab V3 Security

Trojan/Win32.Agent

2014.11.16

Avira AntiVirus

TR/Crypt.ZPACK.107196

7.11.186.88

avast!

Win32:Malware-gen

141025-0

AVG

Win32/Cryptor

2014.0.4189

Bitdefender

Gen:Variant.Kazy.491002

1.0.20.1595

Bkav FE

HW32.Packed

1.3.0.4959

Comodo Security

TrojWare.Win32.Spy.Zbot.UNB

20093

Dr.Web

Trojan.Siggen6.22973

9.0.1.05190

Emsisoft Anti-Malware

Gen:Variant.Kazy.491002

8.14.11.15.02

ESET NOD32

Win32/Kryptik.CPQU (variant)

8.10729

Fortinet FortiGate

W32/Kryptik.CJJL!tr

11/15/2014

F-Secure

Gen:Variant.Kazy.491002

11.2014-15-11_7

K7 AntiVirus

Trojan

13.185.14021

Kaspersky

Trojan.Win32.Yakes

15.0.0.494

Malwarebytes

Spyware.Passwords.ED

v2014.11.15.02

McAfee

MysticCompressor!BF0D758E8721

5600.6945

Microsoft Security Essentials

Threat.Undefined

1.187.2279.0

MicroWorld eScan

Gen:Variant.Kazy.491002

15.0.0.957

NANO AntiVirus

Trojan.Win32.Yakes.dijshu

0.28.6.63362

Norman

Heur.I

11.20141115

Panda Antivirus

Trj/Genetic.gen

14.11.15.02

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

14.11.18.21

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.141113

SUPERAntiSpyware

Trojan.Agent/Gen-Yakes

10236

Total Defense

Win32/Zbot.QWAXJ

37.0.11281

VIPRE Antivirus

Threat.4150696

34232

Zillya! Antivirus

Trojan.Yakes.Win32.26473

2.0.0.1983

File size:

288.6 KB (295,539 bytes)

Product version:

11.39.37531.20829

Original file name:

maosuk.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\fyyhaw\nuroyrc.exe

File PE Metadata

Compilation timestamp:

10/16/2012 1:04:53 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

CTPH (ssdeep):

6144:haiS8AMBC34Ssb/ZeE0Pv4pY0RZUx8iNfS/5o1PRF6MoxsosCUJ:haixQ34vdeEqMZUx8sq/UPrry8C2

Entry address:

0xE09C

Entry point:

55, 8B, EC, 81, EC, 8C, 01, 00, 00, 8B, 05, 68, 1A, 42, 00, E8, DA, 1F, 00, 00, 53, 89, 85, A4, FE, FF, FF, 56, EB, 59, 03, C6, BA, 4F, 00, 00, 00, 3D, 81, BB, 00, 00, 74, 4B, 8B, CB, 0B, D7, 89, 95, D0, FE, FF, FF, 3B, B5, E4, FE, FF, FF, 75, 39, BF, CE, 19, 00, 00, 83, C8, AB, EB, 2F, 3B, 9D, D0, FE, FF, FF, 74, 27, 2B, D3, 83, FA, 1B, 74, 20, 8B, 35, B4, 1A, 42, 00, 03, D7, 3B, 15, B4, 1A, 42, 00, 74, 0A, B8, 0E, 00, 00, 00, E8, AA, 20, 00, 00, 89, B5, 78, FF, FF, FF, 57, 23, F0, 8B, 95, A4, FE, FF, FF... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

106.5 KB (109,056 bytes)

Scheduled Task

Task name:

Security Center Update - 3661186546

Trigger:

Daily (Runs daily at 20:00)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to we-in-f94.1e100.net (173.194.66.94:443)

TCP (HTTP SSL):

Connects to mrs04s10-in-f24.1e100.net (173.194.32.120:443)

Remove nuroyrc.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.