nuroyrc.exe

The executable nuroyrc.exe has been detected as malware by 30 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Version:
11.39.37531.20829

MD5:
bf0d758e87219bbd50aaa9bdca41cab0

SHA-1:
1f6971c9d83dafb4ef5b049d65a735e543859b1f

SHA-256:
6d7c33c960170a259946b977eb4df52db6734c5cfa13fdfcad8eebfafeb76cfd

Scanner detections:
30 / 68

Status:
Malware

Analysis date:
12/25/2024 5:39:03 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.491002
811

Agnitum Outpost
Trojan.Kryptik
7.1.1

AhnLab V3 Security
Trojan/Win32.Agent
2014.11.16

Avira AntiVirus
TR/Crypt.ZPACK.107196
7.11.186.88

avast!
Win32:Malware-gen
141025-0

AVG
Win32/Cryptor
2014.0.4189

Bitdefender
Gen:Variant.Kazy.491002
1.0.20.1595

Bkav FE
HW32.Packed
1.3.0.4959

Comodo Security
TrojWare.Win32.Spy.Zbot.UNB
20093

Dr.Web
Trojan.Siggen6.22973
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Kazy.491002
8.14.11.15.02

ESET NOD32
Win32/Kryptik.CPQU (variant)
8.10729

Fortinet FortiGate
W32/Kryptik.CJJL!tr
11/15/2014

F-Secure
Gen:Variant.Kazy.491002
11.2014-15-11_7

K7 AntiVirus
Trojan
13.185.14021

Kaspersky
Trojan.Win32.Yakes
15.0.0.494

Malwarebytes
Spyware.Passwords.ED
v2014.11.15.02

McAfee
MysticCompressor!BF0D758E8721
5600.6945

Microsoft Security Essentials
Threat.Undefined
1.187.2279.0

MicroWorld eScan
Gen:Variant.Kazy.491002
15.0.0.957

NANO AntiVirus
Trojan.Win32.Yakes.dijshu
0.28.6.63362

Norman
Heur.I
11.20141115

Panda Antivirus
Trj/Genetic.gen
14.11.15.02

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.11.18.21

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.141113

SUPERAntiSpyware
Trojan.Agent/Gen-Yakes
10236

Total Defense
Win32/Zbot.QWAXJ
37.0.11281

VIPRE Antivirus
Threat.4150696
34232

Zillya! Antivirus
Trojan.Yakes.Win32.26473
2.0.0.1983

File size:
288.6 KB (295,539 bytes)

Product version:
11.39.37531.20829

Original file name:
maosuk.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\fyyhaw\nuroyrc.exe

File PE Metadata
Compilation timestamp:
10/16/2012 1:04:53 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

CTPH (ssdeep):
6144:haiS8AMBC34Ssb/ZeE0Pv4pY0RZUx8iNfS/5o1PRF6MoxsosCUJ:haixQ34vdeEqMZUx8sq/UPrry8C2

Entry address:
0xE09C

Entry point:
55, 8B, EC, 81, EC, 8C, 01, 00, 00, 8B, 05, 68, 1A, 42, 00, E8, DA, 1F, 00, 00, 53, 89, 85, A4, FE, FF, FF, 56, EB, 59, 03, C6, BA, 4F, 00, 00, 00, 3D, 81, BB, 00, 00, 74, 4B, 8B, CB, 0B, D7, 89, 95, D0, FE, FF, FF, 3B, B5, E4, FE, FF, FF, 75, 39, BF, CE, 19, 00, 00, 83, C8, AB, EB, 2F, 3B, 9D, D0, FE, FF, FF, 74, 27, 2B, D3, 83, FA, 1B, 74, 20, 8B, 35, B4, 1A, 42, 00, 03, D7, 3B, 15, B4, 1A, 42, 00, 74, 0A, B8, 0E, 00, 00, 00, E8, AA, 20, 00, 00, 89, B5, 78, FF, FF, FF, 57, 23, F0, 8B, 95, A4, FE, FF, FF...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
106.5 KB (109,056 bytes)

Scheduled Task
Task name:
Security Center Update - 3661186546

Trigger:
Daily (Runs daily at 20:00)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to we-in-f94.1e100.net  (173.194.66.94:443)

TCP (HTTP SSL):
Connects to mrs04s10-in-f24.1e100.net  (173.194.32.120:443)

Remove nuroyrc.exe - Powered by Reason Core Security