pepimu.exe

Meskisift Visaal Studio 2010

Meskisift Corporatien

The executable pepimu.exe, described in its version information as “Meskisift Visaal Studie 2010”, has been detected as malware by 26 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address adtech-ads-shared-frr.evip.aol.com on port 80 using the HTTP protocol.
Publisher:
Meskisift Corporatien

Product:
Meskisift® Visaal Studio® 2010

Description:
Meskisift Visaal Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
f2d9e597beee7ad1a8f69b02570fbf6b

SHA-1:
3611b7dfd8c9b1861a2914b0d9eaf462a2d71c27

SHA-256:
0c06c44225cde32eeb333399a62f1327741b73fe0e6b166a4c4512cc0a203391

Scanner detections:
26 / 68

Status:
Malware

Analysis date:
11/8/2024 11:04:55 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.433863 | 898
Agnitum Outpost | TrojanSpy.Zbot | 7.1.1
AhnLab V3 Security | Trojan/Win32.ZBot | 2014.08.21
Avira AntiVirus | TR/Crypt.XPACK.Gen2 | 7.11.30.172
avast! | Win32:Zbot-UJX [Trj] | 140813-1
AVG | Trojan horse Zbot.MTL | 2014.0.4007
Bitdefender | Gen:Variant.Kazy.433863 | 1.0.20.1160
Bkav FE | HW32.CDB | 1.3.0.4959
Comodo Security | TrojWare.Win32.Injector.BJMY | 19261
Dr.Web | Trojan.Packed | 9.0.1.0232
Emsisoft Anti-Malware | Gen:Variant.Kazy.433863 | 8.14.08.20.09
ESET NOD32 | Win32/Spy.Zbot.ABA | 8.10287
F-Secure | Gen:Variant.Kazy.433863 | 11.2014-20-08_4
G Data | Gen:Variant.Kazy.433863 | 14.8.24
K7 AntiVirus | Riskware | 13.183.13113
Kaspersky | Trojan-Spy.Win32.Zbot | 15.0.0.494
Malwarebytes | Trojan.Zbot.gen | v2014.08.20.09
McAfee | PWSZbot-FABW!F2D9E597BEEE | 5600.7032
Microsoft Security Essentials | Threat.Undefined | 1.181.222.0
MicroWorld eScan | Gen:Variant.Kazy.433863 | 15.0.0.696
NANO AntiVirus | Trojan.Win32.Zbot.ddwhob | 0.28.2.61721
Panda Antivirus | Trj/Genetic.gen | 14.08.20.09
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.14818
Sophos | Mal/Agent-APH | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Falcomp[i] | 10409
VIPRE Antivirus | Threat.4789469 | 32210

File size:
299.7 KB (306,919 bytes)

Product version:
1.9.43074.5121

Copyright:
© Meskisift Corporatien. All rights reserved.

Original file name:
divanv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\xuacih\pepimu.exe

File PE Metadata
Compilation timestamp:
1/9/2010 6:25:10 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:YOih/O7DXk2W3kwc07erVPHBqCGxwPZg4xBbZ3KEzFAdLhn+JM:YfYvQR7KAcbJKEzFAdlnGM

Entry address:
0xC988

Entry point:
55, 8B, EC, 81, EC, A4, 01, 00, 00, 8B, 0D, 5C, CA, 42, 00, EB, 15, EB, 13, 68, 00, 61, 16, 25, 56, 68, 00, F9, 74, 65, E8, 15, 1B, 00, 00, 83, C4, 0C, 53, B9, D3, 00, 00, 00, 89, 8D, 60, FE, FF, FF, 56, 89, 85, 60, FE, FF, FF, 57, 83, F1, 03, 8B, 05, 20, CA, 42, 00, EB, 1C, 33, CF, BA, 92, A1, 00, 00, 81, F9, 9A, 0E, 00, 00, 75, 0D, 83, F1, B2, 6A, 52, E8, DA, 1A, 00, 00, 83, C4, 04, B9, 52, 00, 00, 00, 0B, C8, 3B, C8, 74, 5A, 8B, 85, 60, FE, FF, FF, 3B, 4D, 94, 75, 4F, 83, E9, 80, 8B, 95, 60, FE, FF, FF...

Entropy:
7.8621

Developed / compiled with:
Microsoft Visual C++

Code size:
139 KB (142,336 bytes)

Scheduled Task
Task name:
Security Center Update - 3455449055

Trigger:
Daily (Runs daily at 5:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to utsapi-adcom-mtc.evip.aol.com  (64.12.68.22:80)

TCP (HTTP):
Connects to server-54-230-193-100.iad53.r.cloudfront.net  (54.230.193.100:80)

TCP (HTTP):
Connects to server-54-230-103-204.iad2.r.cloudfront.net  (54.230.103.204:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.14.140:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.11.49:80)

TCP (HTTP SSL):
Connects to qg-in-f84.1e100.net  (74.125.29.84:443)

TCP (HTTP):
Connects to m-prd-pxl-adcom-mtc.evip.aol.com  (64.12.106.9:80)

TCP (HTTP):
Connects to m-prd-ads04-adcom-mtc-c.evip.aol.com  (149.174.28.195:80)

TCP (HTTP):
Connects to media.dc6.vcmedia.com  (8.18.45.90:80)

TCP (HTTP):
Connects to mail.brochard.co.uk  (88.208.192.185:80)

TCP (HTTP):
Connects to iad23s26-in-f26.1e100.net  (173.194.121.58:80)

TCP (HTTP):
Connects to iad23s26-in-f13.1e100.net  (173.194.121.45:80)

TCP (HTTP):
Connects to iad23s25-in-f28.1e100.net  (173.194.121.28:80)

TCP (HTTP):
Connects to iad23s25-in-f26.1e100.net  (173.194.121.26:80)

TCP (HTTP):
Connects to iad23s25-in-f13.1e100.net  (173.194.121.13:80)

TCP (HTTP SSL):
Connects to iad23s25-in-f10.1e100.net  (173.194.121.10:443)

TCP (HTTP):
Connects to iad23s24-in-f28.1e100.net  (74.125.228.252:80)

TCP (HTTP):
Connects to iad23s24-in-f27.1e100.net  (74.125.228.251:80)

TCP (HTTP):
Connects to iad23s07-in-f26.1e100.net  (74.125.228.90:80)

TCP (HTTP):
Connects to iad23s05-in-f27.1e100.net  (74.125.228.27:80)
