photo_020.jpeg-www.facebook.exe

The executable photo_020.jpeg-www.facebook.exe has been detected as malware by 37 of 68 anti-virus scanners. The file name is a double-extension lure: with Windows hiding known extensions it displays as photo_020.jpeg-www.facebook, so the victim expects a photo shared via Facebook and instead launches an executable. According to the detections it is a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from the compromised computer and sends it to the operators through a command-and-control server; several engines label it generically as an injector or packed dropper, which is consistent with the file's high entropy (7.6127) and its small declared code size relative to the file size. The file has been seen being downloaded from grandilund.se and multiple other hosts.
MD5:
4a3b3059f6da45b350e4bd3f3033363e

SHA-1:
105072be7a8e1ebebea1f77812217348eaae62dc

SHA-256:
761adbac272a958db0619e21d356f0d498a62ef9840e4e8c23479cb78bed418f
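The three hashes above are what a defender actually matches on; the file name is the social-engineering part. Below is an added Python triage helper written for this page (example code, not Reason Core's own tooling): it hashes a file once with all three algorithms, checks the digests against the indicators listed above, and flags names built on the double-extension trick, where an image or document extension is followed by a separator and the real executable suffix that Explorer hides by default. The RTLO (U+202E) check, the extension lists and the regular expression are the author's assumptions, not anything taken from the listing, and the sample inputs in the usage are constructed.

```python
import hashlib
import io
import re
from pathlib import PurePath

# Indicators copied from the listing above; a file whose SHA-256 matches is this sample.
KNOWN_BAD = {
    "md5": "4a3b3059f6da45b350e4bd3f3033363e",
    "sha1": "105072be7a8e1ebebea1f77812217348eaae62dc",
    "sha256": "761adbac272a958db0619e21d356f0d498a62ef9840e4e8c23479cb78bed418f",
}

# Assumed list of suffixes Windows executes on double-click; Explorer hides only this last one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".hta"}
# Assumed decoy extensions: a "harmless" image/document suffix followed by a separator.
DECOY_EXT_RE = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?|pptx?|txt)[\s._-]", re.IGNORECASE)
RTLO = "\u202e"  # right-to-left override, the other common extension-spoofing trick


def hash_stream(fh, chunk_size: int = 1 << 20) -> dict:
    """Hash a binary stream once with all three algorithms the listing reports."""
    hashers = {name: hashlib.new(name) for name in KNOWN_BAD}
    for block in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_stream(fh)


def matches_ioc(hashes: dict, ioc: dict = KNOWN_BAD) -> list:
    """Algorithms whose digest matches the indicator; an empty list means no match."""
    return [name for name, digest in ioc.items() if hashes.get(name, "").lower() == digest]


def is_extension_lure(filename: str) -> bool:
    """Flag names built to look like a photo or document while ending in an executable suffix.
    photo_020.jpeg-www.facebook.exe displays as photo_020.jpeg-www.facebook with extensions hidden."""
    if RTLO in filename:
        return True
    p = PurePath(filename)
    return p.suffix.lower() in EXECUTABLE_EXTS and DECOY_EXT_RE.search(p.stem + ".") is not None


def triage(filename: str, data: bytes) -> dict:
    """One-shot verdict combining the hash lookup and the file-name heuristic."""
    hashes = hash_bytes(data)
    return {
        "hashes": hashes,
        "ioc_match": matches_ioc(hashes),
        "lure_name": is_extension_lure(filename),
    }


if __name__ == "__main__":
    import sys
    # Constructed input for a stand-alone run; real use: python triage.py <file> ...
    print(triage("photo_020.jpeg-www.facebook.exe", b"MZ\x90\x00"))
    for path in sys.argv[1:]:
        print(path, matches_ioc(hash_file(path)), is_extension_lure(PurePath(path).name))
```

A hash match is conclusive for this exact build; the name heuristic is a cheap first filter that catches the lure pattern regardless of the payload and will also fire on files that were simply named carelessly, so treat it as a triage signal rather than a verdict.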

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
2/27/2025 12:17:29 AM UTC

Scan engine                     Detection                          Engine version
Lavasoft Ad-Aware               Trojan.Agent.BDVI                  368
Agnitum Outpost                 TrojanSpy.Zbot                     7.1.1
AhnLab V3 Security              Dropper/Win32.Necurs               2015.10.06
Arcabit                         Trojan.Agent.BDVI                  1.0.0.568
avast!                          Win32:Injector-BWA [Trj]           2014.9-160202
AVG                             SHeur4                             2017.0.2846
Bitdefender                     Trojan.Agent.BDVI                  1.0.20.165
Bkav FE                         HW32.Packed                        1.3.0.7237
Comodo Security                 UnclassifiedMalware                23361
Dr.Web                          Trojan.DownLoad3.33737             9.0.1.033
Emsisoft Anti-Malware           Trojan.Agent.BDVI                  8.16.02.02.06
ESET NOD32                      Win32/Injector.BHBO                10.12361
Fortinet FortiGate              W32/Injector.BHBO!tr               2/2/2016
F-Prot                          W32/Zbot.QW.gen                    v6.4.7.1.166
F-Secure                        Trojan.Agent.BDVI                  11.2016-02-02_3
G Data                          Trojan.Agent.BDVI                  16.2.25
IKARUS anti.virus               Trojan-Spy.Win32.Zbot              t3scan.1.9.5.0
K7 AntiVirus                    Trojan                             13.210.17432
Kaspersky                       HEUR:Trojan.Win32.Generic          14.0.0.724
Malwarebytes                    Spyware.Zbot.ED                    v2016.02.02.06
McAfee                          Generic-FAUT!4A3B3059F6DA          5600.6502
Microsoft Security Essentials   VirTool:Win32/CeeInject.gen!KK     1.1.12101.0
MicroWorld eScan                Trojan.Agent.BDVI                  17.0.0.99
NANO AntiVirus                  Trojan.Win32.Zbot.dbyqjw           0.30.26.3725
nProtect                        Trojan.Agent.BDVI                  15.10.05.01
Panda Antivirus                 Trj/Chgt.C                         16.02.02.06
Qihoo 360 Security              HEUR/Malware.QVM07.Gen             1.0.0.1015
Quick Heal                      VirTool.CeeInject.S4               2.16.14.00
Rising Antivirus                PE:Malware.RDM.00!5.6[F1]          23.00.65.16131
Sophos                          Mal/Zbot-TJ                        4.98
SUPERAntiSpyware                Trojan.Agent/Gen-Napolar           9348
Total Defense                   Win32/Tnega.HJKeWM                 37.1.62.1
Trend Micro House Call          TROJ_SPNR.28GA14                   7.2.33
Trend Micro                     TROJ_SPNR.28GA14                   10.465.02
Vba32 AntiVirus                 TrojanSpy.Zbot                     3.12.26.4
VIPRE Antivirus                 Trojan.Win32.Generic               44320
Zillya! Antivirus               Downloader.Agent.Win32.200306      2.0.0.2429
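Thirty-seven engines agree the file is malicious but name it differently, and eight of them return the identical Trojan.Agent.BDVI string because they license the same signature engine, so a naive count of labels overstates that verdict. The added example below (written for this page, not part of it; the token rules are the author's own simplification of the approach that labeling tools such as AVClass take) tokenizes the detection column above, discards platform and type words, and ranks candidate family names by the number of distinct label strings and by engine count, so one signature set cannot out-vote the independent Zbot verdicts.

```python
import re
from collections import Counter

# Detection column copied from the scanner table above (engine -> label).
DETECTIONS = {
    "Lavasoft Ad-Aware": "Trojan.Agent.BDVI",
    "Agnitum Outpost": "TrojanSpy.Zbot",
    "AhnLab V3 Security": "Dropper/Win32.Necurs",
    "Arcabit": "Trojan.Agent.BDVI",
    "avast!": "Win32:Injector-BWA [Trj]",
    "AVG": "SHeur4",
    "Bitdefender": "Trojan.Agent.BDVI",
    "Bkav FE": "HW32.Packed",
    "Comodo Security": "UnclassifiedMalware",
    "Dr.Web": "Trojan.DownLoad3.33737",
    "Emsisoft Anti-Malware": "Trojan.Agent.BDVI",
    "ESET NOD32": "Win32/Injector.BHBO",
    "Fortinet FortiGate": "W32/Injector.BHBO!tr",
    "F-Prot": "W32/Zbot.QW.gen",
    "F-Secure": "Trojan.Agent.BDVI",
    "G Data": "Trojan.Agent.BDVI",
    "IKARUS anti.virus": "Trojan-Spy.Win32.Zbot",
    "K7 AntiVirus": "Trojan",
    "Kaspersky": "HEUR:Trojan.Win32.Generic",
    "Malwarebytes": "Spyware.Zbot.ED",
    "McAfee": "Generic-FAUT!4A3B3059F6DA",
    "Microsoft Security Essentials": "VirTool:Win32/CeeInject.gen!KK",
    "MicroWorld eScan": "Trojan.Agent.BDVI",
    "NANO AntiVirus": "Trojan.Win32.Zbot.dbyqjw",
    "nProtect": "Trojan.Agent.BDVI",
    "Panda Antivirus": "Trj/Chgt.C",
    "Qihoo 360 Security": "HEUR/Malware.QVM07.Gen",
    "Quick Heal": "VirTool.CeeInject.S4",
    "Rising Antivirus": "PE:Malware.RDM.00!5.6[F1]",
    "Sophos": "Mal/Zbot-TJ",
    "SUPERAntiSpyware": "Trojan.Agent/Gen-Napolar",
    "Total Defense": "Win32/Tnega.HJKeWM",
    "Trend Micro House Call": "TROJ_SPNR.28GA14",
    "Trend Micro": "TROJ_SPNR.28GA14",
    "Vba32 AntiVirus": "TrojanSpy.Zbot",
    "VIPRE Antivirus": "Trojan.Win32.Generic",
    "Zillya! Antivirus": "Downloader.Agent.Win32.200306",
}

# Assumed stop list: platform, type and confidence words that carry no family information.
GENERIC = {
    "trojan", "trojanspy", "troj", "spyware", "dropper", "downloader", "virtool", "agent",
    "win32", "win64", "hw32", "generic", "heur", "malware", "packed", "unclassifiedmalware",
}


def family_tokens(label: str) -> set:
    """Candidate family names in one label: lowercase, alphabetic, 4+ chars, not generic.
    Short variant codes (BWA, KK, ED) and numbered ones (QVM07, DownLoad3) drop out."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    return {t for t in tokens if len(t) >= 4 and t.isalpha() and t not in GENERIC}


def family_consensus(detections: dict) -> list:
    """Rows of (family, distinct labels naming it, engines naming it), best first.
    Counting distinct strings keeps one licensed engine (the eight Trojan.Agent.BDVI
    verdicts) from out-voting six independently worded Zbot verdicts."""
    by_label = Counter()
    by_engine = Counter()
    for label in set(detections.values()):
        by_label.update(family_tokens(label))
    for label in detections.values():
        by_engine.update(family_tokens(label))
    return sorted(
        ((fam, by_label[fam], by_engine[fam]) for fam in by_label),
        key=lambda row: (-row[1], -row[2], row[0]),
    )


if __name__ == "__main__":
    for fam, labels, engines in family_consensus(DETECTIONS)[:5]:
        print(f"{fam:<12} {labels} distinct labels, {engines} engines")
```

The 4-letter cutoff is a blunt instrument: it keeps genuine families (zbot, necurs) but also lets four-letter variant codes such as BHBO through, which is why the ranking reports both counts and why anything with a single distinct label should be read as noise.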

File size:
172 KB (176,136 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\downloads\photo_020.jpeg-www.facebook.exe

File PE Metadata
Compilation timestamp:
6/22/2014 12:27:44 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
7.0

CTPH (ssdeep):
3072:sJQU3z/bvx/lDVMAZHNr+JF+gvu/Nrok24q9wKMb/ZPI10gkrg7hluW1sNWZgUFC:Qtqtvu/Cl4iwbbhPbHchluW1ssNpKqw

Entry address:
0x5686

Entry point (the bytes shown are the start of the file, i.e. the MZ DOS header and stub, not the code at entry address 0x5686):
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 08, 01, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...
 

Entropy:
7.6127

Code size:
20 KB (20,480 bytes)
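The metadata above is read straight out of the PE headers, and the hex dump labelled as the entry point is in fact the first bytes of the file (the MZ header and the DOS stub), not the instructions at entry address 0x5686. The added example below (written for this page, not part of it) parses those header fields, maps the entry RVA to a file offset through the section table to reach the real first instructions, and computes the Shannon entropy that the listing reports; a value like 7.6127 over a 172 KB file with only 20 KB of declared code points to a packed or encrypted payload that a static signature will not see until it is unpacked. It runs against a constructed minimal PE32 image that reuses the listing's linker version, OS version, subsystem, entry RVA and compile timestamp; those bytes are the author's construction, not the sample's.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform noise.
    Above ~7 over a whole PE usually means a packed or encrypted payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the fields a triage listing reports directly from the headers."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    size_of_code, _, _, entry_rva = struct.unpack_from("<IIII", data, opt + 4)
    # From SectionAlignment (+32) through DllCharacteristics the PE32 and PE32+ layouts
    # coincide, so OS version (+40) and Subsystem (+68) are read the same way for both.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)

    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rawsize, rawptr))

    def rva_to_offset(rva):
        for _, vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        return None

    entry_off = rva_to_offset(entry_rva)
    return {
        "machine": machine,
        "bitness": "Win64" if magic == PE32PLUS_MAGIC else "Win32",
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "entry_offset": entry_off,
        # The bytes that actually execute first; file offset 0 holds only the DOS header.
        "entry_bytes": data[entry_off:entry_off + 8] if entry_off is not None else b"",
        "sections": [s[0] for s in sections],
        "entropy": round(shannon_entropy(data), 4),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for demonstration (not the sample on this page)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    # Machine i386, 1 section, timestamp 2014-06-22 12:27:44 UTC, optional header 0xE0 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1403440064, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, PE32_MAGIC, 7, 0, 0x5000, 0, 0, 0x5686)  # linker 7.0, entry RVA
    struct.pack_into("<IIIII", opt, 20, 0x1000, 0x6000, 0x400000, 0x1000, 0x200)  # bases, alignments
    struct.pack_into("<HH", opt, 40, 4, 0)   # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x6000, 0x1000, 0x6000, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + text).ljust(0x200, b"\0")
    body = bytearray(0x6000)
    body[0x5686 - 0x1000:0x5686 - 0x1000 + 3] = b"\x55\x8b\xec"   # push ebp; mov ebp, esp
    return headers + bytes(body)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key:>15}: {value}")
```

On a real sample, pass the file's bytes to parse_pe and compare entry_bytes with the dump above: the MZ bytes there are what every PE starts with, while the prologue at the entry offset is what distinguishes one packer stub from another. Entropy of the whole file, as reported by the listing, blurs headers and payload together; computing it per section (the raw ranges the section table provides) shows which region carries the packed data.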

The file photo_020.jpeg-www.facebook.exe has been seen being distributed by 2 URLs, including one on grandilund.se.

Remove photo_020.jpeg-www.facebook.exe - Powered by Reason Core Security