piykcau.exe

The executable piykcau.exe has been detected as malware by 30 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
MD5:
f231ef93f3f95af2014d74f682e5e882

SHA-1:
2299023f685123a0f3414c9ed93ad5d3d4de1671

SHA-256:
996a5c164e97f060d6f3f82413d45ea5276dbed2481dbb175d8b84f33a08908c

Scanner detections:
30 / 68

Status:
Malware

Analysis date:
12/26/2024 3:01:26 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.1812082
887

Agnitum Outpost
Trojan.Blocker
7.1.1

AhnLab V3 Security
Trojan/Win32.Necurs
2014.08.21

Avira AntiVirus
TR/Rogue.368640.15
7.11.168.126

avast!
Win32:Malware-gen
140813-1

AVG
Zbot
2015.0.3365

Bitdefender
Trojan.GenericKD.1812082
1.0.20.1215

Dr.Web
Trojan.KillProc.32475
9.0.1.0243

Emsisoft Anti-Malware
Trojan.GenericKD.1812082
8.14.08.31.02

ESET NOD32
Win32/Spy.Zbot.ABA
8.10275

Fortinet FortiGate
W32/Blocker.ABA!tr
8/31/2014

F-Secure
Trojan.GenericKD.1812082
11.2014-31-08_1

G Data
Trojan.GenericKD.1812082
14.8.24

IKARUS anti.virus
Trojan.Win32.Spy
t3scan.1.7.5.0

K7 AntiVirus
Riskware
13.183.13125

Kaspersky
Trojan-Ransom.Win32.Blocker
14.0.0.3322

Malwarebytes
Spyware.Password
v2014.08.31.02

McAfee
RDN/Generic PWS.y!b2s
5600.7021

Microsoft Security Essentials
PWS:Win32/Zbot
1.10903

MicroWorld eScan
Trojan.GenericKD.1812082
15.0.0.729

NANO AntiVirus
Trojan.Win32.Blocker.ddyizn
0.28.2.61721

nProtect
Trojan.GenericKD.1812082
14.08.21.01

Panda Antivirus
Trj/Chgt.D
14.08.31.02

Qihoo 360 Security
Win32/Trojan.Multi.daf
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.8.31.14

Rising Antivirus
PE:Malware.XPACK-HIE/Heur!1.9C48
23.00.65.14816

Sophos
Troj/Zbot-IUD
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Zbot
10388

Trend Micro House Call
TROJ_GEN.R0CBB01HK14
7.2.243

VIPRE Antivirus
Trojan.Win32.Generic
32412

File size:
360 KB (368,640 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\viopmiu\piykcau.exe

File PE Metadata
Compilation timestamp:
8/18/2014 10:41:30 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:6QY5HwTG1DMbjziVSVTz9fj4CgURV4KQcXCz/lzb/7Gxzcfswg0:lTG1DBSPjVicS5zb/79+

Entry address:
0x656B

Entry point:
E8, 7D, 44, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, AC, E6, 43, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 3C, E1, 43, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, A0, 77, 45, 00, 89, 0D, 9C, 77, 45, 00, 89, 15, 98, 77, 45, 00, 89, 1D, 94, 77, 45, 00, 89, 35, 90, 77, 45, 00, 89, 3D...
 
[+]

Entropy:
7.5798

Code size:
242 KB (247,808 bytes)

Scheduled Task
Task name:
Security Center Update - 2941043376

Trigger:
Daily (Runs daily at 4:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-38-215.jfk1.r.cloudfront.net  (54.230.38.215:80)

TCP (HTTP):
Connects to server-205-251-251-104.jfk5.r.cloudfront.net  (205.251.251.104:80)

TCP (HTTP):
Connects to reserved-99.euroclick.com  (193.149.47.99:80)

TCP (HTTP):
Connects to ox-173-241-242-12.xv.dc.openx.org  (173.241.242.12:80)

TCP (HTTP):
Connects to mc.yandex.ru  (87.250.250.119:80)

TCP (HTTP):
Connects to lga15s43-in-f26.1e100.net  (74.125.226.58:80)

TCP (HTTP):
Connects to lga15s43-in-f13.1e100.net  (74.125.226.45:80)

TCP (HTTP):
Connects to lga15s35-in-f28.1e100.net  (173.194.43.60:80)

TCP (HTTP):
Connects to lga15s35-in-f13.1e100.net  (173.194.43.45:80)

TCP (HTTP):
Connects to ip188.67-202-66.static.steadfastdns.net  (67.202.66.188:80)

TCP (HTTP):
Connects to float.1963.bm-impbus.prod.nym2.adnexus.net  (68.67.152.89:80)

TCP (HTTP):
Connects to float.1960.bm-impbus.prod.nym2.adnexus.net  (68.67.153.82:80)

TCP (HTTP):
Connects to float.1938.bm-impbus.prod.nym2.adnexus.net  (68.67.153.56:80)

TCP (HTTP):
Connects to float.1937.bm-impbus.prod.nym2.adnexus.net  (68.67.153.66:80)

TCP (HTTP):
Connects to float.1387.bm-impbus.prod.nym2.adnexus.net  (68.67.152.83:80)

TCP (HTTP):
Connects to float.1376.bm-impbus.prod.nym2.adnexus.net  (68.67.152.72:80)

TCP (HTTP):
Connects to float.1251.bm-impbus.prod.nym2.adnexus.net  (68.67.152.116:80)

TCP (HTTP):
Connects to float.1242.bm-impbus.prod.nym2.adnexus.net  (68.67.152.107:80)

TCP (HTTP):
Connects to ec2-54-243-77-3.compute-1.amazonaws.com  (54.243.77.3:80)

TCP (HTTP):
Connects to ec2-54-243-208-111.compute-1.amazonaws.com  (54.243.208.111:80)

Remove piykcau.exe - Powered by Reason Core Security