qacyex.exe

Nobemame Corporatu

The executable qacyex.exe has been detected as malware by 34 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address map2.hwcdn.net on port 80 using the HTTP protocol.
Publisher: Nobemame Corporatu
Version: 3.43.16320.63551
MD5: 17d9d95261bfc8d163971f3885534f65
SHA-1: 86b0ee980b28bfe4dab234625d7abad52ac93101
SHA-256: 30c0680949d6afa93e102fd7cb141e104eebcce21739bf7db8b35bf2e9497df8
Scanner detections: 34 / 68
Status: Malware
Analysis date: 11/18/2024 5:55:48 AM UTC

Scan engine                    Detection                         Engine version
Lavasoft Ad-Aware              Gen:Variant.Kazy.493074           814
Agnitum Outpost                TrojanSpy.Zbot                    7.1.1
AhnLab V3 Security             Trojan/Win32.Necurs               2014.11.13
Avira AntiVirus                TR/Dropper.Gen                    7.11.30.172
avast!                         Win32:Malware-gen                 141025-0
AVG                            Win32/Cryptor                     2014.0.4189
Bitdefender                    Gen:Variant.Kazy.493074           1.0.20.1580
Bkav FE                        HW32.Packed                       1.3.0.4959
Clam AntiVirus                 Win.Trojan.Agent-814583           0.98/19666
Comodo Security                TrojWare.Win32.Kryptik.ABFW       20067
Dr.Web                         Trojan.Siggen6.22973              9.0.1.05190
Emsisoft Anti-Malware          Gen:Variant.Kazy.493074           8.14.11.12.03
ESET NOD32                     Win32/Spy.Zbot.ABA                8.10714
Fortinet FortiGate             W32/Zbot.ABA!tr                   11/27/2014
F-Prot                         W32/A-7abca16d                    v6.4.7.1.166
F-Secure                       Gen:Variant.Kazy.493074           11.2014-12-11_4
G Data                         Gen:Variant.Kazy.493074           14.11.24
K7 AntiVirus                   Riskware                          13.185.14071
Kaspersky                      Trojan-Spy.Win32.Zbot             15.0.0.543
Malwarebytes                   Spyware.Passwords.ED              v2014.11.12.03
McAfee                         MysticCompressor!17D9D95261BF     5600.6948
Microsoft Security Essentials  Threat.Undefined                  1.187.1993.0
MicroWorld eScan               Gen:Variant.Kazy.493074           15.0.0.948
NANO AntiVirus                 Trojan.Win32.Zbot.dirriq          0.28.6.63474
Panda Antivirus                Trj/Genetic.gen                   14.11.27.12
Qihoo 360 Security             Malware.QVM20.Gen                 1.0.0.1015
Reason Heuristics              Threat.Win.Reputation.IMP         14.11.27.0
Rising Antivirus               PE:Malware.XPACK-LNR/Heur!1.5594  23.00.65.141110
Sophos                         Mal/Kryptik-G                     4.98
SUPERAntiSpyware               Trojan.Agent/Gen-Zbot             10213
Total Defense                  Win32/Zbot.UGMYMDD                37.0.11289
Vba32 AntiVirus                Heur.Trojan.Hlux                  3.12.26.3
VIPRE Antivirus                Trojan.Win32.Generic              34732
Zillya! Antivirus              Trojan.Zbot.Win32.169981          2.0.0.1988

File size: 275.5 KB (282,139 bytes)
Product version: 3.43.16320.63551
Original file name: bandicore.exe
File type: Executable application (Win32 EXE)
Language: English (United States)
Common path: C:\users\{user}\appdata\roaming\huemoxda\qacyex.exe

File PE Metadata
Compilation timestamp: 12/18/2011 5:15:02 AM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
CTPH (ssdeep): 6144:s9OeTVG2BdzaVs/sZhXgF/Zvo5N6g1wAYcByckzcNa6iHCt:gu2B0Vs/EwFFoD62QLcacdt
Entry address: 0xFC98
Entry point: 55, 8B, EC, 81, EC, 78, 02, 00, 00, BA, 97, 89, 00, 00, EB, 15, EB, 13, 83, C1, 7D, 8B, C1, 3B, 85, B0, FE, FF, FF, 75, 06, 89, 85, 74, FE, FF, FF, 53, 3B, 05, 38, 21, 42, 00, 74, 20, EB, 1E, 8B, 15, 50, 20, 42, 00, 03, D6, 3B, D6, 74, 12, 68, 00, 29, E5, B3, 68, 00, 81, 5C, E7, E8, CE, 28, 00, 00, 83, C4, 08, 56, 83, C0, 87, 89, 85, 94, FD, FF, FF, 57, 3B, 05, DC, 20, 42, 00, 75, 0C, 8B, 9D, 94, FD, FF, FF, 89, 9D, 94, FD, FF, FF, 03, DB, EB, 0D, 81, FB, DE, DA, 00, 00, 74, 05, E8, 34, 2C, 00, 00, 8D, 85...

Entropy: 7.8894
Developed / compiled with: Microsoft Visual C++
Code size: 116 KB (118,784 bytes)

Scheduled Task
Task name: Security Center Update - 2734071320
Trigger: Daily (Runs daily at 3:00 PM)
Description: Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to mpr2.ngd.vip.bf1.yahoo.com (98.139.225.43:80)
TCP (HTTP): Connects to map2.hwcdn.net (205.185.216.42:80)
TCP (HTTP): Connects to mallet9.wikipolo.com (46.244.10.228:80)
TCP (HTTP): Connects to lga15s45-in-f31.1e100.net (74.125.226.191:80)
TCP (HTTP): Connects to float.2273.bm-impbus.prod.nym2.adnexus.net (68.67.153.154:80)
TCP (HTTP): Connects to ec2-107-20-228-181.compute-1.amazonaws.com (107.20.228.181:80)

Remove qacyex.exe - Powered by Reason Core Security