qacyex.exe

Nobemame Corporatu

The executable qacyex.exe has been detected as malware by 34 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address map2.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Nobemame Corporatu

Version:
3.43.16320.63551

MD5:
17d9d95261bfc8d163971f3885534f65

SHA-1:
86b0ee980b28bfe4dab234625d7abad52ac93101

SHA-256:
30c0680949d6afa93e102fd7cb141e104eebcce21739bf7db8b35bf2e9497df8

Scanner detections:
34 / 68

Status:
Malware

Analysis date:
12/26/2024 3:26:30 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.493074
814

Agnitum Outpost
TrojanSpy.Zbot
7.1.1

AhnLab V3 Security
Trojan/Win32.Necurs
2014.11.13

Avira AntiVirus
TR/Dropper.Gen
7.11.30.172

avast!
Win32:Malware-gen
141025-0

AVG
Win32/Cryptor
2014.0.4189

Bitdefender
Gen:Variant.Kazy.493074
1.0.20.1580

Bkav FE
HW32.Packed
1.3.0.4959

Clam AntiVirus
Win.Trojan.Agent-814583
0.98/19666

Comodo Security
TrojWare.Win32.Kryptik.ABFW
20067

Dr.Web
Trojan.Siggen6.22973
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Kazy.493074
8.14.11.12.03

ESET NOD32
Win32/Spy.Zbot.ABA
8.10714

Fortinet FortiGate
W32/Zbot.ABA!tr
11/27/2014

F-Prot
W32/A-7abca16d
v6.4.7.1.166

F-Secure
Gen:Variant.Kazy.493074
11.2014-12-11_4

G Data
Gen:Variant.Kazy.493074
14.11.24

K7 AntiVirus
Riskware
13.185.14071

Kaspersky
Trojan-Spy.Win32.Zbot
15.0.0.543

Malwarebytes
Spyware.Passwords.ED
v2014.11.12.03

McAfee
MysticCompressor!17D9D95261BF
5600.6948

Microsoft Security Essentials
Threat.Undefined
1.187.1993.0

MicroWorld eScan
Gen:Variant.Kazy.493074
15.0.0.948

NANO AntiVirus
Trojan.Win32.Zbot.dirriq
0.28.6.63474

Panda Antivirus
Trj/Genetic.gen
14.11.27.12

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.11.27.0

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.141110

Sophos
Mal/Kryptik-G
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Zbot
10213

Total Defense
Win32/Zbot.UGMYMDD
37.0.11289

Vba32 AntiVirus
Heur.Trojan.Hlux
3.12.26.3

VIPRE Antivirus
Trojan.Win32.Generic
34732

Zillya! Antivirus
Trojan.Zbot.Win32.169981
2.0.0.1988

File size:
275.5 KB (282,139 bytes)

Product version:
3.43.16320.63551

Original file name:
bandicore.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\huemoxda\qacyex.exe

File PE Metadata
Compilation timestamp:
12/18/2011 5:15:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

CTPH (ssdeep):
6144:s9OeTVG2BdzaVs/sZhXgF/Zvo5N6g1wAYcByckzcNa6iHCt:gu2B0Vs/EwFFoD62QLcacdt

Entry address:
0xFC98

Entry point:
55, 8B, EC, 81, EC, 78, 02, 00, 00, BA, 97, 89, 00, 00, EB, 15, EB, 13, 83, C1, 7D, 8B, C1, 3B, 85, B0, FE, FF, FF, 75, 06, 89, 85, 74, FE, FF, FF, 53, 3B, 05, 38, 21, 42, 00, 74, 20, EB, 1E, 8B, 15, 50, 20, 42, 00, 03, D6, 3B, D6, 74, 12, 68, 00, 29, E5, B3, 68, 00, 81, 5C, E7, E8, CE, 28, 00, 00, 83, C4, 08, 56, 83, C0, 87, 89, 85, 94, FD, FF, FF, 57, 3B, 05, DC, 20, 42, 00, 75, 0C, 8B, 9D, 94, FD, FF, FF, 89, 9D, 94, FD, FF, FF, 03, DB, EB, 0D, 81, FB, DE, DA, 00, 00, 74, 05, E8, 34, 2C, 00, 00, 8D, 85...
 
[+]

Entropy:
7.8894

Developed / compiled with:
Microsoft Visual C++

Code size:
116 KB (118,784 bytes)

Scheduled Task
Task name:
Security Center Update - 2734071320

Trigger:
Daily (Runs daily at 3:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mpr2.ngd.vip.bf1.yahoo.com  (98.139.225.43:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.42:80)

TCP (HTTP):
Connects to mallet9.wikipolo.com  (46.244.10.228:80)

TCP (HTTP):
Connects to lga15s45-in-f31.1e100.net  (74.125.226.191:80)

TCP (HTTP):
Connects to float.2273.bm-impbus.prod.nym2.adnexus.net  (68.67.153.154:80)

TCP (HTTP):
Connects to ec2-107-20-228-181.compute-1.amazonaws.com  (107.20.228.181:80)

Remove qacyex.exe - Powered by Reason Core Security