taskswatch.exe

M/s Tech AnB

The application taskswatch.exe by M/s Tech AnB has been flagged by 11 of 68 anti-malware scanners and is classified as adware; the individual detections range from a generic startup PUP (Reason Heuristics) to a backdoor IRC bot (VIPRE). This is a setup program which is used to install the application. It is set to execute automatically whenever any user logs into Windows, through the machine-wide Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'TasksWatch'. This is a trojan bot that uses IRC to communicate with a command and control network. The trojan drops other malicious software and opens a backdoor on the infected computer. The file carries a valid COMODO-issued code-signing signature for M/s Tech AnB (valid 2/10/2014 to 2/11/2015); a verified signature establishes who signed the binary, not that it is safe, so it is not evidence against these detections.
Publisher:
M/s Tech AnB  (signed and verified)

MD5:
306f9ab66da7d6ae9c4267b38055f425

SHA-1:
b4355ef01bfc1351877d7ae13ebd82fda432d5e4

SHA-256:
8ade0ebf334d6c250c767ca8cf3ad3041bc4187f13f908a5b4923808e3ae5abd

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
11/5/2024 4:44:58 AM UTC

Scan engine              Detection                    Engine version
Lavasoft Ad-Aware        Gen:Variant.Symmi.39392      1059
Bitdefender              Gen:Variant.Symmi.39392      1.0.20.355
Emsisoft Anti-Malware    Gen:Variant.Symmi.39392      8.14.03.12.10
F-Secure                 Gen:Variant.Symmi.39392      11.2014-12-03_4
G Data                   Gen:Variant.Symmi.39392      14.3.24
MicroWorld eScan         Gen:Variant.Symmi.39392      15.0.0.213
Reason Heuristics        PUP.Startup.MsTechAnB.K      14.3.13.0
Rising Antivirus         PE:Malware.XPACK/RDM!5.1     23.00.65.14310
Trend Micro House Call   TROJ_GEN.F47V0311            7.2.71
VIPRE Antivirus          Backdoor.Win32.Ircbot.gen    27288
XVirus List              Win.Detected                 2.3.31

File size:
1.2 MB (1,251,968 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\taskswatch.exe

Digital Signature
Signed by:
M/s Tech AnB
Authority:
COMODO CA Limited

Valid from:
2/10/2014 3:00:00 AM

Valid to:
2/11/2015 2:59:59 AM

Subject:
CN=M/s Tech AnB, O=M/s Tech AnB, STREET="Plot No. F-125,", STREET="Sector 74,", STREET="Industrial Area, Phase 8B", L=Mohali, S=Punjab, PostalCode=160071, C=IN

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00C12161D8036677E0A09B9580299D979F

File PE Metadata
Compilation timestamp:
2/26/2014 3:31:03 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:8ErKb7LlD7YUPAPTp4iMwWXO0ki5q2irCU5vikBWDj3PBS:/rKpDUdirXOdV2irCU5vlBYTPk

Entry address:
0x324000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, 70, 12, 00, 2D, FF, 91, 0A, 10, 05, F4, 91, 0A, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 98, C5, 93, 24, 68, 0A, E6, 0B, 30, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, D1, A5, 78, 2A, 00, 07, B4, 20, C6, 2F, 51, 0A, 03, 28...

Entropy:
7.9048  (probably packed)

Code size:
33 KB (33,792 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
TasksWatch

Command:
"C:\users\{user}\appdata\local\temp\taskswatch.exe"
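As an added example (not code from this page or from Reason Core Security), the Python script below reproduces the checks behind several fields reported above: it extracts the image path from a Run-key command of the form shown under "Startup File", hashes a file and compares it with the MD5/SHA-1/SHA-256 values listed for this sample, computes byte entropy to apply the "probably packed" heuristic, and reads the compile timestamp, linker version, code size and entry-point RVA from a PE header the way the "File PE Metadata" fields are derived. The Run-key command and the PE header it processes are constructed inside the script (the stub header carries the page's stated timestamp 2/26/2014 3:31:03 AM UTC, linker 10.0 and code size 33,792 bytes, but is not the real file); the 7.0 entropy threshold and the sample user path are assumptions.

```python
"""Offline triage helpers for the indicators on this page (added example).

All inputs are constructed here: a fake Run-key command and a stub PE header.
The 7.0 bits/byte packing threshold is an assumed heuristic, not a page value.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# File hashes listed on the page (the only file IOCs it gives).
PAGE_IOCS = {
    "md5": "306f9ab66da7d6ae9c4267b38055f425",
    "sha1": "b4355ef01bfc1351877d7ae13ebd82fda432d5e4",
    "sha256": "8ade0ebf334d6c250c767ca8cf3ad3041bc4187f13f908a5b4923808e3ae5abd",
}
PACKED_THRESHOLD = 7.0  # assumption: entropy above this is treated as packed

# The page's compile timestamp, 2/26/2014 3:31:03 AM UTC, as Unix time.
PAGE_COMPILE_TS = int(datetime(2014, 2, 26, 3, 31, 3, tzinfo=timezone.utc).timestamp())


def run_key_image_path(command):
    """Extract the executable path from a Run-key command value.

    Handles the quoted form the page shows and an unquoted form where
    arguments follow the first space (an unquoted path with spaces is
    ambiguous, exactly as it is for Windows itself).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:] if end == -1 else command[1:end]
    return command.split(" ", 1)[0]


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of the bytes, keyed like PAGE_IOCS."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_iocs(data, iocs=PAGE_IOCS):
    """True if any listed digest matches the data's digest."""
    digests = file_hashes(data)
    return any(digests.get(name) == value.lower() for name, value in iocs.items())


def shannon_entropy(data):
    """Entropy in bits per byte (0.0 to 8.0); packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def probably_packed(data, threshold=PACKED_THRESHOLD):
    return shannon_entropy(data) > threshold


def pe_metadata(data):
    """Read timestamp, machine, linker version, code size and entry RVA; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER: after 4-byte signature + 20-byte file header
    if len(data) < opt + 20 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsec, ts, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    return {
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "machine": machine,
        "pe32": magic == 0x10B,
        "linker_version": f"{linker_major}.{linker_minor}",
        "code_size": size_of_code,
        "entry_rva": entry_rva,
    }


def build_stub_pe(timestamp, linker=(10, 0), code_size=33792, entry_rva=0x1000):
    """Constructed minimal PE32 header (not a loadable image) for the demo below."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBI", opt, 0, 0x10B, linker[0], linker[1], code_size)
    struct.pack_into("<I", opt, 16, entry_rva)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    # Constructed inputs: a Run-key value in the page's format and the stub header.
    sample_command = '"C:\\users\\alice\\appdata\\local\\temp\\taskswatch.exe"'
    stub = build_stub_pe(PAGE_COMPILE_TS)
    print("image path :", run_key_image_path(sample_command))
    print("hashes     :", file_hashes(stub))
    print("IOC match  :", matches_iocs(stub))
    print("entropy    :", round(shannon_entropy(stub), 4), "packed?", probably_packed(stub))
    print("pe metadata:", pe_metadata(stub))
```

To use it on a live host, read the 'TasksWatch' value from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and the HKCU equivalent), pass the command to run_key_image_path, and feed the bytes of the file it points to into the other functions: digests equal to the page's values confirm the same sample, and an entropy close to the page's 7.9048 indicates the same packing even when the hashes differ.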


The file taskswatch.exe has been seen being distributed by the following URL.

Remove taskswatch.exe - Powered by Reason Core Security