ugikh.exe

Maskiseft Visual Studio 2010

Maskiseft Corporation

The executable ugikh.exe, “Maskiseft Visual Studie 2010”, has been detected as malware by 27 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Maskiseft Corporation

Product:
Maskiseft® Visual Studio® 2010

Description:
Maskiseft Visual Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
bcc2d2b8a3cf308fd00ff364bc484c3b

SHA-1:
608ca11563ad83efe429448ff75a78ab2a3e8f23

SHA-256:
886a74a86305280339fadd6efbe1338d356439eceb929511f52e3ab2b9cd9889

Scanner detections:
27 / 68

Status:
Malware

Analysis date:
12/26/2024 3:10:00 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Kazy.429305 | 842
AhnLab V3 Security | Trojan/Win32.Necurs | 2014.08.12
Avira AntiVirus | TR/Crypt.XPACK.Gen | 7.11.30.172
avast! | Win32:Trojan-gen | 2014.9-141016
AVG | Inject2 | 2015.0.3320
Baidu Antivirus | Trojan.Win32.Injector | 4.0.3.141016
Bitdefender | Gen:Variant.Kazy.429305 | 1.0.20.1445
Bkav FE | HW32.CDB | 1.3.0.4959
Emsisoft Anti-Malware | Gen:Variant.Kazy.429305 | 8.14.10.16.07
ESET NOD32 | Win32/Injector.BJMY (variant) | 8.10239
Fortinet FortiGate | W32/Zbot.TTAL!tr | 10/16/2014
F-Secure | Gen:Variant.Kazy.429305 | 11.2014-16-10_5
G Data | Gen:Variant.Kazy.429305 | 14.10.24
K7 AntiVirus | Backdoor | 13.183.13014
Kaspersky | Trojan-Spy.Win32.Zbot | 14.0.0.3094
Malwarebytes | Spyware.Zbot.MSXGen | v2014.10.16.07
McAfee | Trojan.PWSZbot-FABW!F8C21E9983BB | 5600.6976
Microsoft Security Essentials | Threat.Undefined | 1.179.2746.0
MicroWorld eScan | Gen:Variant.Kazy.429305 | 15.0.0.867
NANO AntiVirus | Trojan.Win32.XPACK.ddsjgr | 0.28.2.61519
Panda Antivirus | Trj/Genetic.gen | 14.10.16.07
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.141014
Sophos | Mal/Inject-FK | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-FalComp | 10296
Total Defense | Win32/Zbot.DcMHTfD | 37.0.11114
VIPRE Antivirus | Threat.4789469 | 31208

File size:
301.7 KB (308,928 bytes)

Product version:
1.9.43074.5121

Copyright:
© Maskiseft Corporation. All rights reserved.

Original file name:
divonv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\elbexaep\ugikh.exe

File PE Metadata
Compilation timestamp:
6/26/2011 5:47:47 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:iAoa5bYXxW4v8SP05ZGXCaBshxtFhEtMFtnfe7VR28KGfXFQpgWgHu:zombmpJ06XCw6Fg7fXtpHu

Entry address:
0xCC3C

Entry point:
55, 8B, EC, 81, EC, 4C, 01, 00, 00, 8B, 15, 38, CA, 42, 00, 89, 95, 2C, FF, FF, FF, 53, 83, EA, 6C, 8B, 95, 2C, FF, FF, FF, 89, 95, 2C, FF, FF, FF, 56, 83, F2, 0B, B8, EB, 00, 00, 00, EB, 06, 89, BD, 00, FF, FF, FF, 57, 8B, BD, 2C, FF, FF, FF, EB, 26, 8B, FB, EB, 22, BE, 7E, 00, 00, 00, F7, C2, 68, 7C, 00, 00, 75, 15, 89, BD, B4, FE, FF, FF, 83, EE, 8D, 8B, B5, B4, FE, FF, FF, 89, B5, B4, FE, FF, FF, 89, B5, 2C, FF, FF, FF, 6A, 00, 6A, 00, 68, AA, 00, 00, 00, 68, 08, CA, 42, 00, FF, 15, 28, 4E, 42, 00, 23...
 

Entropy:
7.8663

Developed / compiled with:
Microsoft Visual C++

Code size:
139.5 KB (142,848 bytes)

Scheduled Task
Task name:
Security Center Update - 2075334044

Trigger:
Daily (Runs daily at 9:00 AM)


The executing file has been seen to make the following network communications in live environments.

