weapozqulfyp.exe

The executable weapozqulfyp.exe has been detected as malware by 14 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘weapozqulfyp’. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address cluster010.ovh.net on port 80 using the HTTP protocol.
MD5:
544bc403f4772f3552b0da833523c360

SHA-1:
7fbc72a6e69439fda33b6983093fd2e178be64ab

SHA-256:
3b17c32b168f1a4f41f63cca4da0ec28d5742a199094ae1600219c5e66918e2c

Scanner detections:
14 / 68

Status:
Malware

Analysis date:
11/27/2024 3:54:14 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Buzus.KK.1486
7.11.144.234

avast!
Win32:Dropper-gen [Drp]
2014.9-140424

AVG
SHeur4
2015.0.3495

ESET NOD32
Win32/Injector.BCKC (variant)
8.9711

Kaspersky
Backdoor.Win32.Pushdo
14.0.0.3969

Malwarebytes
Spyware.Zbot.ED
v2014.04.24.05

Microsoft Security Essentials
VirTool:Win32/CeeInject.gen!KK
1.10502

Qihoo 360 Security
HEUR/Malware.QVM19.Gen
1.0.0.1015

Sophos
Mal/Generic-S
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Reveton
10647

Trend Micro House Call
TROJ_GEN.F47V0422
7.2.114

Trend Micro
PAK_Generic.001
10.465.24

VIPRE Antivirus
Trojan.Win32.Generic
28530

ViRobot
Trojan.Win32.Inject.114688.K
2011.4.7.4223

File size:
112 KB (114,688 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\monia\weapozqulfyp.exe

File PE Metadata
Compilation timestamp:
4/18/2014 6:34:28 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

CTPH (ssdeep):
3072:210n9OoxEkULy2NvhpM1MXwr/j5xdVGYGbKW:2w93u31he1MAr/3dBo9

Entry address:
0x1D0C

Entry point:
55, 8B, EC, 6A, FF, E9, E4, 1B, 00, 00, 68, 46, 35, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, 5F, 57, E8, F0, 18, 00, 00, 8B, CF, 83, 0D, 58, 64, 40, 00, FF, 83, 0D, 5C, 64, 40, 00, FF, E8, A5, 03, 00, 00, 90, 8B, 0D, 4C, 64, 40, 00, 89, 08, E8, 17, 08, 00, 00, 90, 8B, 0D, 48, 64, 40, 00, 89, 08, A1, 58, 42, 40, 00, 8B, 00, A3, 54, 64, 40, 00, E8, C6, 09, 00, 00, 39, 1D, E0, 60, 40, 00, 75, 0C, 68, 26, 11, 40, 00, 90, 90...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
16 KB (16,384 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
weapozqulfyp

Command:
C:\users\monia\weapozqulfyp.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to vme49ee.bsws.de  (81.209.182.37:80)

TCP (HTTP):
Connects to unknown.scnet.net  (204.93.213.45:80)

TCP (HTTP):
Connects to structives.com  (70.32.113.95:80)

TCP (HTTP):
Connects to static.115.86.76.144.clients.your-server.de  (144.76.86.115:80)

TCP (HTTP):
Connects to o-ho.ru  (78.47.135.34:80)

TCP (HTTP):
Connects to nina.juizi.com  (5.9.122.172:80)

TCP (HTTP):
Connects to nakedcumshots.com  (64.59.81.104:80)

TCP (HTTP):
Connects to msatest.com  (216.70.112.211:80)

TCP (HTTP):
Connects to msasys.com  (205.186.132.26:80)

TCP (HTTP):
Connects to mhintdin-unix.alicomitalia.it  (95.110.192.171:80)

TCP (HTTP):
Connects to ec2-54-229-116-65.eu-west-1.compute.amazonaws.com  (54.229.116.65:80)

TCP (HTTP):
Connects to cluster010.ovh.net  (213.186.33.19:80)

TCP (HTTP):
Connects to 173.192.210.69-static.reverse.softlayer.com  (173.192.210.69:80)

Remove weapozqulfyp.exe - Powered by Reason Core Security