zaevine.exe

Maskiseft Visual Studio 2010

Maskiseft Corporation

The executable zaevine.exe, “Maskiseft Visual Studie 2010” has been detected as malware by 36 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Maskiseft Corporation

Product:
Maskiseft® Visual Studio® 2010

Description:
Maskiseft Visual Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
2294bb585a3b3aa6a857cd1212c84489

SHA-1:
d8aee116a3583ff79f8a6f5cf60eb6aa497dcabd

SHA-256:
eb8146e8bf05c6b7803782df0e42965a6afb707146cba4cd634edf1e5786bef4

Scanner detections:
36 / 68

Status:
Malware

Analysis date:
12/23/2024 12:41:46 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.428451
904

Agnitum Outpost
Trojan.KillProc
7.1.1

AhnLab V3 Security
Trojan/Win32.Necurs
2014.08.16

Avira AntiVirus
TR/Crypt.XPACK.Gen
7.11.171.88

avast!
Win32:Malware-gen
2014.9-140815

AVG
Trojan horse SHeur4
2015.0.3382

Bitdefender
Gen:Variant.Kazy.428451
1.0.20.1135

Bkav FE
HW32.CDB
1.3.0.4959

Comodo Security
TrojWare.Win32.Injector.BJMY
19313

Dr.Web
Trojan.KillProc.32405
9.0.1.0227

Emsisoft Anti-Malware
Gen:Variant.Kazy.428451
8.14.08.15.08

ESET NOD32
Win32/Kryptik.CIOG trojan
8.7.0.302.0

Fortinet FortiGate
W32/Inject.CIOG!tr
8/15/2014

F-Prot
W32/A-1e0dfbb1
v6.4.7.1.166

F-Secure
Gen:Variant.Kazy.428451
11.2014-15-08_6

G Data
Gen:Variant.Kazy.428451
14.8.24

IKARUS anti.virus
Trojan.Win32.Crypt
t3scan.1.7.5.0

K7 AntiVirus
Trojan
13.183.13054

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.3403

Malwarebytes
Trojan.Zbot.gen
v2014.08.15.10

McAfee
PWSZbot-FABW!2294BB585A3B
5600.7038

Microsoft Security Essentials
Threat.Undefined
1.179.3048.0

MicroWorld eScan
Gen:Variant.Kazy.428451
15.0.0.681

NANO AntiVirus
Trojan.Win32.KillProc.ddtjwp
0.28.2.61519

Norman
Kryptik.CEEY
11.20140815

Panda Antivirus
Trj/Genetic.gen
14.08.15.10

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.9.2.17

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.14813

Sophos
Troj/Agent-AIIM
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-FalComp
10420

Total Defense
Win32/Zbot.EJKFbYB
37.0.11121

Trend Micro House Call
TSPY_ZBOT.SMLAK
7.2.227

Trend Micro
TSPY_ZBOT.SMLAK
10.465.15

VIPRE Antivirus
Threat.4789469
32210

Zillya! Antivirus
Backdoor.PePatch.Win32.39497
2.0.0.1901

File size:
298.1 KB (305,283 bytes)

Product version:
1.9.43074.5121

Copyright:
© Maskiseft Corporation. All rights reserved.

Original file name:
divonv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\fuwukay\zaevine.exe

File PE Metadata
Compilation timestamp:
2/14/2010 8:05:42 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:iErZ8oP691BJtdfhSwVbmLCdu6uZsK/q9scL3T:iEreX11FhBVSLCdu6L

Entry address:
0xC97C

Entry point:
55, 8B, EC, 81, EC, DC, 00, 00, 00, 6A, A5, E8, B4, 18, 00, 00, 83, C4, 04, 53, 03, C0, 89, 85, 48, FF, FF, FF, 56, 89, 85, 48, FF, FF, FF, 57, A9, 36, 00, 00, 00, 75, 06, 89, 85, 48, FF, FF, FF, 8B, 95, 48, FF, FF, FF, 83, FA, BC, 75, 37, 03, D2, 8B, 8D, 48, FF, FF, FF, 89, 8D, 48, FF, FF, FF, 89, 85, 48, FF, FF, FF, 89, 8D, 48, FF, FF, FF, EB, 1B, 2B, F2, B9, 83, 91, 00, 00, 89, 75, 9C, 68, 00, 2C, 04, 21, 51, 6A, E8, 51, E8, A1, 17, 00, 00, 83, C4, 10, 6A, 00, 6A, 00, 6A, 54, 68, 30, CA, 42, 00, FF, 15...
 
[+]

Entropy:
7.8509

Developed / compiled with:
Microsoft Visual C++

Code size:
137.5 KB (140,800 bytes)

Scheduled Task
Task name:
Security Center Update - 1026502577

Trigger:
Daily (Runs daily at 9:00 AM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tps.sj2.fastclick.net  (64.156.167.98:80)

TCP (HTTP):
Connects to server-54-240-160-94.iad12.r.cloudfront.net  (54.240.160.94:80)

TCP (HTTP):
Connects to server-54-240-160-211.iad12.r.cloudfront.net  (54.240.160.211:80)

TCP (HTTP):
Connects to server-54-230-91-106.ind6.r.cloudfront.net  (54.230.91.106:80)

TCP (HTTP):
Connects to server-54-230-89-73.ind6.r.cloudfront.net  (54.230.89.73:80)

TCP (HTTP):
Connects to server-54-230-89-232.ind6.r.cloudfront.net  (54.230.89.232:80)

TCP (HTTP):
Connects to server-205-251-253-181.ind6.r.cloudfront.net  (205.251.253.181:80)

TCP (HTTP SSL):
Connects to server.iad.liveperson.net  (208.89.13.133:443)

TCP (HTTP SSL):
Connects to sa.ia7.scorecardresearch.com  (205.217.176.18:443)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.14.233:80)

TCP (HTTP):
Connects to origincache-xx-shv-07-ash2.fbcdn.net  (173.252.113.21:80)

TCP (HTTP):
Connects to origincache-xx-shv-05-frc3.fbcdn.net  (173.252.108.1:80)

TCP (HTTP SSL):
Connects to ord08s09-in-f9.1e100.net  (74.125.225.137:443)

TCP (HTTP SSL):
Connects to ord08s09-in-f7.1e100.net  (74.125.225.135:443)

TCP (HTTP):
Connects to ord08s09-in-f27.1e100.net  (74.125.225.155:80)

TCP (HTTP):
Connects to ord08s09-in-f26.1e100.net  (74.125.225.154:80)

TCP (HTTP):
Connects to ord08s09-in-f25.1e100.net  (74.125.225.153:80)

TCP (HTTP):
Connects to ord08s09-in-f14.1e100.net  (74.125.225.142:80)

TCP (HTTP SSL):
Connects to ord08s08-in-f28.1e100.net  (74.125.225.124:443)

TCP (HTTP):
Connects to ord08s08-in-f25.1e100.net  (74.125.225.121:80)

Remove zaevine.exe - Powered by Reason Core Security