zeulc.exe

Rady

Fastream Technologies

The executable zeulc.exe, “Ubusypi Quz Ebokyl” has been detected as malware by 19 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Fastream Technologies

Product:
Rady

Description:
Ubusypi Quz Ebokyl

Version:
1, 2, 6

MD5:
02fd96b20e571072c5abb9f92bad3016

SHA-1:
c94912648d39a67ceb7d491c3d2a1cf3955b5ed5

SHA-256:
1360f63c5ea760b46b52653f2344ee8ff95d9e9fbc55c159e2a6850eb68ea7ed

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
12/25/2024 3:56:00 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Graftor.147488
936

AhnLab V3 Security
Dropper/Win32.Necurs
2014.07.14

Avira AntiVirus
TR/Crypt.ZPACK.61802
7.11.160.154

avast!
Win32:Necurs-S [Trj]
140617-1

AVG
Trojan horse SHeur4.BYDT
2014.0.3986

Bitdefender
Gen:Variant.Graftor.147488
1.0.20.970

Bkav FE
HW32.CDB
1.3.0.4959

Dr.Web
Trojan.Siggen6.15132
9.0.1.05190

ESET NOD32
Win32/Kryptik.CGLR trojan
7.0.302.0

F-Secure
Gen:Variant.Graftor.147488
11.2014-13-07_1

G Data
Gen:Variant.Graftor.147488
14.7.24

Kaspersky
Trojan-Spy.Win32.Zbot
15.0.0.494

Malwarebytes
Spyware.Zbot.VXGen
v2014.07.13.08

Microsoft Security Essentials
Threat.Undefined
1.177.2397.0

MicroWorld eScan
Gen:Variant.Graftor.147488
15.0.0.582

NANO AntiVirus
Trojan.Win32.Zbot.dcefej
0.28.0.60698

Rising Antivirus
PE:Malware.XPACK-HIE/Heur!1.9C48
23.00.65.14711

Sophos
Mal/Ransom-CV
4.98

VIPRE Antivirus
Threat.4150696
31208

File size:
337 KB (345,088 bytes)

Product version:
1

Copyright:
1998

Trademarks:
Ujepoq Nity Olehyj Kasykyc Dudexyd Leve Yhyze Napahob

Original file name:
Axws++.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\ospyivme\zeulc.exe

File PE Metadata
Compilation timestamp:
8/9/2011 6:17:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

CTPH (ssdeep):
6144:rKvdNMSlWzN7XOfXnU7JNzLumSiHKRwKnqtjWOV6TLBtp3/h4V:rKl2zcXUNdSmSiCwagKa6vB94V

Entry address:
0x41F7C

Entry point:
49, 81, C7, 00, E3, 00, 00, 43, 3B, D7, 77, 32, EB, 30, 00, 00, 00, 00, 00, 00, B9, 00, 00, 00, 00, 00, 6A, 00, 00, 29, 00, 00, 00, 00, 00, 00, 00, C0, 00, 00, 00, 00, 00, 1A, 00, 00, 00, 00, 00, 00, 00, 9A, 00, 00, 00, 00, 00, 00, 00, 33, 00, 00, 89, 15, 94, FD, 44, 00, 81, 3D, B8, FD, 44, 00, 00, 13, 17, 5C, 77, 27, EB, 25, 00, 00, 00, 00, B4, 00, 00, 00, 00, 00, 07, 00, 00, 00, 2B, 00, 00, 00, 00, 00, 00, 00, 4A, 00, 00, 00, 00, 00, 00, 00, 71, 00, 00, 00, 00, 00, 7E, 3B, F3, 72, 29, EB, 59, 00, 00, 00...
 
[+]

Entropy:
7.2840

Code size:
277.5 KB (284,160 bytes)

Scheduled Task
Task name:
Security Center Update - 2005007516

Trigger:
Daily (Runs daily at 8:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to yts2.yql.vip.ne1.yahoo.com  (98.138.243.53:443)

TCP (HTTP SSL):
Connects to syndicate1.nads.vip.bf1.yahoo.com  (69.147.78.32:443)

TCP (HTTP):
Connects to server-54-230-20-194.ewr2.r.cloudfront.net  (54.230.20.194:80)

TCP (HTTP):
Connects to s3-1.amazonaws.com  (54.231.1.128:80)

TCP (HTTP):
Connects to phx2-ss-3-lb.cnet.com  (216.239.120.39:80)

TCP (HTTP):
Connects to phx2-dw-cbsi-xw-lb.cnet.com  (216.239.120.246:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

TCP (HTTP):
Connects to iad23s26-in-f23.1e100.net  (173.194.121.55:80)

TCP (HTTP):
Connects to iad23s26-in-f13.1e100.net  (173.194.121.45:80)

TCP (HTTP):
Connects to iad23s24-in-f25.1e100.net  (74.125.228.249:80)

TCP (HTTP):
Connects to iad23s08-in-f31.1e100.net  (74.125.228.127:80)

TCP (HTTP):
Connects to iad23s08-in-f15.1e100.net  (74.125.228.111:80)

TCP (HTTP):
Connects to iad23s06-in-f9.1e100.net  (74.125.228.41:80)

TCP (HTTP):
Connects to float.1250.bm-impbus.prod.nym2.adnexus.net  (68.67.152.115:80)

TCP (HTTP SSL):
Connects to edge-star-shv-12-iad1.facebook.com  (31.13.69.160:443)

TCP (HTTP):
Connects to ec2-75-101-151-209.compute-1.amazonaws.com  (75.101.151.209:80)

TCP (HTTP):
Connects to ec2-54-84-35-63.compute-1.amazonaws.com  (54.84.35.63:80)

TCP (HTTP):
Connects to ec2-54-84-234-215.compute-1.amazonaws.com  (54.84.234.215:80)

TCP (HTTP):
Connects to ec2-23-23-168-121.compute-1.amazonaws.com  (23.23.168.121:80)

TCP (HTTP):
Connects to ec2-23-23-135-193.compute-1.amazonaws.com  (23.23.135.193:80)

Remove zeulc.exe - Powered by Reason Core Security