Troj/Zbot-HAE

Category: Viruses and Spyware
Protection available since: 26 Nov 2013 20:37:30 (GMT)
Type: Trojan
Last Updated: 26 Nov 2013 20:37:30 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Zbot-HAE include:

Example 1

File Information

Size: 252K
SHA-1: 2cad0842e0d409a35f6930c968570a51a18a1d7c
MD5: 6485636254ad13ea39c5a247e67211bc
CRC-32: 422d9372
File type: Windows executable
First seen: 2013-11-26

Example 2

File Information

Size: 252K
SHA-1: 6d6236f41aa9e2f8a577b8b67a241cfc45765508
MD5: 14b6e5ab7fd7dd5311ff60a49a79f95a
CRC-32: d6f2e08f
File type: Windows executable
First seen: 2013-11-26

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Dacub\axyrm.lui
    Size: 477
    SHA-1: defba3c4e9a406e08c112394bdaf95c6f16e3361
    MD5: ca9ef2d257e4cd0c53089dab3ff48990
    CRC-32: b503d3f0
    File type: Unspecified binary - probably data
    First seen: 2013-11-26
  • c:\Documents and Settings\test user\Application Data\Dacub\axyrm.tmp
    Size: 563
    SHA-1: 502d27e4d7ccf3f6ef5395cdbb1362e76dd6ca0b
    MD5: cb80c5436b448c5c8a15b5ae163e8542
    CRC-32: a27169aa
    File type: Unspecified binary - probably data
    First seen: 2013-11-26
  • c:\Documents and Settings\test user\Application Data\Eged\bowo.exe
    Size: 252K
    SHA-1: 2cad0842e0d409a35f6930c968570a51a18a1d7c
    MD5: 6485636254ad13ea39c5a247e67211bc
    CRC-32: 422d9372
    File type: Windows executable
    First seen: 2013-11-26
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {E3268B9D-4181-A37C-AB46-B0086AB7B297} = "c:\Documents and Settings\test user\Application Data\Eged\bowo.exe"
  • HKCU\Identities
    Identity Login = 0x00098053
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  • HKCU\Software\Microsoft\Yksye
    Yxugmuw = (binary data; not reproducible as text)
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count = 0x00000008
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp = ca b0 d9 64 c2 ea ce 01
Processes Created
  • c:\Documents and Settings\test user\application data\eged\bowo.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://alibabatrade.al.funpic.de/manitoba/setting.bin
DNS Requests
  • alibabatrade.al.funpic.de