Mal/Zbot-LE

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 17 Apr 2013 19:57:40 (GMT)
Last Updated: 06 Oct 2015 06:29:45 (GMT)


Examples of Mal/Zbot-LE include:

Example 1

File Information

Size: 416K
SHA-1: 2543ea831983e1d8fd07b442375016ea4ad961d7
MD5: 6a3ddf654068d04e596857457d840763
CRC-32: 5e088a70
File type: Windows executable
First seen: 2013-04-11

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\SharedReg.exe
Dropped Files
  • c:\Documents and Settings\test user\Templates\bootres.exe
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\Documents and Settings\test user\Application Data\apple\Aprilspread.exe
    c:\Documents and Settings\test user\Application Data\apple\Aprilspread.exe:*:Enabled:Windows Messanger
  • HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
    FOL56X3CVW
    April 11, 2013
  • HKCU\Software\VB and VBA Program Settings\SrvID\ID
    FOL56X3CVW
    APRILSEX
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions
    0x00000000
Processes Created
  • c:\Documents and Settings\test user\templates\bootres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\reg.exe
DNS Requests
  • 1h4xinc70.no-ip.org
  • 2h4xinc70.no-ip.org
  • 3h4xinc70.no-ip.org
  • 4h4xinc70.no-ip.org
  • 5h4xinc70.no-ip.org
  • 6h4xinc70.no-ip.org
  • h4xinc70.no-ip.org

Example 2

File Information

Size: 430K
SHA-1: 2639e3490641100b6f26a3fb40aa43f0db36afb3
MD5: 6bfa55c35b9bd4a6bc7f6f00921977be
CRC-32: f1e5bdbb
File type: Windows executable
First seen: 2013-04-16

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\SharedReg.exe
Dropped Files
  • c:\Documents and Settings\test user\Templates\bootres.exe
  • c:\Documents and Settings\test user\Application Data\dclogs\2013-04-17-4.dc
Processes Created
  • c:\Documents and Settings\test user\templates\bootres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
DNS Requests
  • samurai1.no-ip.org

Example 3

File Information

Size: 307K
SHA-1: 271dae9ba6ad643f390b668bf6046407a26cebf8
MD5: 911ff3809a8f51f2fb82b5ba5088f333
CRC-32: da766dc0
File type: Windows executable
First seen: 2013-04-10

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\SharedReg.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\dclogs\2013-04-10-4.dc
  • c:\Documents and Settings\test user\Templates\bootres.exe
Processes Created
  • c:\Documents and Settings\test user\templates\bootres.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
DNS Requests
  • ifishalot.no-ip.info
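The indicators in the three runtime analyses above can be turned into host checks. The Python below is an added example, not Sophos code: it wildcards the sandbox account name ("test user") so the profile paths match any user, matches the dated Application Data\dclogs\*.dc drop from Examples 2 and 3 as a pattern rather than a literal, parses the Windows XP/2003 firewall AuthorizedApplications\List value format (path:scope:Enabled:name) recorded in Example 1, flags DoNotAllowExceptions being reset to 0, and checks DNS queries against the C2 names from all three examples. Two parts go beyond the page and are assumptions: treating any query under the no-ip.org / no-ip.info dynamic-DNS zones as worth a look (it will also fire on legitimate no-ip users), and treating any Enabled, any-scope firewall exception for a binary under a user profile as suspicious even when the path is not a listed artifact. The telemetry events it scans are constructed for the example (victim profile "alice") and follow the XP-era Documents and Settings layout the analysis was run on.

```python
import re

# Sandbox account in the Sophos analysis above; a real infection writes under the
# victim's own profile, so that path segment is matched as a wildcard.
SANDBOX_USER = "test user"

# Paths copied from "Copies Itself To" / "Dropped Files" in the three examples.
FILE_IOCS = [
    r"c:\Documents and Settings\test user\Local Settings\Temp\SharedReg.exe",
    r"c:\Documents and Settings\test user\Templates\bootres.exe",
    r"c:\Documents and Settings\test user\Application Data\apple\Aprilspread.exe",
]
# Examples 2 and 3 drop Application Data\dclogs\<YYYY-MM-DD>-<n>.dc with
# different dates, so the file name is matched as a pattern.
DCLOG_RE = re.compile(r".*\\application data\\dclogs\\\d{4}-\d{2}-\d{2}-\d+\.dc", re.I)

# DNS requests listed in Examples 1-3.
DNS_IOCS = {
    "h4xinc70.no-ip.org", "1h4xinc70.no-ip.org", "2h4xinc70.no-ip.org",
    "3h4xinc70.no-ip.org", "4h4xinc70.no-ip.org", "5h4xinc70.no-ip.org",
    "6h4xinc70.no-ip.org", "samurai1.no-ip.org", "ifishalot.no-ip.info",
}
# Assumption (broader than the page): every name above is under a no-ip
# dynamic-DNS zone, so any query under those zones is reported as a weak signal.
DYNDNS_ZONES = ("no-ip.org", "no-ip.info")

FW_STD = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
FW_LIST = FW_STD + r"\AuthorizedApplications\List"


def path_pattern(ioc):
    """Compile an IOC path into a case-insensitive regex whose user segment is a wildcard."""
    head, sep, tail = ioc.partition(SANDBOX_USER)
    if not sep:
        return re.compile(re.escape(ioc), re.I)
    return re.compile(re.escape(head) + r"[^\\]+" + re.escape(tail), re.I)


FILE_RES = [path_pattern(p) for p in FILE_IOCS]


def match_file(path):
    """True if a created or dropped file path matches a known Mal/Zbot-LE artifact."""
    return any(r.fullmatch(path) for r in FILE_RES) or DCLOG_RE.fullmatch(path) is not None


def match_dns(host):
    """Return 'ioc' for a listed C2 name, 'dyndns' for the wider heuristic, else None."""
    host = host.lower().rstrip(".")
    if host in DNS_IOCS:
        return "ioc"
    if any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES):
        return "dyndns"
    return None


def parse_fw_entry(data):
    """Split an XP/2003 AuthorizedApplications\\List value '<path>:<scope>:<Enabled|Disabled>:<name>'.
    rsplit is used because the path itself starts with 'c:'."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "enabled": state.lower() == "enabled", "name": name}


def check_registry(key, name, data):
    """Flag the firewall-policy changes listed under 'Registry Keys' in Example 1."""
    k = key.lower()
    if k == FW_LIST.lower():
        e = parse_fw_entry(str(data))
        if e and e["enabled"] and e["scope"] == "*":
            known = match_file(e["path"])
            # Assumption: an Enabled any-scope exception for a binary under a user
            # profile is suspicious even if the path is not a listed artifact.
            if known or "\\documents and settings\\" in e["path"].lower():
                return f"firewall exception for {e['path']} ({'known artifact' if known else 'user-profile binary'})"
    elif k == FW_STD.lower() and name.lower() == "donotallowexceptions" and int(str(data), 0) == 0:
        return "DoNotAllowExceptions set to 0 (firewall exceptions re-enabled)"
    return None


def scan(events):
    """Run every check over a list of telemetry events; returns (tag, detail) findings."""
    findings = []
    for ev in events:
        if ev["kind"] == "file" and match_file(ev["path"]):
            findings.append(("file", ev["path"]))
        elif ev["kind"] == "dns":
            tag = match_dns(ev["query"])
            if tag:
                findings.append(("dns-" + tag, ev["query"]))
        elif ev["kind"] == "reg":
            msg = check_registry(ev["key"], ev["name"], ev["data"])
            if msg:
                findings.append(("registry", msg))
    return findings


# Constructed telemetry for a victim profile "alice" (not from the page).
SAMPLE_EVENTS = [
    {"kind": "file", "path": r"c:\Documents and Settings\alice\Local Settings\Temp\SharedReg.exe"},
    {"kind": "file", "path": r"c:\Documents and Settings\alice\Application Data\dclogs\2013-05-02-1.dc"},
    {"kind": "file", "path": r"c:\windows\system32\cmd.exe"},
    {"kind": "dns", "query": "3h4xinc70.no-ip.org"},
    {"kind": "dns", "query": "foo.no-ip.info"},
    {"kind": "dns", "query": "updates.example.com"},
    {"kind": "reg", "key": FW_LIST,
     "name": r"c:\Documents and Settings\alice\Application Data\apple\Aprilspread.exe",
     "data": r"c:\Documents and Settings\alice\Application Data\apple\Aprilspread.exe:*:Enabled:Windows Messanger"},
    {"kind": "reg", "key": FW_STD, "name": "DoNotAllowExceptions", "data": "0x00000000"},
]

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_EVENTS):
        print(f"[{tag}] {detail}")
```

Run stand-alone it prints the six findings for the constructed events; to use it on real data, build the same event dicts from an EDR or Sysmon export (file create, DNS query and registry set events) and call scan(). On Vista and later the profile root is C:\Users and the firewall policy lives elsewhere, so the path prefixes and registry keys would need adjusting for those hosts.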
