{395a7992-07ce-7b67-b550-8f92395a7992}.exe

MapEditor

The executable {395a7992-07ce-7b67-b550-8f92395a7992}.exe has been detected as malware by 16 anti-virus scanners. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. The file has been seen being downloaded from chelmonline.pl and multiple other hosts.
Product:
MapEditor

Description:
MapEditor

Version:
1, 0, 0, 1

MD5:
f0dd53d2e97f29c398e61bed402fb4c1

SHA-1:
f8c2dd32ec6b97df7cc97c0d77ff913fb84adead

SHA-256:
4c79fcea618d72ea80860fce2f01f250d1bc9b4b1e1cb501bfec85321fc37aac

Scanner detections:
16 / 68

Status:
Malware

Analysis date:
11/20/2017 2:55:57 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Graftor.140290
1005

AhnLab V3 Security
Trojan/Win32.Ransomlock
14.05.05

Bitdefender
Gen:Variant.Graftor.140290
1.0.20.625

Emsisoft Anti-Malware
Gen:Variant.Graftor.140290
8.14.05.05.03

ESET NOD32
Win32/Injector.BCYH (variant)
8.9747

F-Secure
Gen:Variant.Graftor.140290
11.2014-05-05_2

G Data
Gen:Variant.Graftor.140290
14.5.24

Kaspersky
Trojan.Win32.Reconyc
14.0.0.3912

Malwarebytes
Spyware.Zbot.ED
v2014.05.05.03

McAfee
Artemis!F0DD53D2E97F
5600.7139

McAfee Web Gateway
Artemis!F0DD53D2E97F
7.7139

Microsoft Security Essentials
VirTool:Win32/CeeInject.gen!KK
1.10502

MicroWorld eScan
Gen:Variant.Graftor.140290
15.0.0.375

Panda Antivirus
Trj/CI.A
14.05.05.03

Qihoo 360 Security
Win32/Trojan.Multi.daf
1.0.0.1015

Sophos
Troj/Wonton-CA
4.98

File size:
192 KB (196,608 bytes)

Product version:
1, 0, 0, 1

Copyright:
Copyright © 2014

Original file name:
MapEditor.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, Singapore)

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\start menu\programs\startup\{395a7992-07ce-7b67-b550-8f92395a7992}.exe

File PE Metadata
Compilation timestamp:
5/1/2014 3:24:35 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:LegNMmunzpRCeb+V6hnm11DmPbE7LfNptfT96ZmBJhu9Fnk6Znc5:PSRCLtWKLfNptfcZUhu9Fk6I

Entry address:
0x1C70

Entry point:
55, 8B, EC, 6A, FF, 68, 78, 4B, 40, 00, 68, EA, 2F, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 88, 42, 40, 00, 59, 83, 0D, F4, 62, 40, 00, FF, 83, 0D, F8, 62, 40, 00, FF, FF, 15, 84, 42, 40, 00, 8B, 0D, E8, 62, 40, 00, 89, 08, FF, 15, 80, 42, 40, 00, 8B, 0D, E4, 62, 40, 00, 89, 08, A1, BC, 42, 40, 00, 8B, 00, A3, F0, 62, 40, 00, E8, 71, F5, FF, FF, 39, 1D, 00, 61, 40, 00, 75, 0C, 68, E6, 2F, 40, 00, FF, 15, 94, 42...

Entropy:
7.2870

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
12 KB (12,288 bytes)

User Start Menu Item
Name:
{395a7992-07ce-7b67-b550-8f92395a7992}.exe


The file {395a7992-07ce-7b67-b550-8f92395a7992}.exe has been seen being distributed by the following 5 URLs.

http://chelmonline.pl/?gz8l142axh95=ad16b39f75152
