86febc8.tmp

The file 86febc8.tmp has been detected as malware by 43 anti-virus scanners. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address 50-57-88-236.static.cloud-ips.com on port 25.
MD5: 5da7291b1cb877926694247e607daae5

SHA-1: 51efc00a467959e278c9325a599316073dff92c7

Scanner detections: 43 / 68

Status: Malware

Analysis date: 11/23/2017 2:09:47 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Trojan.GenericKDZ.19332 | 366 |
| Agnitum Outpost | Trojan.Wigon | 7.1.1 |
| AhnLab V3 Security | Trojan/Win32.Agent | 16.02.04 |
| Avira AntiVirus | TR/Dropper.Gen | 7.11.151.204 |
| Antiy Labs AVL | Trojan[:HEUR]/Win32.Unknown | 0.1.0.1 |
| avast! | Win32:Kryptik-LUQ [Trj] | 2014.9-160204 |
| AVG | Crypt | 2017.0.2844 |
| Baidu Antivirus | Trojan.Win32.Generic | 4.0.3.1624 |
| Bitdefender | Trojan.GenericKDZ.19332 | 1.0.20.175 |
| Bkav FE | W32.Clod01a.Trojan | 1.3.0.4959 |
| Commtouch SDK | W32/Trojan.MDDT-7883 | 5.4.1.7 |
| Comodo Security | TrojWare.Win32.Kryptik.BAVK | 18347 |
| Dr.Web | BackDoor.Bulknet.893 | 9.0.1.035 |
| Emsisoft Anti-Malware | Trojan.GenericKDZ.19332 | 8.16.02.04.02 |
| ESET NOD32 | Win32/Wigon.PH | 10.9857 |
| Fortinet FortiGate | W32/Pushdo.PYD!tr.bdr | 2/4/2016 |
| F-Secure | Trojan.GenericKDZ.19332 | 11.2016-04-02_5 |
| G Data | Trojan.GenericKDZ.19332 | 16.2.24 |
| IKARUS anti.virus | Trojan.CryptDTE | t3scan.1.6.1.0 |
| K7 AntiVirus | Trojan | 13.178.12212 |
| K7 Gateway Antivirus | Trojan | 13.178.12212 |
| Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.715 |
| Kingsoft AntiVirus | Win32.HeurC.KVMH004.a.(kcloud) | 331020.49267 |
| Malwarebytes | Trojan.PPush | v2016.02.04.02 |
| McAfee | Cutwail-FBYD!5DA7291B1CB8 | 5600.6500 |
| McAfee Web Gateway | Cutwail-FBYD!5DA7291B1CB8 | 7.6500 |
| Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail.BS | 1.10600 |
| MicroWorld eScan | Trojan.GenericKDZ.19332 | 17.0.0.105 |
| NANO AntiVirus | Trojan.Win32.Bulknet.brssna | 0.28.0.59921 |
| Norman | Troj_Generic.LPEDR | 11.20160204 |
| nProtect | Trojan/W32.Agent.41984.TE | 14.05.27.01 |
| Panda Antivirus | Trj/CI.A | 16.02.04.02 |
| Qihoo 360 Security | Win32/Trojan.e6d | 1.0.0.1015 |
| Quick Heal | TrojanPWS.Zbot.AZ4 | 2.16.14.00 |
| Rising Antivirus | PE:Trojan.Win32.Generic.14AA7224!346714660 | 23.00.65.16202 |
| Sophos | Troj/Cutwail-AM | 4.98 |
| SUPERAntiSpyware | Trojan.Agent/Gen-Kryptik | 9345 |
| Total Defense | Win32/Cutwail.XUFGcb | 37.0.10963 |
| Trend Micro House Call | BKDR_PUSHDO.SMK | 7.2.35 |
| Trend Micro | BKDR_PUSHDO.SMK | 10.465.04 |
| Vba32 AntiVirus | BScope.Trojan.Pushdo | 3.12.26.0 |
| VIPRE Antivirus | Trojan-Downloader.Win32.Cutwail.bx | 29676 |
| Zillya! Antivirus | Trojan.Wigon.Win32.3981 | 2.0.0.1803 |

File size: 41 KB (41,984 bytes)

Common path: C:\Documents and Settings\{user}\Local settings\temp\86febc8.tmp

File PE Metadata

Compilation timestamp: 5/13/2006 10:28:57 PM

OS version: 4.0

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 5.12

CTPH (ssdeep): 768:hjfoiNOBfTiOcCFaj9sDK5RH4wO0TWl8VoIr:YfTi0FusDKH4wO0T08Z

Entry address: 0x1400

Entry point (first bytes):
85, C0, 33, C0, 50, 68, 09, 10, 10, 08, 50, 68, BD, 02, 00, 00, 50, E8, 3A, 00, 00, 00, 68, F5, 13, 10, 08, E8, 30, 00, 00, 00, E8, 2B, 00, 00, 00, E8, 1A, 00, 00, 00, 68, A3, 13, 10, 08, 50, E8, 33, FD, FF, FF, FF, D0, CC, FF, 25, 14, 20, 10, 08, FF, 25, 10, 20, 10, 08, FF, 25, 08, 20, 10, 08, FF, 25, 04, 20, 10, 08, FF, 25, 00, 20, 10, 08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Code size: 1.5 KB (1,536 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to www.onebox.com (204.11.168.221:80)
TCP (HTTP): Connects to ws.pchome.com.tw (220.130.119.180:80)
TCP (HTTP): Connects to w2.src.vip.gq1.yahoo.com (98.137.236.150:80)
TCP (HTTP): Connects to uwsp.edu (143.236.32.121:80)
TCP (SMTP): Connects to mtsdatacentres.com (199.27.222.110:25)
TCP (HTTP): Connects to manage.embarq.synacor.com (69.168.97.85:80)
TCP (HTTP): Connects to mail.vail.net (65.38.128.10:80)
TCP (HTTP): Connects to localocracy.com (64.12.89.186:80)
TCP (SMTP): Connects to lb-182-210.above.com (103.224.182.210:25)
TCP (SMTP): Connects to ip-50-63-202-45.ip.secureserver.net (50.63.202.45:25)
TCP (HTTP): Connects to ip24.ip-198-27-118.net (198.27.118.24:80)
TCP (HTTP): Connects to ftp.nettally.com (199.44.82.1:80)
TCP (SMTP): Connects to ds1.surfglobal.net (72.71.201.5:25)
TCP (HTTP): Connects to ash.parking.local (69.64.147.249:80)
TCP (HTTP): Connects to webportal.synacor.com (64.8.70.102:80)
TCP (SMTP): Connects to nn1715.van.ca.siteprotect.com (64.40.115.5:25)
TCP (SMTP): Connects to www.t-online.de (62.153.159.92:25)
TCP (SMTP): Connects to www.earthlink.net (209.86.62.44:25)
TCP (HTTP): Connects to wcsu.edu (149.152.50.41:80)
TCP (SMTP): Connects to lb-182-242.above.com (103.224.182.242:25)

Remove 86febc8.tmp - Powered by Reason Core Security