» 86febc8.tmp
Overview
Analysis
File Details
Network (25)

86febc8.tmp

The file 86febc8.tmp has been detected as malware by 38 anti-virus scanners. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address 50-57-88-236.static.cloud-ips.com on port 25.

File name:

86febc8.tmp

MD5:

5da7291b1cb877926694247e607daae5

SHA-1:

51efc00a467959e278c9325a599316073dff92c7

Scanner detections:

38 / 68

Status:

Malware

Analysis date:

4/18/2024 1:21:10 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.GenericKDZ.19332

366

Agnitum Outpost

Trojan.Wigon

7.1.1

AhnLab V3 Security

Trojan/Win32.Agent

16.02.04

Avira AntiVirus

TR/Dropper.Gen

7.11.151.204

avast!

Win32:Kryptik-LUQ [Trj]

2014.9-160204

AVG

Crypt

2017.0.2844

Baidu Antivirus

Trojan.Win32.Generic

4.0.3.1624

Bitdefender

Trojan.GenericKDZ.19332

1.0.20.175

Bkav FE

W32.Clod01a.Trojan

1.3.0.4959

Comodo Security

TrojWare.Win32.Kryptik.BAVK

18347

Dr.Web

BackDoor.Bulknet.893

9.0.1.035

Emsisoft Anti-Malware

Trojan.GenericKDZ.19332

8.16.02.04.02

ESET NOD32

Win32/Wigon.PH

10.9857

Fortinet FortiGate

W32/Pushdo.PYD!tr.bdr

2/4/2016

F-Secure

Trojan.GenericKDZ.19332

11.2016-04-02_5

G Data

Trojan.GenericKDZ.19332

16.2.24

IKARUS anti.virus

Trojan.CryptDTE

t3scan.1.6.1.0

K7 AntiVirus

Trojan

13.178.12212

Kaspersky

HEUR:Trojan.Win32.Generic

14.0.0.715

Malwarebytes

Trojan.PPush

v2016.02.04.02

McAfee

Cutwail-FBYD!5DA7291B1CB8

5600.6500

Microsoft Security Essentials

TrojanDownloader:Win32/Cutwail.BS

1.10600

MicroWorld eScan

Trojan.GenericKDZ.19332

17.0.0.105

NANO AntiVirus

Trojan.Win32.Bulknet.brssna

0.28.0.59921

Norman

Troj_Generic.LPEDR

11.20160204

nProtect

Trojan/W32.Agent.41984.TE

14.05.27.01

Panda Antivirus

Trj/CI.A

16.02.04.02

Qihoo 360 Security

Win32/Trojan.e6d

1.0.0.1015

Quick Heal

TrojanPWS.Zbot.AZ4

2.16.14.00

Rising Antivirus

PE:Trojan.Win32.Generic.14AA7224!346714660

23.00.65.16202

Sophos

Troj/Cutwail-AM

4.98

SUPERAntiSpyware

Trojan.Agent/Gen-Kryptik

9345

Total Defense

Win32/Cutwail.XUFGcb

37.0.10963

Trend Micro House Call

BKDR_PUSHDO.SMK

7.2.35

Trend Micro

BKDR_PUSHDO.SMK

10.465.04

Vba32 AntiVirus

BScope.Trojan.Pushdo

3.12.26.0

VIPRE Antivirus

Trojan-Downloader.Win32.Cutwail.bx

29676

Zillya! Antivirus

Trojan.Wigon.Win32.3981

2.0.0.1803

File size:

41 KB (41,984 bytes)

Common path:

C:\Documents and Settings\{user}\Local settings\temp\86febc8.tmp

File PE Metadata

Compilation timestamp:

5/13/2006 10:28:57 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

5.12

CTPH (ssdeep):

768:hjfoiNOBfTiOcCFaj9sDK5RH4wO0TWl8VoIr:YfTi0FusDKH4wO0T08Z

Entry address:

0x1400

Entry point:

85, C0, 33, C0, 50, 68, 09, 10, 10, 08, 50, 68, BD, 02, 00, 00, 50, E8, 3A, 00, 00, 00, 68, F5, 13, 10, 08, E8, 30, 00, 00, 00, E8, 2B, 00, 00, 00, E8, 1A, 00, 00, 00, 68, A3, 13, 10, 08, 50, E8, 33, FD, FF, FF, FF, D0, CC, FF, 25, 14, 20, 10, 08, FF, 25, 10, 20, 10, 08, FF, 25, 08, 20, 10, 08, FF, 25, 04, 20, 10, 08, FF, 25, 00, 20, 10, 08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Code size:

1.5 KB (1,536 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to www.onebox.com (204.11.168.221:80)

TCP (HTTP):

Connects to ws.pchome.com.tw (220.130.119.180:80)

TCP (HTTP):

Connects to w2.src.vip.gq1.yahoo.com (98.137.236.150:80)

TCP (HTTP):

Connects to uwsp.edu (143.236.32.121:80)

TCP (SMTP):

Connects to mtsdatacentres.com (199.27.222.110:25)

TCP (HTTP):

Connects to manage.embarq.synacor.com (69.168.97.85:80)

TCP (HTTP):

Connects to mail.vail.net (65.38.128.10:80)

TCP (HTTP):

Connects to localocracy.com (64.12.89.186:80)

TCP (SMTP):

Connects to lb-182-210.above.com (103.224.182.210:25)

TCP (SMTP):

Connects to ip-50-63-202-45.ip.secureserver.net (50.63.202.45:25)

TCP (HTTP):

Connects to ip24.ip-198-27-118.net (198.27.118.24:80)

TCP (HTTP):

Connects to ftp.nettally.com (199.44.82.1:80)

TCP (SMTP):

Connects to ds1.surfglobal.net (72.71.201.5:25)

TCP (HTTP):

Connects to ash.parking.local (69.64.147.249:80)

TCP (HTTP):

Connects to webportal.synacor.com (64.8.70.102:80)

TCP (SMTP):

Connects to nn1715.van.ca.siteprotect.com (64.40.115.5:25)

TCP (SMTP):

Connects to www.t-online.de (62.153.159.92:25)

TCP (SMTP):

Connects to www.earthlink.net (209.86.62.44:25)

TCP (HTTP):

Connects to wcsu.edu (149.152.50.41:80)

TCP (SMTP):

Connects to lb-182-242.above.com (103.224.182.242:25)

Remove 86febc8.tmp - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.