biirq.exe

Musrunafm Visatl Studio 2010

Musrunafm Corporatien

The executable biirq.exe, “Musrunafm Visatl Studie 2010”, has been detected as malware by 8 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Musrunafm Corporatien

Product:
Musrunafm® Visatl Studio® 2010

Description:
Musrunafm Visatl Studie 2010

Version:
1.7.43074.5121 built by: SP1Rel

MD5:
2b87f61359a5b1feda8bbdbe1a946ff1

SHA-1:
aea579ac4420b866d007524cdce50f1df357a6f1

SHA-256:
fb1a5efd634e440abaa3764edcecb8f5b1234a5360f0bf75c4159cc8297a9527

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
4/25/2024 9:24:26 AM UTC

Scan engine           Detection                           Engine version
Avira AntiVirus       TR/Crypt.ZPACK.Gen2                 7.11.174.250
AVG                   Trojan horse Zbot                   2015.0.3266
Bkav FE               HW32.Paked                          1.3.0.4959
Kaspersky             HEUR:Trojan.Win32.Generic           14.0.0.3185
Malwarebytes          Spyware.Zbot.MSXGen                 v2014.09.28.02
Qihoo 360 Security    HEUR/Malware.QVM20.Gen              1.0.0.1015
Rising Antivirus      PE:Malware.XPACK-LNR/Heur!1.5594    23.00.65.14926
Trend Micro           TROJ_FORUCON.BMC                    10.465.09

File size:
274.2 KB (280,751 bytes)

Product version:
1.7.43074.5121

Copyright:
© Musrunafm Corporatien. All rights reserved.

Original file name:
daminr.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\xaydodh\biirq.exe

File PE Metadata
Compilation timestamp:
4/16/2011 5:53:16 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:06CR0rb284SJrpQh7sPEEdn6UiBrwFFPDVcWw+1+4oYx769Sf:Bki9pQCPEEdnBUgRU+VoM7698

Entry address:
0x8990

Entry point:
55, 8B, EC, 81, EC, 34, 01, 00, 00, BA, D1, 9D, 00, 00, 89, 95, 48, FF, FF, FF, 53, 89, 55, FC, 56, 89, 95, 48, FF, FF, FF, 57, EB, 0D, BF, BA, 00, 00, 00, 03, F8, 89, BD, 18, FF, FF, FF, 8B, 4D, FC, 83, F1, 27, 89, 4D, FC, 68, 44, 00, 41, 00, E8, F4, 61, 00, 00, 83, E8, 3E, 3B, 85, 18, FF, FF, FF, 75, 3D, 2D, 00, 24, 19, 2D, 8B, 55, FC, F7, C2, 85, 00, 00, 00, 75, 2D, 83, E8, 11, 8B, 35, 44, 00, 41, 00, 89, BD, 48, FF, FF, FF, 89, 85, 48, FF, FF, FF, 89, 95, E4, FE, FF, FF, 89, 95, E4, FE, FF, FF, 89, BD...
 

Entropy:
7.8744

Developed / compiled with:
Microsoft Visual C++

Code size:
55.5 KB (56,832 bytes)

Scheduled Task
Task name:
Security Center Update - 3007856500

Trigger:
Daily (Runs daily at 2:00 AM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to utsapi-adcom-mtc.evip.aol.com  (64.12.68.22:80)

TCP (HTTP):
Connects to server-54-230-80-192.mia50.r.cloudfront.net  (54.230.80.192:80)

TCP (HTTP):
Connects to fivemin-cs-shared-mtc-c.evip.aol.com  (64.12.245.3:80)

TCP (HTTP):
Connects to fivemin-cs-shared-dtc-c.evip.aol.com  (205.188.41.3:80)

TCP (HTTP):
Connects to ec2-54-88-80-229.compute-1.amazonaws.com  (54.88.80.229:80)

TCP (HTTP):
Connects to ec2-54-85-67-255.compute-1.amazonaws.com  (54.85.67.255:80)

TCP (HTTP):
Connects to ec2-54-210-112-85.compute-1.amazonaws.com  (54.210.112.85:80)

TCP (HTTP):
Connects to ec2-54-186-187-105.us-west-2.compute.amazonaws.com  (54.186.187.105:80)

TCP (HTTP):
Connects to ec2-50-19-237-103.compute-1.amazonaws.com  (50.19.237.103:80)

TCP (HTTP):
Connects to ec2-23-23-200-174.compute-1.amazonaws.com  (23.23.200.174:80)

TCP (HTTP):
Connects to ec2-107-23-107-188.compute-1.amazonaws.com  (107.23.107.188:80)

TCP (HTTP):
Connects to a23-78-223-195.deploy.static.akamaitechnologies.com  (23.78.223.195:80)

TCP (HTTP):
Connects to a23-78-222-120.deploy.static.akamaitechnologies.com  (23.78.222.120:80)

TCP (HTTP):
Connects to a23-56-228-174.deploy.static.akamaitechnologies.com  (23.56.228.174:80)
