bosadgypujuz.exe

The executable bosadgypujuz.exe has been detected as malware by 43 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘bosadgypujuz’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address 184-106-119-164.static.cloud-ips.com on port 80 using the HTTP protocol.
MD5:
72527e877ed56465123a17f0310e1608

SHA-1:
f07e437e5fbc6bd271f352f1a5c7ab568257d1a0

SHA-256:
10cb9657d65b1ee59d7d5fcac48d81fde97ada7c6f78eacf1914cba7834de9e6

Scanner detections:
43 / 68

Status:
Malware

Analysis date:
8/15/2018 5:13:50 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Encpk.Gen.4 | 264
Agnitum Outpost | Trojan.Inject | 7.1.1
AhnLab V3 Security | Trojan/Win32.Zbot | 2015.09.24
Avira AntiVirus | TR/Injector.2576884 | 8.3.2.2
Antiy Labs AVL | Trojan[Backdoor]/Win32.Androm | 1.0.0.1
Arcabit | Trojan.Encpk.Gen.4 | 1.0.0.567
avast! | Win32:Injector-BID [Trj] | 2014.9-160515
AVG | Generic34 | 2017.0.2742
Baidu Antivirus | Trojan.Win32.Inject | 4.0.3.16515
Bitdefender | Trojan.Encpk.Gen.4 | 1.0.20.680
Bkav FE | W32.DocuritV.Trojan | 1.3.0.7237
Comodo Security | TrojWare.Win32.Monder.GEN | 23286
Dr.Web | Trojan.MulDrop4.57162 | 9.0.1.0136
Emsisoft Anti-Malware | Trojan.Encpk.Gen | 8.16.05.15.01
ESET NOD32 | Win32/Injector.AKNU | 10.12296
Fortinet FortiGate | W32/Kryptik.ADF!tr | 5/15/2016
F-Secure | Trojan.Encpk.Gen.4 | 11.2016-15-05_1
G Data | Trojan.Encpk.Gen | 16.5.25
IKARUS anti.virus | Trojan.Inject | t3scan.1.9.5.0
Jiangmin | Trojan/Inject.bajq | KV160515
K7 AntiVirus | Trojan | 13.210.17303
K7 Gateway Antivirus | Trojan | 13.210.17303
Kaspersky | Trojan.Win32.Inject | 14.0.0.207
Kingsoft AntiVirus | Win32.Heur.KVMF58.hy.(kcloud) | 331020.49267
Malwarebytes | Trojan.Inject | v2016.05.15.01
McAfee | Generic-FANR!72527E877ED5 | 5600.6398
McAfee Web Gateway | Generic-FANR!72527E877ED5 | 7.6398
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail | 1.1.12101.0
NANO AntiVirus | Trojan.Win32.Bulknet.cseoyd | 0.30.24.3283
nProtect | Trojan.Encpk.Gen.4 | 15.09.23.01
Panda Antivirus | Trj/CI.A | 16.05.15.01
Qihoo 360 Security | Win32/Trojan.2b2 | 1.0.0.1015
Quick Heal | TrojanPWS.Tepfer.014011 | 5.16.14.00
Rising Antivirus | PE:Malware.Generic/QRS!1.9E2D[F1] | 23.00.65.16513
Sophos | Troj/Agent-ADBJ | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Dropper | 9142
The Hacker | Posible_Worm32 | 6.8.0.5.677
Trend Micro House Call | TROJ_SPNR.14HA13 | 7.2.136
Trend Micro | TROJ_SPNR.14HA13 | 10.465.15
Vba32 AntiVirus | Trojan.Inject | 3.12.26.4
VIPRE Antivirus | TrojanPWS.Win32.Fareit.aa | 43988
ViRobot | Trojan.Win32.Zbot.61563[h] | 2014.3.20.0
Zillya! Antivirus | Trojan.Inject.Win32.61180 | 2.0.0.2409

File size:
60.1 KB (61,563 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\m.gerardson\bosadgypujuz.exe

File PE Metadata
Compilation timestamp:
8/5/2013 4:09:33 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.50

CTPH (ssdeep):
1536:DfSynouy86rqM1L+LtHXE3R6eJbcPRQdonc3yThcd20iuJNojgeQ0:DfSqout6rfqLt03oMcJQdoc3yThcdPr0

Entry address:
0x8870

Entry point:
60, BE, 15, 70, 40, 00, 8D, BE, EB, 9F, FF, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, A6, 62, 00, 00, 57, 83, C3, 04, 53, 68, 56, 18, 00, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Entropy:
7.9066 (probably packed)

Code size:
12 KB (12,288 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
bosadgypujuz

Command:
C:\users\m.gerardson\bosadgypujuz.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cluster005.ovh.net  (213.186.33.16:80)

TCP (HTTP):
Connects to cluster003.ovh.net  (213.186.33.4:80)

TCP (HTTP):
Connects to www11.aname.net  (89.221.250.11:80)

TCP (HTTP):
Connects to vultur.fullspace.ru  (185.72.144.129:80)

TCP (HTTP):
Connects to uvps48210.mycweb.net  (209.222.48.210:80)

TCP (HTTP):
Connects to url.hover.com  (64.98.145.30:80)

TCP (HTTP):
Connects to sv942.xserver.jp  (157.112.152.43:80)

TCP (HTTP):
Connects to server33.extremeserv.net  (180.147.250.18:80)

TCP (HTTP):
Connects to redireccion.configbox.com  (80.93.92.146:80)

TCP (HTTP):
Connects to ns339617.ip-176-31-248.eu  (176.31.248.197:80)

TCP (HTTP):
Connects to li963-234.members.linode.com  (45.33.9.234:80)

TCP (HTTP):
Connects to just61.justhost.com  (173.254.28.61:80)

TCP (HTTP):
Connects to ip-23-229-128-225.ip.secureserver.net  (23.229.128.225:80)

TCP (HTTP SSL):
Connects to full-cdn-01.cluster006.ovh.net  (213.186.33.97:443)

TCP (HTTP):
Connects to d6.84.adb8.ip4.static.sl-reverse.com  (184.173.132.214:80)

TCP (HTTP):
Connects to custip-1101.sedoparking.com  (91.195.240.101:80)

TCP (HTTP):
Connects to cp5.domains.co.za  (169.239.218.15:80)

TCP (HTTP):
Connects to clienteservidor.es  (217.160.230.171:80)

TCP (HTTP):
Connects to c2s4-3m-mel.hosting-services.net.au  (223.130.24.220:80)

TCP (HTTP):
Connects to box801.bluehost.com  (66.147.244.101:80)

Remove bosadgypujuz.exe - Powered by Reason Core Security