chk.exe

KRS Forming Rebuilding Sooftware

AlmicoSoftware

The executable chk.exe, whose own version information describes it as “KRS Keeper Rebuilding Sooftware” (the misspelling is in the file's metadata), has been detected as malware by 7 of 68 anti-virus scanners. It persists by registering itself in the current user's Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name ‘AdobeChk’, so it is launched every time that user logs into Windows; a per-user Run entry can be written without administrative rights, which is why this location is a common choice for user-mode trojans. According to the detections, it is a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from the compromised computer and sends it to online criminals via a command-and-control server. Note that only AhnLab and Malwarebytes name the Zbot family explicitly; the remaining detections (Kryptik, Crypt3, Malware-gen, QVM) are generic packer/heuristic signatures, which is consistent with a packed or crypted build and means the hashes below identify this one sample rather than the family.
Publisher:
AlmicoSoftware

Product:
KRS Forming Rebuilding Sooftware

Description:
KRS Keeper Rebuilding Sooftware

Version:
1.0.4.0

MD5:
42e844df5f940c6e1975ff7ebf4ba26a

SHA-1:
62a4bd84f4a82ff0f733dc52332f18efeee66f43

SHA-256:
b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
4/26/2024 11:10:22 AM UTC

Scan engine          Detection                        Engine version
AhnLab V3 Security   Trojan/Win32.ZBot                2014.07.29
avast!               Win32:Malware-gen                140617-1
AVG                  Trojan horse Crypt3.AHDN         2014.0.3986
Baidu Antivirus      Trojan.Win32.Kryptik             4.0.3.14728
ESET NOD32           Win32/Kryptik.CHGA (variant)     8.10165
Malwarebytes         Spyware.Zbot.VXGen               v2014.07.28.01
Qihoo 360 Security   Malware.QVM10.Gen                1.0.0.1015

File size:
146.5 KB (150,016 bytes)

Product version:
1.0.4.0

Copyright:
Copyright (C) 2013 AlmicoSoftware

Original file name:
krskerebso

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\adobechk\chk.exe

File PE Metadata
Compilation timestamp:
12/5/2013 8:48:00 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:x8CFhjMvnM38dfoUlv+cKa0d4qjbwC2Dgj1uC/iybi1D2:x8wMvM38R5vUd4EwC9Ts52

Entry address:
0x6658

Entry point:
E8, 3F, 91, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 60, 95, 41, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 04, 92, 41, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 10, 43, 42, 00, 89, 0D, 0C, 43, 42, 00, 89, 15, 08, 43, 42, 00, 89, 1D, 04, 43, 42, 00, 89, 35, 00, 43, 42, 00, 89, 3D...

Code size:
94.5 KB (96,768 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AdobeChk

Command:
C:\users\{user}\appdata\roaming\adobechk\chk.exe
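The following PowerShell script is an added example, not part of the original page or of Reason Core Security's tooling. It checks a host for the three indicators listed above (the AdobeChk Run value, the dropped chk.exe under %APPDATA%\adobechk, and a running chk.exe from that path), compares the file's SHA-256 against the hash on this page, and, only when run with -Remediate, kills the process and removes the autorun entry and the file. The -Remediate switch and the findings format are this example's own design; the registry key, value name, path and hash are taken from the page.

```powershell
# Added example (not from the original page): detect and optionally remove the
# AdobeChk / chk.exe persistence described above for the current user.
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

# Indicators as listed on the page.
$RunKey       = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName    = 'AdobeChk'
$ExpectedSha  = 'b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e'
$ExpectedPath = Join-Path $env:APPDATA 'adobechk\chk.exe'

$findings = @()

# 1. Persistence: does a Run value named AdobeChk exist, and what does it launch?
$runValue = (Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($runValue) {
    $findings += "Run value '$ValueName' present: $runValue"
    # Prefer the path the Run value actually points at over the expected one.
    if ($runValue -match '^"([^"]+)"') { $imagePath = $Matches[1] } else { $imagePath = $runValue.Trim() }
} else {
    $imagePath = $ExpectedPath
}

# 2. Dropped file: present, and does it match this exact sample?
#    A mismatch does not clear the file (packed builds differ per sample);
#    it only means this is not the specific binary documented above.
if (Test-Path -LiteralPath $imagePath) {
    $sha = (Get-FileHash -LiteralPath $imagePath -Algorithm SHA256).Hash.ToLower()
    $findings += "File present at $imagePath (SHA-256 $sha)"
    if ($sha -eq $ExpectedSha) {
        $findings += 'SHA-256 matches the sample on this page'
    } else {
        $findings += 'SHA-256 differs from the sample on this page; treat as suspicious, not clean'
    }
}

# 3. Running process: match on the full image path, not just the name chk.exe,
#    since legitimate software may use the same file name elsewhere.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'chk.exe'" |
         Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $imagePath) }
foreach ($p in $procs) { $findings += "Running as PID $($p.ProcessId)" }

if (-not $findings) {
    'No AdobeChk / chk.exe indicators found for the current user.'
    return
}
$findings | ForEach-Object { "[!] $_" }

if ($Remediate) {
    # Kill first so the file handle is released, then remove the autorun, then the file.
    foreach ($p in $procs) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
    if ($runValue) { Remove-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue }
    if (Test-Path -LiteralPath $imagePath) { Remove-Item -LiteralPath $imagePath -Force -ErrorAction SilentlyContinue }
    'Remediation attempted; re-run without -Remediate to confirm.'
}
```

Because the persistence lives under HKCU, the script must run in the session of the affected user (or be adapted to walk the loaded hives under HKEY_USERS) to see the entry. Removing the autorun and the file stops this sample from restarting, but it does not undo what a Zbot variant does while running: any credentials entered on the machine since the compilation/infection window should be treated as compromised and rotated.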


Remove chk.exe - Powered by Reason Core Security