» ekogb.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

ekogb.exe

Holodedr incumbit dewani's pseudost

Webroot Software, Inc.

The executable ekogb.exe, “Poeticul baetylus rudes avenin nonsexua” has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Qifad’. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.

File name:

ekogb.exe

Publisher:

Symantec Corporation (signed by Webroot Software, Inc.)

Product:

Holodedr incumbit dewani's pseudost

Description:

Poeticul baetylus rudes avenin nonsexua

Version:

1.00.0008

MD5:

37495aa2cf855c45b024e2ab74f42d49

SHA-1:

22662b93bcb6267578f620d5c167cd8f385534ef

SHA-256:

04e76e1e712ec3e8bf96566d59c662f7c23a47a5fa388ac119174c43ce81d2a3

Scanner detections:

3 / 68

Status:

Malware

Analysis date:

4/26/2024 4:40:17 AM UTC (today)

Scan engine

Detection

Engine version

Dr.Web

Trojan.PWS.Panda.2401

9.0.1.05190

ESET NOD32

Win32/Injector.AONF trojan

6.3.12010.0

Kaspersky

Trojan-Spy.Win32.Zbot

15.0.2.529

File size:

297.9 KB (305,057 bytes)

Product version:

1.00.0008

Original file name:

Flurring.exe

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\teim\ekogb.exe

Digital Signature

Signed by:

Webroot Software, Inc.

Authority:

VeriSign, Inc.

Valid from:

12/8/2009 9:00:00 AM

Valid to:

1/21/2012 8:59:59 AM

Subject:

CN="Webroot Software, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Webroot Software, Inc.", L=Boulder, S=Colorado, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

769328F4A1AE00A21E71A04099615F01

File PE Metadata

Compilation timestamp:

10/4/2013 9:50:49 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

Entry address:

0xFADA0

Entry point:

60, BE, 00, 40, 4B, 00, 8D, BE, 00, D0, F4, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 19, 8B, 1E, 83, EE, FC, 11, DB, 72, 10, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 78, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11... 
[+]

Entropy:

7.8268

Packer / compiler:

UPX 2.90LZMA

Code size:

284 KB (290,816 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Qifad

Command:

C:\users\{user}\appdata\roaming\teim\ekogb.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to redirect.domcollect.com (91.195.241.121:80)

Remove ekogb.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.