elroulq.exe

Anurisel Corporatu

The executable elroulq.exe, whose version resource describes it as “Anurisel Visatl Studie 2020” from “Anurisel Corporatu” (a string resembling a misspelled Microsoft Visual Studio product name), has been detected as malware by 32 of 68 anti-virus scanners. It persists as a scheduled task under the Windows Task Scheduler, triggered daily at a fixed time, and runs from the user's roaming AppData profile rather than from a program directory. According to the detections, it is a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from a compromised computer and sends it to its operators through a command-and-control server. Several engines name the Zbot family directly (Kaspersky, Comodo, NANO, Total Defense, and Dr.Web under its Trojan.PWS.Panda name for the same family); most of the others report a generic or packer-based signature (Kryptik, Crypt.ZPACK, Packed, Cryptor), which is consistent with the file's entropy of 7.9170 and indicates that the sample is packed. The original file name recorded in the resource, bicosh.exe, does not match the name the file uses on disk.
Publisher:
Anurisel Corporatu

Description:
Anurisel Visatl Studie 2020

Version:
4.49.13360.14944

MD5:
734e7b48195a1405b5116bb5b3376e7d

SHA-1:
a5a678a7757d16862307c9d489acb88cda759e10

SHA-256:
61b467868bd5cf3f5e6176747ba722514d5eac61269a784202ed3b0a25f7f944

Scanner detections:
32 / 68

Status:
Malware

Analysis date:
4/23/2024 10:52:12 PM UTC

Scan engine                    Detection                           Engine version
Lavasoft Ad-Aware              Trojan.Generic.12220218             6086863
Agnitum Outpost                Trojan.Kryptik                      7.1.1
AhnLab V3 Security             Trojan/Win32.Necurs                 2014.12.05
Avira AntiVirus                TR/Crypt.ZPACK.Gen                  7.11.30.172
avast!                         Win32:Dropper-gen [Drp]             141130-1
AVG                            Win32/Cryptor                       2014.0.4189
Bitdefender                    Trojan.Generic.12220218             1.0.20.1690
Bkav FE                        HW32.Packed                         1.3.0.6267
Comodo Security                TrojWare.Win32.Spy.Zbot.CQP         20282
Dr.Web                         Trojan.PWS.Panda.7719               9.0.1.05190
Emsisoft Anti-Malware          Trojan.Generic.12220218             9.0.0.4668
ESET NOD32                     Win32/Kryptik.CRQR trojan           7.0.302.0
Fortinet FortiGate             W32/Kryptik.CRBX!tr                 12/4/2014
F-Secure                       Trojan.Generic.12220218             11.2014-04-12_5
G Data                         Trojan.Generic.12220218             14.12.24
K7 AntiVirus                   Trojan                              13.186.14239
Kaspersky                      Trojan-Spy.Win32.Zbot               15.0.0.543
Malwarebytes                   Trojan.Zemot                        v2014.12.04.03
McAfee                         MysticCompressor!734E7B48195A       5600.6926
Microsoft Security Essentials  Threat.Undefined                    1.189.1359.0
MicroWorld eScan               Trojan.Generic.12220218             15.0.0.1014
NANO AntiVirus                 Trojan.Win32.Zbot.djnxek            0.28.6.63850
Norman                         Trojan.Generic.12220218             03.12.2014 19:18:07
nProtect                       Trojan.Generic.12220218             14.12.03.01
Panda Antivirus                Trj/Genetic.gen                     14.12.04.03
Qihoo 360 Security             Malware.QVM20.Gen                   1.0.0.1015
Quick Heal                     FraudTool.Security                  12.14.14.00
Reason Heuristics              Threat.Win.Reputation.IMP           14.12.11.0
Rising Antivirus               PE:Malware.XPACK-HIE/Heur!1.9C48    23.00.65.141202
Total Defense                  Win32/Zbot.XOFKMN                   37.0.11314
Vba32 AntiVirus                Heur.Trojan.Hlux                    3.12.26.3
VIPRE Antivirus                Threat.4150696                      35418

File size:
274.6 KB (281,227 bytes)

Product version:
4.49.13360.14944

Original file name:
bicosh.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\waavuho\elroulq.exe

File PE Metadata
Compilation timestamp:
11/23/2010 1:22:25 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
0.2

CTPH (ssdeep):
6144:hyLS5fNRHtD0Agq4KqAQc9lSC8QNQAaUBDqW/3ACQhjTy3:fwA/FCcPwQ24QhY

Entry address:
0x15400

Entry point:
55, 8B, EC, 81, EC, F4, 00, 00, 00, 8B, 0D, C4, 71, 42, 00, 89, 4D, 8C, 53, 8B, 1D, 1C, 72, 42, 00, 23, D9, 89, 5D, 8C, 56, BB, 7C, D2, 00, 00, 89, 4D, 8C, 89, 9D, 34, FF, FF, FF, 57, 89, 5D, 84, 83, C1, 66, 8B, 55, 84, 89, 4D, 8C, 83, FA, F7, 74, 58, 83, CA, 8F, BB, 29, 00, 00, 00, F7, C2, DA, 0E, 00, 00, 75, 48, 83, EA, E5, B9, 1A, 00, 00, 00, 89, 8D, 74, FF, FF, FF, 89, 5D, 8C, F7, C2, 9F, 00, 00, 00, 75, 2F, 83, C2, B7, BB, 20, EA, 00, 00, 3B, 15, 40, 72, 42, 00, 74, 1F, 89, 95, 30, FF, FF, FF, 33, D9...
 

Entropy:
7.9170

Developed / compiled with:
Microsoft Visual C++

Code size:
141.5 KB (144,896 bytes)
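An entropy of 7.9170 out of a possible 8.0 over the whole file is what a packed or encrypted payload looks like, and it agrees with the packer-oriented names several engines above report (Kryptik, Crypt.ZPACK, HW32.Packed, Cryptor, MysticCompressor). The Python below is an added triage helper, not code from this page or from Reason Core Security: it computes the same Shannon entropy for a file on disk, hashes it, and compares the result with the indicators listed above. The packing threshold of 7.0 is an assumption, a common rule of thumb rather than a value taken from the report.

```python
import hashlib
import math
from collections import Counter

# Indicators copied from the report above.
KNOWN_HASHES = {
    "md5": "734e7b48195a1405b5116bb5b3376e7d",
    "sha1": "a5a678a7757d16862307c9d489acb88cda759e10",
    "sha256": "61b467868bd5cf3f5e6176747ba722514d5eac61269a784202ed3b0a25f7f944",
}
KNOWN_SIZE = 281_227  # bytes

# Assumption: entropy at or above this is treated as "probably packed or encrypted".
# Plain compiled x86 code and resources usually sit well below it.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the buffer, keyed the same way as KNOWN_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    """Hash the buffer, score its entropy and check it against the report's indicators."""
    digests = file_hashes(data)
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "size_matches_report": len(data) == KNOWN_SIZE,
        "entropy": round(entropy, 4),
        "likely_packed": entropy >= PACKED_THRESHOLD,
        # One matching digest is conclusive; all three are checked so that a partial
        # record (an EDR alert that only carries an MD5, say) can still be compared.
        "hash_matches_report": any(digests[k] == v for k, v in KNOWN_HASHES.items()),
        **digests,
    }


def triage_path(path: str) -> dict:
    """Read a file from disk and run triage() on its contents."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:
        result = triage_path(path)
        verdict = "KNOWN SAMPLE" if result["hash_matches_report"] else "unknown"
        packed = "packed?" if result["likely_packed"] else "plain"
        print(f"{path}: {verdict}, sha256 {result['sha256']}, entropy {result['entropy']} ({packed})")
```

Run it as `python triage.py <file>`. A high entropy on its own only says the bytes are dense; it is the combination with a bogus version resource, an AppData path and a hash match that makes the verdict.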

Scheduled Task
Task name:
Security Center Update - 2881170806

Trigger:
Daily (Runs daily at 4:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin
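The persistence is an ordinary Task Scheduler entry dressed up as a Windows maintenance task: a top-level task name with a numeric suffix, a description borrowed from Microsoft wording, and an action that points into the user's roaming AppData profile, a location no real Security Center component runs from. The Python below is an added hunting helper, not part of the original page, that parses the verbose CSV export of `schtasks /query /v /fo CSV` and flags tasks whose action runs from a user-writable directory, or whose description claims to be a Windows component while the binary lives outside the Windows directory. The CSV sample embedded in the block is constructed for the example and trimmed to the columns the checks use (TaskName, Task To Run, Comment, Run As User, Schedule Type, Start Time); its first data row is modelled on the task described above.

```python
import csv
import io
import re
import sys

# User-writable locations a legitimate Windows maintenance task does not run from.
USER_WRITABLE = re.compile(
    r"\\appdata\\(roaming|local)\\|\\users\\public\\|\\temp\\|%appdata%|%localappdata%|%temp%",
    re.IGNORECASE,
)
# Wording that claims to be a Windows component; the report's task borrows "Security Center".
WINDOWS_CLAIM = re.compile(r"security center|windows update|windows defender", re.IGNORECASE)
# Actions that genuinely start inside the Windows directory (optionally quoted).
WINDOWS_DIR = re.compile(r'^"?(%windir%|%systemroot%|[a-z]:\\windows\\)', re.IGNORECASE)

# Constructed sample of `schtasks /query /v /fo CSV` output, trimmed to the columns used here.
# The first data row is modelled on the task in the report; the repeated header row mimics
# schtasks, which emits the header again in front of every task folder.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Comment","Run As User","Schedule Type","Start Time"
"WS01","\Security Center Update - 2881170806","WS01\alice","C:\users\alice\appdata\roaming\waavuho\elroulq.exe","Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date","alice","Daily","4:00:00 PM"
"HostName","TaskName","Author","Task To Run","Comment","Run As User","Schedule Type","Start Time"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","This task optimizes local storage drives.","SYSTEM","Weekly","1:00:00 AM"
'''


def parse_schtasks_csv(text: str) -> list:
    """Parse verbose schtasks CSV, dropping the header rows schtasks repeats per task folder."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row.get("TaskName") != "TaskName"]


def find_suspicious_tasks(text: str) -> list:
    """Return one finding per task that looks like user-level persistence."""
    findings = []
    for task in parse_schtasks_csv(text):
        action = task.get("Task To Run") or ""
        comment = task.get("Comment") or ""
        reasons = []
        if USER_WRITABLE.search(action):
            reasons.append("action runs from a user-writable directory")
        if WINDOWS_CLAIM.search(comment) and not WINDOWS_DIR.search(action):
            reasons.append("description claims a Windows component but the binary is outside the Windows directory")
        if reasons:
            findings.append({
                "task": task.get("TaskName", ""),
                "action": action,
                "user": task.get("Run As User", ""),
                "schedule": f"{task.get('Schedule Type', '')} {task.get('Start Time', '')}".strip(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Usage: schtasks /query /v /fo CSV > tasks.csv   then   python hunt_tasks.py tasks.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SCHTASKS_CSV
    for f in find_suspicious_tasks(text):
        print(f"{f['task']} -> {f['action']} ({f['schedule']}, runs as {f['user']})")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Treat the output as triage leads rather than verdicts: some legitimate per-user updaters also install tasks under AppData, so confirm each hit by checking the binary's signature and comparing its hash with the indicators above before removing the task.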


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to splinter.datablocks.net  (199.212.255.140:80)

TCP (HTTP):
Connects to mallet9.wikipolo.com  (46.244.10.228:80)

TCP (HTTP):
Connects to evo-ad4.isprime.com  (68.169.70.172:80)

TCP (HTTP):
Connects to ec2-54-208-99-166.compute-1.amazonaws.com  (54.208.99.166:80)

TCP (HTTP):
Connects to ec2-107-22-227-171.compute-1.amazonaws.com  (107.22.227.171:80)

TCP (HTTP):
Connects to a184-84-243-48.deploy.static.akamaitechnologies.com  (184.84.243.48:80)

TCP (HTTP):
Connects to a184-84-243-218.deploy.static.akamaitechnologies.com  (184.84.243.218:80)

TCP (HTTP):
Connects to a184-84-243-210.deploy.static.akamaitechnologies.com  (184.84.243.210:80)

TCP (HTTP):
Connects to a184-84-243-207.deploy.static.akamaitechnologies.com  (184.84.243.207:80)
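Not every host in that list is a usable indicator. splinter.datablocks.net, mallet9.wikipolo.com and evo-ad4.isprime.com are ordinary hostnames, each tied to one address in the report, and are specific enough to alert on. The ec2-*.compute-1.amazonaws.com and *.deploy.static.akamaitechnologies.com names are reverse-DNS labels for shared cloud and CDN address space that a great deal of legitimate traffic also lands on, so an alert on them alone produces false positives. The Python below is an added example, not from the page, that loads the report's endpoints with that distinction, scans constructed Sysmon-style network events (event ID 3 fields flattened to key=value pairs, with "-" where Sysmon has no hostname), and reports each hit with a confidence level and the originating process, so that low-confidence hits count as evidence only when the same process also reached a high-confidence endpoint.

```python
import re
from collections import defaultdict

# Endpoints from the report. Names that are reverse-DNS labels of shared cloud/CDN
# address space are low confidence: plenty of legitimate traffic goes there too.
SHARED_INFRA = re.compile(
    r"(\.compute-1\.amazonaws\.com|\.deploy\.static\.akamaitechnologies\.com)$", re.IGNORECASE
)
REPORT_ENDPOINTS = {
    "splinter.datablocks.net": "199.212.255.140",
    "mallet9.wikipolo.com": "46.244.10.228",
    "evo-ad4.isprime.com": "68.169.70.172",
    "ec2-54-208-99-166.compute-1.amazonaws.com": "54.208.99.166",
    "ec2-107-22-227-171.compute-1.amazonaws.com": "107.22.227.171",
    "a184-84-243-48.deploy.static.akamaitechnologies.com": "184.84.243.48",
    "a184-84-243-218.deploy.static.akamaitechnologies.com": "184.84.243.218",
    "a184-84-243-210.deploy.static.akamaitechnologies.com": "184.84.243.210",
    "a184-84-243-207.deploy.static.akamaitechnologies.com": "184.84.243.207",
}
IOC_BY_HOST = {host: ("low" if SHARED_INFRA.search(host) else "high") for host in REPORT_ENDPOINTS}
IOC_BY_IP = {ip: IOC_BY_HOST[host] for host, ip in REPORT_ENDPOINTS.items()}

# Constructed sample events (Sysmon event ID 3 fields, flattened). Not real telemetry.
SAMPLE_EVENTS = [
    r"UtcTime=2024-04-23 16:00:07.412 Image=C:\users\alice\appdata\roaming\waavuho\elroulq.exe DestinationIp=199.212.255.140 DestinationHostname=splinter.datablocks.net DestinationPort=80",
    r"UtcTime=2024-04-23 16:00:09.101 Image=C:\users\alice\appdata\roaming\waavuho\elroulq.exe DestinationIp=184.84.243.48 DestinationHostname=a184-84-243-48.deploy.static.akamaitechnologies.com DestinationPort=80",
    r"UtcTime=2024-04-23 16:03:44.377 Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestinationIp=184.84.243.210 DestinationHostname=a184-84-243-210.deploy.static.akamaitechnologies.com DestinationPort=80",
    r"UtcTime=2024-04-23 16:03:45.020 Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestinationIp=93.184.216.34 DestinationHostname=www.example.com DestinationPort=443",
    r"UtcTime=2024-04-23 16:00:12.655 Image=C:\users\alice\appdata\roaming\waavuho\elroulq.exe DestinationIp=54.208.99.166 DestinationHostname=ec2-54-208-99-166.compute-1.amazonaws.com DestinationPort=80",
    r"UtcTime=2024-04-23 16:00:15.903 Image=C:\users\alice\appdata\roaming\waavuho\elroulq.exe DestinationIp=46.244.10.228 DestinationHostname=- DestinationPort=80",
]

# key=value pairs; the value runs until the next " key=" so paths with spaces survive.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened event into a field dictionary."""
    return dict(FIELD.findall(line))


def match_events(lines) -> list:
    """Return every event whose destination is in the report, by hostname or, failing that, by IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        host = ev.get("DestinationHostname", "").lower()
        ip = ev.get("DestinationIp", "")
        confidence = IOC_BY_HOST.get(host) or IOC_BY_IP.get(ip)
        if confidence:
            hits.append({"line": n, "image": ev.get("Image", ""), "host": host, "ip": ip, "confidence": confidence})
    return hits


def processes_to_escalate(hits) -> dict:
    """Group hits by process image; keep only images with at least one high-confidence hit.
    Their low-confidence hits are then supporting evidence rather than noise."""
    by_image = defaultdict(list)
    for hit in hits:
        by_image[hit["image"]].append(hit)
    return {img: hs for img, hs in by_image.items() if any(h["confidence"] == "high" for h in hs)}


if __name__ == "__main__":
    for image, hs in processes_to_escalate(match_events(SAMPLE_EVENTS)).items():
        print(image)
        for h in hs:
            print(f"    line {h['line']}: {h['host'] or h['ip']} [{h['confidence']}]")
```

In the sample, chrome.exe also touches one of the Akamai addresses and is correctly left alone; elroulq.exe is escalated because of the datablocks.net and wikipolo.com contacts, and its Akamai and EC2 connections are then reported alongside them.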

Powered by Reason Core Security