eseme.exe

The executable eseme.exe has been detected as malware by 19 of 68 anti-virus scanners. It persists as a scheduled task in the Windows Task Scheduler, triggered daily at a fixed time. According to the detections it is a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from the compromised computer and sends it to its operators through a command-and-control server. Most of the named verdicts below agree on Zbot; the remainder are generic or heuristic verdicts (packed file, reputation), and one engine files it under Necurs, a family that has been distributed alongside Zeus.
MD5:
c4a321eb8f93dcdb9e91f222351d8c0b

SHA-1:
a0edc6c41d6e7ffd4cc5f6492f56dd11f09b0f99

SHA-256:
df5aef03cf7874c0e5abfdc75fde1ebd60367ff3300a87dd5aad50c45caa6f7b

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
4/25/2024 4:24:05 PM UTC (date the page was regenerated; the engine versions listed below date from late 2014, when the scan was actually run)

Scan engine                       Detection                     Engine version
Lavasoft Ad-Aware                 Trojan.Spy.Zbot.FOF           823
AegisLab AV Signature             Troj.W32.Gen                  2.1.4+
AhnLab V3 Security                Trojan/Win32.Necurs           2014.11.04
avast!                            Win32:Malware-gen             141025-0
AVG                               SHeur4                        2015.0.3301
Bitdefender                       Trojan.Spy.Zbot.FOF           1.0.20.1535
Bkav FE                           HW32.Packed                   1.3.0.6185
Clam AntiVirus                    Win.Trojan.Zbot-37702         0.98/19586
Dr.Web                            Trojan.Siggen6.22973          9.0.1.05190
Emsisoft Anti-Malware             Trojan.Spy.Zbot.FOF           8.14.11.03.03
ESET NOD32                        Win32/Spy.Zbot.ABP            8.10664
F-Prot                            W32/Skintrim.1!Generic        4.6.5.141
F-Secure                          Trojan.Spy.Zbot.FOF           11.2014-08-11_7
G Data                            Trojan.Spy.Zbot.FOF           14.11.24
Kaspersky                         Trojan-Spy.Win32.Zbot         14.0.0.2976
Malwarebytes                      Spyware.Zbot.ED               v2014.11.03.03
Microsoft Security Essentials     PWS:Win32/Zbot                1.11104
Qihoo 360 Security                Malware.QVM07.Gen             1.0.0.1015
Reason Heuristics                 Threat.Win.Reputation.IMP     14.11.8.21

File size:
282 KB (288,731 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\bemeqoof\eseme.exe

File PE Metadata
Compilation timestamp:
6/8/1992 3:06:30 AM (implausible: it predates the Visual C++ 6.0 toolchain the file reports by six years, so the PE TimeDateStamp has been altered and cannot be used for dating)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:KsXeMUkYZkDX+ii/JvvD3b+e3tWnOahz7ms48BhvCg:pOzksk74Bv7rdOFM8Z

Entry address:
0x8BA2

Entry point:
55, 8B, EC, 6A, FF, 68, A0, AB, 40, 00, 68, 90, 8D, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 50, 90, 40, 00, 59, 83, 0D, 1C, F2, 5B, 00, FF, 83, 0D, 20, F2, 5B, 00, FF, FF, 15, 4C, 90, 40, 00, 8B, 0D, 18, F2, 5B, 00, 89, 08, FF, 15, 68, 90, 40, 00, 8B, 0D, 14, F2, 5B, 00, 89, 08, A1, 48, 90, 40, 00, 8B, 00, A3, 24, F2, 5B, 00, E8, 28, 01, 00, 00, 39, 1D, FC, C1, 40, 00, 75, 0C, 68, 36, 8D, 40, 00, FF, 15, 44, 90...

(This is the stock Visual C++ 6.0 CRT startup prologue: SEH frame setup via fs:[0], then sub esp,68h / push ebx,esi,edi. The entry bytes therefore say nothing about the packer or payload; they only confirm the linker identification.)

Entropy:
7.7234 (high for a 282 KB Win32 executable with only 32 KB of code; together with the Bkav "HW32.Packed" verdict this points to a packed or encrypted payload that the small CRT-built stub unpacks at run time)

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
32 KB (32,768 bytes)
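The header fields and entropy figure above are the first things an analyst checks on a sample like this. As an added example (not part of the Reason Core listing and not the sample's own code), the following Python reads those fields straight from the PE headers with the standard library, computes whole-file Shannon entropy, and flags the two anomalies visible in this listing: a compile timestamp that predates the linker said to have produced it, and high entropy with a small code section. The input is a constructed, header-only PE32 image that carries the listing's values (linker 6.0, 1992 timestamp, entry 0x8BA2, OS version 4.0, GUI subsystem); it is not loadable and is not eseme.exe. On a real file, call `triage(open(path, "rb").read())`.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Visual C++ 6.0 shipped in mid-1998, so a header that claims linker 6.0
# cannot honestly carry an earlier TimeDateStamp.
VC6_RELEASE = datetime(1998, 6, 1, tzinfo=timezone.utc)
IMAGE_SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data):
    """Read the COFF and optional-header fields used for triage from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    _, nsections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32 and PE32+
    return {
        "bitness": {0x10B: "Win32", 0x20B: "Win64"}.get(magic, hex(magic)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "linker": (linker_major, linker_minor),
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "os_version": (os_major, os_minor),
        "subsystem": IMAGE_SUBSYSTEM.get(subsystem, str(subsystem)),
    }


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; packed or encrypted content usually sits above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data):
    """Return (header dict, entropy, list of findings) for a PE image held in memory."""
    hdr = parse_pe_header(data)
    entropy = shannon_entropy(data)
    findings = []
    if hdr["linker"] >= (6, 0) and hdr["timestamp"] < VC6_RELEASE:
        findings.append("TimeDateStamp predates the linker version that claims to have built it")
    if entropy > 7.0:
        findings.append(f"whole-file entropy {entropy:.2f} suggests packed or encrypted content")
    if hdr["size_of_code"] * 4 < len(data):
        findings.append("code is under a quarter of the file; the bulk of the image is data")
    return hdr, entropy, findings


def build_synthetic_image():
    """Constructed test input (not the page's sample): a header-only PE32 with the
    listing's metadata values, a repetitive code stub and a high-entropy blob."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 4 + 20 + 224)   # DOS header, PE sig, COFF header, PE32 optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    ts = int(datetime(1992, 6, 8, 3, 6, 30, tzinfo=timezone.utc).timestamp())
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 4, ts, 0, 0, 224, 0x102)  # i386, 4 sections, EXE
    opt = coff + 20
    struct.pack_into("<HBBI", hdr, opt, 0x10B, 6, 0, 0x800)   # PE32, linker 6.0, 2 KB of code
    struct.pack_into("<I", hdr, opt + 16, 0x8BA2)             # AddressOfEntryPoint
    struct.pack_into("<HH", hdr, opt + 40, 4, 0)              # OS version 4.0
    struct.pack_into("<H", hdr, opt + 68, 2)                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    code = b"\x55\x8b\xec\x90" * 512                           # push ebp / mov ebp,esp / nop: low entropy
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))
    return bytes(hdr) + code + blob


if __name__ == "__main__":
    hdr, ent, findings = triage(build_synthetic_image())
    print(f"{hdr['bitness']} {hdr['subsystem']} linker {hdr['linker']} "
          f"compiled {hdr['timestamp']:%Y-%m-%d %H:%M:%S} entry 0x{hdr['entry_rva']:X}")
    print(f"entropy {ent:.4f}")
    for f in findings:
        print(" -", f)
```

The entropy threshold and the code-to-file ratio are heuristics, not verdicts: a legitimately compressed installer trips both. What makes this sample stand out is the combination with a forged timestamp and a persistence mechanism under a user-writable path.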

Scheduled Task
Task name:
Security Center Update - 3208473233

Trigger:
Daily (Runs daily at 3:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin
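The persistence above is a scheduled task with a trustworthy-sounding name whose action runs from %APPDATA%\Roaming. As an added example (not part of the Reason Core listing), the following Python triages Task Scheduler XML definitions for exactly that pattern. Windows stores each task's XML under C:\Windows\System32\Tasks and prints it with `schtasks /Query /XML`; the two task definitions embedded here are constructed to mirror the listing and a benign vendor updater, and the numeric-suffix and "security"-wording checks are heuristics of this example, not part of any vendor signature.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler 2.0 task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# User-writable locations a real "Security Center" updater would not run from.
USER_WRITABLE = re.compile(
    r"\\appdata\\(roaming|local)\\|\\temp\\|%appdata%|%localappdata%|%temp%|%tmp%",
    re.IGNORECASE,
)
# Where a product's own updater normally lives.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")
# "<words> - <long number>" names (the listing's task has a ten-digit suffix); a weak
# signal, so it is only reported when a path finding already exists.
NUMERIC_SUFFIX = re.compile(r"\s-\s\d{6,}$")
SECURITY_WORDS = re.compile(r"security|antivirus|defender|update", re.IGNORECASE)


def parse_task(xml_text):
    """Extract description, start boundary and Exec actions from task XML."""
    root = ET.fromstring(xml_text)
    desc = root.findtext(".//t:RegistrationInfo/t:Description", default="", namespaces=NS)
    start = root.findtext(".//t:Triggers/t:CalendarTrigger/t:StartBoundary", default="", namespaces=NS)
    actions = [
        (ex.findtext("t:Command", default="", namespaces=NS),
         ex.findtext("t:Arguments", default="", namespaces=NS))
        for ex in root.findall(".//t:Actions/t:Exec", NS)
    ]
    return {"description": desc, "start": start, "actions": actions}


def triage_task(name, xml_text):
    """Return human-readable findings for one task; an empty list means nothing flagged."""
    info = parse_task(xml_text)
    findings = []
    claims_security = SECURITY_WORDS.search(name + " " + info["description"])
    for cmd, _args in info["actions"]:
        lowered = cmd.strip('"').lower()
        if USER_WRITABLE.search(lowered):
            findings.append(f"action runs from a user-writable path: {cmd}")
        if claims_security and not lowered.startswith(TRUSTED_ROOTS):
            findings.append(f"task presents itself as a security updater but runs {cmd} "
                            "outside Program Files / Windows")
    if findings and NUMERIC_SUFFIX.search(name):
        findings.append("task name ends in a long numeric suffix (generated name)")
    return findings


def scan_tasks(tasks):
    """tasks: iterable of (task name, xml text). Returns {name: findings} for flagged tasks only."""
    flagged = {}
    for name, xml_text in tasks:
        findings = triage_task(name, xml_text)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed task definitions (XML declaration omitted; on disk they are UTF-16).
SAMPLE_SUSPICIOUS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Keeps your Security Center software up to date.</Description></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2014-11-04T15:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Roaming\bemeqoof\eseme.exe</Command></Exec></Actions>
</Task>"""

SAMPLE_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Checks for product updates.</Description></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2014-11-04T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""

SAMPLE_TASKS = [("Security Center Update - 3208473233", SAMPLE_SUSPICIOUS),
                ("Vendor Update", SAMPLE_BENIGN)]

if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(name)
        for f in findings:
            print(" -", f)
```

To run it against a live host, walk C:\Windows\System32\Tasks (or the output of `schtasks /Query /XML`), read each file with `encoding="utf-16"`, and pass (relative path, contents) pairs to `scan_tasks`. The path test is the one that matters; the wording and suffix checks only rank the hits.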


The executing file has been seen to make the following network connections in live environments. Note that every host listed resolves into Google (1e100.net), Akamai (akamaitechnologies.com) or AOL (evip.aol.com) infrastructure, or an advertising-platform domain (xplusone.com): shared services that legitimate software also reaches, so none of these addresses is a command-and-control indicator on its own and blocking them would break ordinary traffic. Treat them as sandbox observations, not as IoCs.

TCP (HTTP):
Connects to utsapi-adcom-mtc.evip.aol.com  (64.12.68.22:80)

TCP (HTTP):
Connects to qc-in-f95.1e100.net  (173.194.76.95:80)

TCP (HTTP):
Connects to qc-in-f154.1e100.net  (173.194.76.154:80)

TCP (HTTP):
Connects to m-nb.xplusone.com  (199.38.164.155:80)

TCP (HTTP SSL):
Connects to iad23s06-in-f3.1e100.net  (74.125.228.35:443)

TCP (HTTP):
Connects to iad23s05-in-f28.1e100.net  (74.125.228.28:80)

TCP (HTTP):
Connects to iad23s05-in-f27.1e100.net  (74.125.228.27:80)

TCP (HTTP):
Connects to iad23s05-in-f26.1e100.net  (74.125.228.26:80)

TCP (HTTP):
Connects to iad23s05-in-f1.1e100.net  (74.125.228.1:80)

TCP (HTTP SSL):
Connects to iad23s05-in-f0.1e100.net  (74.125.228.0:443)

TCP (HTTP):
Connects to a23-66-230-163.deploy.static.akamaitechnologies.com  (23.66.230.163:80)

TCP (HTTP):
Connects to a23-66-230-162.deploy.static.akamaitechnologies.com  (23.66.230.162:80)

TCP (HTTP):
Connects to a23-66-230-129.deploy.static.akamaitechnologies.com  (23.66.230.129:80)

TCP (HTTP):
Connects to a23-66-230-128.deploy.static.akamaitechnologies.com  (23.66.230.128:80)

TCP (HTTP):
Connects to a23-66-230-107.deploy.static.akamaitechnologies.com  (23.66.230.107:80)

Powered by Reason Core Security