home

laesa.exe

Meskisift Visaal Studio 2010

Meskisift Corporatien

The executable laesa.exe, “Meskisift Visaal Studie 2010” has been detected as malware by 7 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address www.dailymotion.com on port 80 using the HTTP protocol.
Publisher:
Meskisift Corporatien

Product:
Meskisift® Visaal Studio® 2010

Description:
Meskisift Visaal Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
152b97dd6dd943547236547b9ab21dea

SHA-1:
34eb77fa59df026c9cdaa748c3088be8b574d787

SHA-256:
166d453edb0a419f24ee6ad94da1243f51f1118c737af55e8df94dc02390ca34

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
4/19/2024 3:29:12 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Crypt.XPACK.Gen2
7.11.30.172

Bkav FE
HW32.CDB
1.3.0.4959

Dr.Web
Trojan.Packed
9.0.1.0228

Malwarebytes
Trojan.Zbot.gen
v2014.08.16.05

McAfee
PWSZbot-FABW!152B97DD6DD9
5600.7036

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.14814

VIPRE Antivirus
Threat.4789469
32210

File size:
299.7 KB (306,919 bytes)

Product version:
1.9.43074.5121

Copyright:
© Meskisift Corporatien. All rights reserved.

Original file name:
divanv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\ohyzaqc\laesa.exe

File PE Metadata
Compilation timestamp:
1/9/2010 6:25:10 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:YOih/O7DXk2W3kwc07erVPHBqCGxwPZg4xBbZ3KEzFAdLhn+Ju:YfYvQR7KAcbJKEzFAdlnGu

Entry address:
0xC988

Entry point:
55, 8B, EC, 81, EC, A4, 01, 00, 00, 8B, 0D, 5C, CA, 42, 00, EB, 15, EB, 13, 68, 00, 61, 16, 25, 56, 68, 00, F9, 74, 65, E8, 15, 1B, 00, 00, 83, C4, 0C, 53, B9, D3, 00, 00, 00, 89, 8D, 60, FE, FF, FF, 56, 89, 85, 60, FE, FF, FF, 57, 83, F1, 03, 8B, 05, 20, CA, 42, 00, EB, 1C, 33, CF, BA, 92, A1, 00, 00, 81, F9, 9A, 0E, 00, 00, 75, 0D, 83, F1, B2, 6A, 52, E8, DA, 1A, 00, 00, 83, C4, 04, B9, 52, 00, 00, 00, 0B, C8, 3B, C8, 74, 5A, 8B, 85, 60, FE, FF, FF, 3B, 4D, 94, 75, 4F, 83, E9, 80, 8B, 95, 60, FE, FF, FF...
 
[+]

Entropy:
7.8621

Developed / compiled with:
Microsoft Visual C++

Code size:
139 KB (142,336 bytes)

Scheduled Task
Task name:
Security Center Update - 2966778104

Trigger:
Daily (Runs daily at 5:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to yv-in-f148.1e100.net  (74.125.21.148:80)

TCP (HTTP):
Connects to yh-in-f156.1e100.net  (74.125.137.156:80)

TCP (HTTP):
Connects to www.dailymotion.com  (195.8.215.137:80)

TCP (HTTP):
Connects to r-199-59-148-84.twttr.com  (199.59.148.84:80)

TCP (HTTP):
Connects to mallet9.wikipolo.com  (46.244.10.228:80)

TCP (HTTP):
Connects to host.mimicpro.com  (96.30.12.221:80)

TCP (HTTP):
Connects to errserv-21.btrll.com  (162.208.21.166:80)

TCP (HTTP):
Connects to edge-star-shv-08-iad1.facebook.com  (31.13.69.176:80)

TCP (HTTP):
Connects to ec2-54-86-129-6.compute-1.amazonaws.com  (54.86.129.6:80)

TCP (HTTP):
Connects to ec2-54-85-44-202.compute-1.amazonaws.com  (54.85.44.202:80)

TCP (HTTP):
Connects to ec2-54-243-85-92.compute-1.amazonaws.com  (54.243.85.92:80)

TCP (HTTP):
Connects to ec2-54-243-70-111.compute-1.amazonaws.com  (54.243.70.111:80)

TCP (HTTP):
Connects to ec2-54-236-184-244.compute-1.amazonaws.com  (54.236.184.244:80)

TCP (HTTP):
Connects to ec2-50-19-122-58.compute-1.amazonaws.com  (50.19.122.58:80)

TCP (HTTP):
Connects to ec2-50-18-46-13.us-west-1.compute.amazonaws.com  (50.18.46.13:80)

TCP (HTTP):
Connects to ec2-50-18-209-44.us-west-1.compute.amazonaws.com  (50.18.209.44:80)

TCP (HTTP):
Connects to a23-72-225-50.deploy.static.akamaitechnologies.com  (23.72.225.50:80)

TCP (HTTP):
Connects to a23-72-225-49.deploy.static.akamaitechnologies.com  (23.72.225.49:80)

TCP (HTTP):
Connects to a23-195-95-139.deploy.static.akamaitechnologies.com  (23.195.95.139:80)

TCP (HTTP):
Connects to a-0001.a-msedge.net  (204.79.197.200:80)

Remove laesa.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.