liagdel.exe

The executable liagdel.exe has been detected as malware by 32 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Puuxseed’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
MD5:
f3e144588f188f41846867a2a8299192

SHA-1:
387b0dc189dc26403fb4dc95a7363b5fba19c22a

SHA-256:
aab108469e67f745d46f65f20e6c9ee3500eebf0eb36cced2fc8cf33011e35a8

Scanner detections:
32 / 68

Status:
Malware

Analysis date:
4/25/2024 10:53:31 PM UTC

Scan engine: Detection (Engine version)

Lavasoft Ad-Aware: Trojan.Spy.Zbot.FLD (775)
Agnitum Outpost: TrojanSpy.Zbot (7.1.1)
AhnLab V3 Security: Trojan/Win32.Zbot (2014.06.03)
Avira AntiVirus: TR/Crypt.ZPACK.Gen (7.11.30.172)
avast!: Win32:Zbot-TWG [Trj] (2014.9-141222)
AVG: Trojan horse SHeur4 (2015.0.3253)
Bitdefender: Trojan.Spy.Zbot.FLD (1.0.20.1780)
Bkav FE: HW32.CDB (1.3.0.4959)
Comodo Security: TrojWare.Win32.Kryptik.CCQE (18409)
Dr.Web: Trojan.Siggen6.15132 (9.0.1.0356)
Emsisoft Anti-Malware: Trojan.Spy.Zbot.FLD (8.14.12.22.01)
ESET NOD32: Win32/Kryptik.CCZH trojan (8.7.0.302.0)
Fortinet FortiGate: W32/Kryptik.CAAF!tr (5/22/2014)
F-Secure: Trojan.Spy.Zbot.FLD (11.2014-22-12_2)
G Data: Trojan.Spy.Zbot.FLD (14.12.24)
IKARUS anti.virus: Trojan-PWS.Win32.Zbot (t3scan.1.6.1.0)
K7 AntiVirus: Trojan (13.178.12278)
Kaspersky: Trojan-Spy.Win32.Zbot (14.0.0.3826)
Malwarebytes: Spyware.Password (v2014.12.22.01)
McAfee: PWSZbot-FLM!E028CFC71FD3 (5600.6909)
Microsoft Security Essentials: Threat.Undefined (1.175.1108.0)
MicroWorld eScan: Trojan.Spy.Zbot.FLD (15.0.0.1068)
NANO AntiVirus: Trojan.Win32.Zbot.czcxfu (0.28.0.60100)
nProtect: Trojan.Spy.Zbot.FLD (14.06.02.01)
Panda Antivirus: Suspicious file (14.05.22.07)
Qihoo 360 Security: Malware.QVM20.Gen (1.0.0.1015)
Reason Heuristics: Threat.Win.Reputation.IMP (14.12.22.1)
Rising Antivirus: PE:Malware.XPACK-LNR/Heur!1.5594 (23.00.65.14520)
SUPERAntiSpyware: Trojan.Agent/Gen-XPack (10163)
Total Defense: Win32/Zbot.RYDUUcB (37.0.10975)
Vba32 AntiVirus: TrojanSpy.Zbot (3.12.26.0)
VIPRE Antivirus: Threat.4150696 (29800)

File size:
275.5 KB (282,162 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\esweezy\liagdel.exe

File PE Metadata
Compilation timestamp:
8/9/2011 2:04:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:O624KzAsxB+ws97bIqHKQC8PoJ2CIX371fEzE8zsfddN59G:h2wsb+2pQbP6jtzx+dq

Entry address:
0x12184

Entry point:
55, 8B, EC, 81, EC, 48, 01, 00, 00, 6A, D8, E8, C7, 24, 00, 00, 83, C4, 04, 53, 8B, C8, 83, F8, 17, 74, 19, EB, 17, 03, C6, 3B, C7, 74, 11, 83, F0, 00, 8B, 15, 5C, E0, 42, 00, 89, 5D, 80, E8, A5, 22, 00, 00, 56, BE, D6, D2, 00, 00, 33, F0, 81, FE, 78, 4D, 00, 00, 74, 5F, 83, FE, AE, 75, 5A, B9, 56, 00, 00, 00, 81, F1, 00, 40, D0, E4, E8, 74, 21, 00, 00, EB, 48, 83, C3, A0, F7, C6, 9F, 00, 00, 00, 75, 3D, 8B, D0, 57, 68, 00, 84, AD, F0, E8, FA, 1E, 00, 00, 83, C4, 08, 3B, 5D, BC, 75, 28, 83, E3, BA, 56, 68...

Entropy:
7.8870

Developed / compiled with:
Microsoft Visual C++

Code size:
119.5 KB (122,368 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Puuxseed

Command:
C:\users\{user}\appdata\roaming\esweezy\liagdel.exe


The executing file has been seen to make the following network communications in live environments.


Remove liagdel.exe - Powered by Reason Core Security