» noihcye.exe
Overview
Analysis
File Details
Behaviors (1)
Network (183)

noihcye.exe

The executable noihcye.exe has been detected as malware by 22 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.

File name:

noihcye.exe

MD5:

5195e5b0f04e2e991db854383992cbe1

SHA-1:

a42d6f484830579023942e20ec0b2f2b25fe7ba7

SHA-256:

95cf72e0ed787467f79e1c92bc5081723f22f7ea3a722505bc67aecf4fa61c6c

Scanner detections:

22 / 68

Status:

Malware

Analysis date:

4/26/2024 11:05:44 PM UTC (a few moments ago)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Kazy.362778

1036

Avira AntiVirus

TR/Crypt.ZPACK.37879

7.11.141.72

avast!

Win32:Kryptik-NQJ [Trj]

2014.9-140405

AVG

Crypt3

2015.0.3514

Bitdefender

Gen:Variant.Kazy.362778

1.0.20.475

Bkav FE

HW32.CDB

1.3.0.4959

Emsisoft Anti-Malware

Gen:Variant.Kazy.362778

8.14.04.05.01

ESET NOD32

Win32/Kryptik.BUVK (variant)

8.9639

Fortinet FortiGate

W32/Zbot.HGR!tr

4/5/2014

F-Secure

Gen:Variant.Kazy.362778

11.2014-05-04_7

G Data

Gen:Variant.Kazy.362778

14.4.24

K7 AntiVirus

Trojan

13.176.11663

Kaspersky

Trojan-Spy.Win32.Zbot

14.0.0.4065

Malwarebytes

Trojan.Spy.Zbot

v2014.04.05.01

McAfee

PWSZbot-FLM!5195E5B0F04E

5600.7170

Microsoft Security Essentials

PWS:Win32/Zbot.gen!AP

1.10401

MicroWorld eScan

Gen:Variant.Kazy.362778

15.0.0.285

Norman

Kryptic.AW

11.20140405

Panda Antivirus

Trj/Genetic.gen

14.04.05.01

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Sophos

Troj/Zbot-IAL

4.98

VIPRE Antivirus

Trojan.Win32.Generic

28036

File size:

278 KB (284,711 bytes)

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\asvetuiq\noihcye.exe

File PE Metadata

Compilation timestamp:

11/21/2012 10:23:19 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:mWXTy51u4tgIhSJ/JQJ5P54wHvEiXvMCGFfe8Jz76ce7MA/GvNBIeZvx:mWDy517hSJhQJ5P54wHciXxlI7k7MA+n

Entry address:

0x5000

Entry point:

55, 8B, EC, 81, EC, E0, 00, 00, 00, EB, 0E, 8B, CB, 6A, 50, 53, 56, E8, 32, 1F, 00, 00, 83, C4, 0C, 53, 3B, 45, D0, 74, 06, 89, 85, 78, FF, FF, FF, 56, EB, 20, BA, ED, 00, 00, 00, 68, 00, C7, 45, 10, 68, 00, 64, 74, 14, 68, 00, 97, E2, 38, 6A, 75, 6A, E1, E8, 8E, 1C, 00, 00, 83, C4, 14, 57, 3B, 85, 78, FF, FF, FF, 74, 08, EB, 06, 83, C3, 79, 89, 5D, 9C, 89, 9D, 4C, FF, FF, FF, FF, 15, 08, BA, 42, 00, 8B, BD, 4C, FF, FF, FF, 3B, F8, 74, 28, 8B, 8D, 4C, FF, FF, FF, F7, C7, 3F, 00, 00, 00, 75, 1A, 83, EF, 4D... 
[+]

Entropy:

7.9018

Developed / compiled with:

Microsoft Visual C++

Code size:

24.5 KB (25,088 bytes)

Scheduled Task

Task name:

Security Center Update - 115763021

Trigger:

Daily (Runs daily at 9:00 PM)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to vip-113.lax.adconion.com (207.171.14.113:80)

TCP (HTTP):

Connects to vip-112.lax.adconion.com (207.171.14.112:80)

TCP (HTTP SSL):

Connects to vip1.g.cachefly.net (205.234.175.175:443)

TCP (HTTP):

Connects to video.dc6.vcmedia.com (8.18.45.89:80)

TCP (HTTP):

Connects to v-2-do13-d1175-109.webazilla.com (78.140.150.109:80)

TCP (HTTP):

Connects to unknown.carohosting.net (69.59.16.4:80)

TCP (HTTP SSL):

Connects to students.petinsurance.com (64.209.138.40:443)

TCP (HTTP):

Connects to server-54-230-7-245.dfw3.r.cloudfront.net (54.230.7.245:80)

TCP (HTTP):

Connects to server-54-230-7-235.dfw3.r.cloudfront.net (54.230.7.235:80)

TCP (HTTP):

Connects to server-54-230-7-163.dfw3.r.cloudfront.net (54.230.7.163:80)

TCP (HTTP):

Connects to server-54-230-7-120.dfw3.r.cloudfront.net (54.230.7.120:80)

TCP (HTTP SSL):

Connects to server-54-230-6-21.dfw3.r.cloudfront.net (54.230.6.21:443)

TCP (HTTP):

Connects to server-54-230-6-114.dfw3.r.cloudfront.net (54.230.6.114:80)

TCP (HTTP SSL):

Connects to server-54-230-5-130.dfw3.r.cloudfront.net (54.230.5.130:443)

TCP (HTTP):

Connects to server-54-230-4-38.dfw3.r.cloudfront.net (54.230.4.38:80)

TCP (HTTP):

Connects to server-216-137-43-65.dfw3.r.cloudfront.net (216.137.43.65:80)

TCP (HTTP):

Connects to server-216-137-43-171.dfw3.r.cloudfront.net (216.137.43.171:80)

TCP (HTTP):

Connects to server-216-137-43-100.dfw3.r.cloudfront.net (216.137.43.100:80)

TCP:

Connects to server-204-246-181-105.dfw3.r.cloudfront.net (204.246.181.105:1935)

TCP (HTTP):

Connects to s3-1-w.amazonaws.com (205.251.243.169:80)

Remove noihcye.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.