» oswye.exe
Overview
Analysis
File Details
Behaviors (1)
Network (90)

oswye.exe

Virtual

Virtual Group

The executable oswye.exe, “Virtual Group Index” has been detected as malware by 30 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.

File name:

oswye.exe

Publisher:

Virtual Group

Product:

Virtual

Description:

Virtual Group Index

Version:

0.0.0.4

MD5:

5ff2e32593a4858e422508865126a217

SHA-1:

f33b343a72405c67edef5b5c505ede2a72ad1e60

SHA-256:

cf8d6e1f2487033fcaa596966a2feaae5eaac9eb6ed0589c1acfb013eb00fa44

Scanner detections:

30 / 68

Status:

Malware

Analysis date:

4/27/2024 9:35:10 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Kazy.404383

933

Agnitum Outpost

TrojanSpy.Zbot

7.1.1

AhnLab V3 Security

Dropper/Win32.Necurs

2014.07.17

Avira AntiVirus

TR/Kryptik.opbh

7.11.162.6

avast!

Win32:Zbot-UGA [Trj]

140617-1

AVG

Trojan horse SHeur4.BXQQ

2014.0.3986

Bitdefender

Gen:Variant.Kazy.403614

1.0.20.985

Bkav FE

HW32.Laneul

1.3.0.4959

Comodo Security

TrojWare.Win32.Spy.Zbot.AJB

18870

Dr.Web

Trojan.Siggen6.15132

9.0.1.05190

Emsisoft Anti-Malware

Gen:Variant.Kazy.403614

8.14.07.16.06

ESET NOD32

Win32/Spy.Zbot.ABA trojan

7.0.302.0

Fortinet FortiGate

W32/Kryptik.CDCX!tr

7/16/2014

F-Secure

Gen:Variant.Kazy.404383

11.2014-16-07_4

G Data

Gen:Variant.Kazy.403614

14.7.24

IKARUS anti.virus

Trojan.Win32.Spy

t3scan.1.6.1.0

Kaspersky

Trojan-Spy.Win32.Zbot

15.0.0.494

Malwarebytes

Trojan.Agent.ED

v2014.07.16.06

McAfee

PWSZbot-FAAA!5FF2E32593A4

5600.7067

Microsoft Security Essentials

Threat.Undefined

1.179.190.0

MicroWorld eScan

Gen:Variant.Kazy.403614

15.0.0.591

NANO AntiVirus

Trojan.Win32.Zbot.dbzcus

0.28.2.60881

Norman

ZBot.UCBP

11.20140716

Panda Antivirus

Trj/Genetic.gen

14.07.16.06

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Rising Antivirus

PE:Trojan.Win32.Generic.16F26A0A!384985610

23.00.65.14714

SUPERAntiSpyware

Trojan.Agent/Gen-Zbot

10479

Vba32 AntiVirus

TrojanSpy.Zbot

3.12.26.3

VIPRE Antivirus

Threat.4657539

31208

Zillya! Antivirus

Trojan.ZBot.Win32.71

2.0.0.1860

File size:

286.5 KB (293,376 bytes)

Product version:

0.0.0.4

Original file name:

Virtual

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\isezte\oswye.exe

File PE Metadata

Compilation timestamp:

1/27/1979 7:25:53 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.1

CTPH (ssdeep):

6144:gYJbG8qUhNYYbh+rry7klogZxicJPzKdFXlYVL:gwb1NT8C7k2g1OdFO

Entry address:

0x4DFC

Entry point:

55, 8B, EC, 51, 56, 57, BE, 01, 07, 15, 02, 33, FF, 6A, 39, 4E, FF, 15, 98, C0, 44, 00, 68, E0, DD, 40, 00, FF, 15, 94, C0, 44, 00, 3B, F7, 75, E8, 57, 57, FF, 15, 54, C0, 44, 00, 68, E8, DD, 40, 00, FF, 15, 58, C0, 44, 00, 57, 57, FF, 15, 78, C0, 44, 00, 68, F8, DD, 40, 00, 68, 58, DE, 40, 00, FF, 15, 64, C0, 44, 00, 85, C0, 74, 1C, FF, 15, 68, C0, 44, 00, 6A, 02, 6A, 10, 68, 00, 01, 00, 00, FF, 15, 70, C0, 44, 00, 57, FF, 15, 5C, C0, 44, 00, BE, FC, 3E, 08, 00, 89, 75, FC, 8B, 55, 0C, B9, 0E, C1, 01, 00... 
[+]

Entropy:

7.6635

Developed / compiled with:

Microsoft Visual C++ v6.0 (Debug)

Code size:

16.4 KB (16,802 bytes)

Scheduled Task

Task name:

Security Center Update - 3328380256

Trigger:

Daily (Runs daily at 7:00 PM)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to vip064.ssl.hwcdn.net (205.185.208.64:80)

TCP (HTTP):

Connects to utsapi-adcom-mtc.evip.aol.com (64.12.68.22:80)

TCP (HTTP):

Connects to tps.sj2.fastclick.net (64.156.167.98:80)

TCP (HTTP SSL):

Connects to t.mookie1.com (208.71.121.1:443)

TCP (HTTP):

Connects to server-54-230-39-90.jfk1.r.cloudfront.net (54.230.39.90:80)

TCP (HTTP):

Connects to server-54-230-39-63.jfk1.r.cloudfront.net (54.230.39.63:80)

TCP (HTTP):

Connects to server-54-230-39-234.jfk1.r.cloudfront.net (54.230.39.234:80)

TCP (HTTP):

Connects to server-54-230-39-228.jfk1.r.cloudfront.net (54.230.39.228:80)

TCP (HTTP):

Connects to server-54-230-38-215.jfk1.r.cloudfront.net (54.230.38.215:80)

TCP (HTTP):

Connects to server-54-230-38-186.jfk1.r.cloudfront.net (54.230.38.186:80)

TCP (HTTP):

Connects to server-54-230-38-165.jfk1.r.cloudfront.net (54.230.38.165:80)

TCP (HTTP):

Connects to server-54-230-36-112.jfk1.r.cloudfront.net (54.230.36.112:80)

TCP (HTTP):

Connects to media.dc6.vcmedia.com (8.18.45.90:80)

TCP (HTTP SSL):

Connects to lga15s45-in-f4.1e100.net (74.125.226.164:443)

TCP (HTTP SSL):

Connects to lga15s45-in-f28.1e100.net (74.125.226.188:443)

TCP (HTTP):

Connects to lga15s45-in-f26.1e100.net (74.125.226.186:80)

TCP (HTTP):

Connects to lga15s45-in-f25.1e100.net (74.125.226.185:80)

TCP (HTTP):

Connects to lga15s45-in-f13.1e100.net (74.125.226.173:80)

TCP (HTTP):

Connects to lga15s42-in-f5.1e100.net (74.125.226.5:80)

TCP (HTTP):

Connects to lga15s42-in-f27.1e100.net (74.125.226.27:80)

Remove oswye.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.