oswye.exe

The executable oswye.exe, “Virtual Group Index”, has been detected as malware by 32 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Virtual Group

Product:
Virtual

Description:
Virtual Group Index

Version:
0.0.0.4

MD5:
5ff2e32593a4858e422508865126a217

SHA-1:
f33b343a72405c67edef5b5c505ede2a72ad1e60

SHA-256:
cf8d6e1f2487033fcaa596966a2feaae5eaac9eb6ed0589c1acfb013eb00fa44

Scanner detections:
32 / 68

Status:
Malware

Analysis date:
11/23/2017 4:08:20 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Kazy.404383
933

Agnitum Outpost
TrojanSpy.Zbot
7.1.1

AhnLab V3 Security
Dropper/Win32.Necurs
2014.07.17

Avira AntiVirus
TR/Kryptik.opbh
7.11.162.6

Antiy Labs AVL
Trojan[Spy]/Win32.Zbot
1.0.0.1

avast!
Win32:Zbot-UGA [Trj]
140617-1

AVG
Trojan horse SHeur4.BXQQ
2014.0.3986

Bitdefender
Gen:Variant.Kazy.403614
1.0.20.985

Bkav FE
HW32.Laneul
1.3.0.4959

Comodo Security
TrojWare.Win32.Spy.Zbot.AJB
18870

Dr.Web
Trojan.Siggen6.15132
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Kazy.403614
8.14.07.16.06

ESET NOD32
Win32/Spy.Zbot.ABA trojan
7.0.302.0

Fortinet FortiGate
W32/Kryptik.CDCX!tr
7/16/2014

F-Secure
Gen:Variant.Kazy.404383
11.2014-16-07_4

G Data
Gen:Variant.Kazy.403614
14.7.24

IKARUS anti.virus
Trojan.Win32.Spy
t3scan.1.6.1.0

Kaspersky
Trojan-Spy.Win32.Zbot
15.0.0.494

Malwarebytes
Trojan.Agent.ED
v2014.07.16.06

McAfee
PWSZbot-FAAA!5FF2E32593A4
5600.7067

McAfee Web Gateway
PWSZbot-FAAA!5FF2E32593A4
7.7067

Microsoft Security Essentials
Threat.Undefined
1.179.190.0

MicroWorld eScan
Gen:Variant.Kazy.403614
15.0.0.591

NANO AntiVirus
Trojan.Win32.Zbot.dbzcus
0.28.2.60881

Norman
ZBot.UCBP
11.20140716

Panda Antivirus
Trj/Genetic.gen
14.07.16.06

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Rising Antivirus
PE:Trojan.Win32.Generic.16F26A0A!384985610
23.00.65.14714

SUPERAntiSpyware
Trojan.Agent/Gen-Zbot
10479

Vba32 AntiVirus
TrojanSpy.Zbot
3.12.26.3

VIPRE Antivirus
Threat.4657539
31208

Zillya! Antivirus
Trojan.ZBot.Win32.71
2.0.0.1860

File size:
286.5 KB (293,376 bytes)

Product version:
0.0.0.4

Copyright:
Copyright (C) 2011

Original file name:
Virtual

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\isezte\oswye.exe

File PE Metadata
Compilation timestamp:
1/27/1979 7:25:53 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.1

CTPH (ssdeep):
6144:gYJbG8qUhNYYbh+rry7klogZxicJPzKdFXlYVL:gwb1NT8C7k2g1OdFO

Entry address:
0x4DFC

Entry point:
55, 8B, EC, 51, 56, 57, BE, 01, 07, 15, 02, 33, FF, 6A, 39, 4E, FF, 15, 98, C0, 44, 00, 68, E0, DD, 40, 00, FF, 15, 94, C0, 44, 00, 3B, F7, 75, E8, 57, 57, FF, 15, 54, C0, 44, 00, 68, E8, DD, 40, 00, FF, 15, 58, C0, 44, 00, 57, 57, FF, 15, 78, C0, 44, 00, 68, F8, DD, 40, 00, 68, 58, DE, 40, 00, FF, 15, 64, C0, 44, 00, 85, C0, 74, 1C, FF, 15, 68, C0, 44, 00, 6A, 02, 6A, 10, 68, 00, 01, 00, 00, FF, 15, 70, C0, 44, 00, 57, FF, 15, 5C, C0, 44, 00, BE, FC, 3E, 08, 00, 89, 75, FC, 8B, 55, 0C, B9, 0E, C1, 01, 00...

Entropy:
7.6635

Developed / compiled with:
Microsoft Visual C++ v6.0 (Debug)

Code size:
16.4 KB (16,802 bytes)

Scheduled Task
Task name:
Security Center Update - 3328380256

Trigger:
Daily (Runs daily at 7:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

Remove oswye.exe - Powered by Reason Core Security