» pacloksunasv.exe
Overview
Analysis
File Details
Behaviors (1)
Network (40)

pacloksunasv.exe

The executable pacloksunasv.exe has been detected as malware by 39 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘pacloksunasv’. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address we-pbna-01.weservices.eu on port 80 using the HTTP protocol.

File name:

pacloksunasv.exe

MD5:

96e0cc67a3304f60a6bf1d8f84e47754

SHA-1:

a3d4740f7a2bd3f50842c9bc91694faa56d0185e

SHA-256:

5d004763b458ac02460b5bb4faac06a6ba3de81e83883a710c8db9653cdc732a

Scanner detections:

39 / 68

Status:

Malware

Analysis date:

4/27/2024 6:08:47 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Encpk.Gen.4

249

Agnitum Outpost

Trojan.Inject

7.1.1

AhnLab V3 Security

Trojan/Win32.Zbot

2015.09.24

Avira AntiVirus

TR/Injector.2576884

8.3.2.2

Arcabit

Trojan.Encpk.Gen.4

1.0.0.567

avast!

Win32:Injector-BID [Trj]

2014.9-160531

AVG

Generic34

2017.0.2727

Baidu Antivirus

Worm.Win32.Pilleuz

4.0.3.16531

Bitdefender

Trojan.Encpk.Gen.4

1.0.20.760

Bkav FE

W32.FaraeloAJ.Trojan

1.3.0.7237

Comodo Security

TrojWare.Win32.Injector.AKLC

23286

Dr.Web

Trojan.Spambot.11951

9.0.1.0152

Emsisoft Anti-Malware

Trojan.Encpk.Gen

8.16.05.31.05

ESET NOD32

Win32/Injector.AKNU (variant)

10.12296

Fortinet FortiGate

W32/Kryptik.ADF!tr

5/31/2016

F-Secure

Trojan.Encpk.Gen.4

11.2016-31-05_3

G Data

Trojan.Encpk.Gen

16.5.25

IKARUS anti.virus

Trojan.Inject

t3scan.1.9.5.0

K7 AntiVirus

Trojan

13.210.17303

Kaspersky

HEUR:Trojan.Win32.Generic

14.0.0.129

Malwarebytes

Trojan.Zbot

v2016.05.31.05

McAfee

Generic-FANR!96E0CC67A330

5600.6383

Microsoft Security Essentials

TrojanDownloader:Win32/Cutwail

1.1.12101.0

MicroWorld eScan

Trojan.Encpk.Gen.4

17.0.0.456

NANO AntiVirus

Trojan.Win32.Spambot.crmhyv

0.30.24.3283

nProtect

Trojan.Encpk.Gen.4

15.09.23.01

Panda Antivirus

Trj/Dtcontx.G

16.05.31.05

Qihoo 360 Security

Win32/Trojan.39e

1.0.0.1015

Quick Heal

Trojan.ZAgent.r3

5.16.14.00

Rising Antivirus

PE:Trojan.Injector!1.9DEE[F1]

23.00.65.16529

Sophos

Troj/Agent-ADBJ

4.98

SUPERAntiSpyware

Trojan.Agent/Gen-Dropper

9111

Total Defense

Win32/Inject.C2!generic

37.1.62.1

Trend Micro House Call

TROJ_SPNR.1AHA13

7.2.152

Trend Micro

TROJ_SPNR.1AHA13

10.465.31

Vba32 AntiVirus

Malware-Cryptor.Inject.gen

3.12.26.4

VIPRE Antivirus

TrojanPWS.Win32.Fareit.aa

43988

ViRobot

Trojan.Win32.S.Zbot.65659[h]

2014.3.20.0

Zillya! Antivirus

Trojan.Inject.Win32.61849

2.0.0.2409

File size:

64.1 KB (65,659 bytes)

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\fandy-ferry\pacloksunasv.exe

File PE Metadata

Compilation timestamp:

8/5/2013 5:51:39 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.50

CTPH (ssdeep):

1536:RwEreUZnrqMIGftZKHpUuFhEQKorc6Osp:RwErbrimlQNf

Entry address:

0xBEE0

Entry point:

60, BE, 15, A0, 40, 00, 8D, BE, EB, 6F, FF, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75... 
[+]

Packer / compiler:

UPX 2.90LZMA

Code size:

12 KB (12,288 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

pacloksunasv

Command:

C:\users\fandy-ferry\pacloksunasv.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to www65.totaalholding.nl (185.56.145.59:80)

TCP (HTTP):

Connects to srv30.gepcom.com (208.66.193.80:80)

TCP (HTTP):

Connects to mhintdin-unix.alicomitalia.it (95.110.192.171:80)

TCP (HTTP):

Connects to cluster003.ovh.net (213.186.33.4:80)

TCP (HTTP):

Connects to box318.bluehost.com (69.89.31.118:80)

TCP (HTTP):

Connects to cluster005.ovh.net (213.186.33.16:80)

TCP (HTTP):

Connects to wp208071.dreamhost.com (208.113.145.77:80)

TCP (HTTP):

Connects to we-pbna-01.weservices.eu (94.237.26.105:80)

TCP (HTTP):

Connects to web.alganet.fr (212.129.21.17:80)

TCP (HTTP):

Connects to vultur.fullspace.ru (185.72.144.129:80)

TCP (HTTP):

Connects to vm16202.mailclub.pro (195.64.165.29:80)

TCP (HTTP):

Connects to sv2.wmsj.ne.jp (59.106.231.244:80)

TCP (HTTP):

Connects to meso.nmsrv.com (208.70.247.105:80)

TCP (HTTP):

Connects to just61.justhost.com (173.254.28.61:80)

TCP (HTTP):

Connects to ip-50-63-202-4.ip.secureserver.net (50.63.202.4:80)

TCP (HTTP):

Connects to ip-50-63-202-31.ip.secureserver.net (50.63.202.31:80)

TCP (HTTP):

Connects to ip-50-62-115-20.ip.secureserver.net (50.62.115.20:80)

TCP (HTTP):

Connects to intern.genet.at (213.208.149.101:80)

TCP (HTTP):

Connects to host21.my-ehost.com (198.31.50.49:80)

TCP (HTTP SSL):

Connects to ec2-52-51-140-179.eu-west-1.compute.amazonaws.com (52.51.140.179:443)

Remove pacloksunasv.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.