pacloksunasv.exe

The executable pacloksunasv.exe has been detected as malware by 39 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘pacloksunasv’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address we-pbna-01.weservices.eu on port 80 using the HTTP protocol.
MD5:
96e0cc67a3304f60a6bf1d8f84e47754

SHA-1:
a3d4740f7a2bd3f50842c9bc91694faa56d0185e

SHA-256:
5d004763b458ac02460b5bb4faac06a6ba3de81e83883a710c8db9653cdc732a

Scanner detections:
39 / 68

Status:
Malware

Analysis date:
12/17/2018 9:15:17 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Encpk.Gen.4 | 249
Agnitum Outpost | Trojan.Inject | 7.1.1
AhnLab V3 Security | Trojan/Win32.Zbot | 2015.09.24
Avira AntiVirus | TR/Injector.2576884 | 8.3.2.2
Arcabit | Trojan.Encpk.Gen.4 | 1.0.0.567
avast! | Win32:Injector-BID [Trj] | 2014.9-160531
AVG | Generic34 | 2017.0.2727
Baidu Antivirus | Worm.Win32.Pilleuz | 4.0.3.16531
Bitdefender | Trojan.Encpk.Gen.4 | 1.0.20.760
Bkav FE | W32.FaraeloAJ.Trojan | 1.3.0.7237
Comodo Security | TrojWare.Win32.Injector.AKLC | 23286
Dr.Web | Trojan.Spambot.11951 | 9.0.1.0152
Emsisoft Anti-Malware | Trojan.Encpk.Gen | 8.16.05.31.05
ESET NOD32 | Win32/Injector.AKNU (variant) | 10.12296
Fortinet FortiGate | W32/Kryptik.ADF!tr | 5/31/2016
F-Secure | Trojan.Encpk.Gen.4 | 11.2016-31-05_3
G Data | Trojan.Encpk.Gen | 16.5.25
IKARUS anti.virus | Trojan.Inject | t3scan.1.9.5.0
K7 AntiVirus | Trojan | 13.210.17303
Kaspersky | HEUR:Trojan.Win32.Generic | 14.0.0.129
Malwarebytes | Trojan.Zbot | v2016.05.31.05
McAfee | Generic-FANR!96E0CC67A330 | 5600.6383
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail | 1.1.12101.0
MicroWorld eScan | Trojan.Encpk.Gen.4 | 17.0.0.456
NANO AntiVirus | Trojan.Win32.Spambot.crmhyv | 0.30.24.3283
nProtect | Trojan.Encpk.Gen.4 | 15.09.23.01
Panda Antivirus | Trj/Dtcontx.G | 16.05.31.05
Qihoo 360 Security | Win32/Trojan.39e | 1.0.0.1015
Quick Heal | Trojan.ZAgent.r3 | 5.16.14.00
Rising Antivirus | PE:Trojan.Injector!1.9DEE[F1] | 23.00.65.16529
Sophos | Troj/Agent-ADBJ | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Dropper | 9111
Total Defense | Win32/Inject.C2!generic | 37.1.62.1
Trend Micro House Call | TROJ_SPNR.1AHA13 | 7.2.152
Trend Micro | TROJ_SPNR.1AHA13 | 10.465.31
Vba32 AntiVirus | Malware-Cryptor.Inject.gen | 3.12.26.4
VIPRE Antivirus | TrojanPWS.Win32.Fareit.aa | 43988
ViRobot | Trojan.Win32.S.Zbot.65659[h] | 2014.3.20.0
Zillya! Antivirus | Trojan.Inject.Win32.61849 | 2.0.0.2409

File size:
64.1 KB (65,659 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\fandy-ferry\pacloksunasv.exe

File PE Metadata
Compilation timestamp:
8/5/2013 5:51:39 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.50

CTPH (ssdeep):
1536:RwEreUZnrqMIGftZKHpUuFhEQKorc6Osp:RwErbrimlQNf

Entry address:
0xBEE0

Entry point:
60, BE, 15, A0, 40, 00, 8D, BE, EB, 6F, FF, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...
 

Packer / compiler:
UPX 2.90LZMA

Code size:
12 KB (12,288 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
pacloksunasv

Command:
C:\users\fandy-ferry\pacloksunasv.exe


The executing file has been seen to make the following network communications in live environments.

Protocol | Host | Address
TCP (HTTP) | www65.totaalholding.nl | 185.56.145.59:80
TCP (HTTP) | srv30.gepcom.com | 208.66.193.80:80
TCP (HTTP) | mhintdin-unix.alicomitalia.it | 95.110.192.171:80
TCP (HTTP) | cluster003.ovh.net | 213.186.33.4:80
TCP (HTTP) | box318.bluehost.com | 69.89.31.118:80
TCP (HTTP) | cluster005.ovh.net | 213.186.33.16:80
TCP (HTTP) | wp208071.dreamhost.com | 208.113.145.77:80
TCP (HTTP) | we-pbna-01.weservices.eu | 94.237.26.105:80
TCP (HTTP) | web.alganet.fr | 212.129.21.17:80
TCP (HTTP) | vultur.fullspace.ru | 185.72.144.129:80
TCP (HTTP) | vm16202.mailclub.pro | 195.64.165.29:80
TCP (HTTP) | sv2.wmsj.ne.jp | 59.106.231.244:80
TCP (HTTP) | meso.nmsrv.com | 208.70.247.105:80
TCP (HTTP) | just61.justhost.com | 173.254.28.61:80
TCP (HTTP) | ip-50-63-202-4.ip.secureserver.net | 50.63.202.4:80
TCP (HTTP) | ip-50-63-202-31.ip.secureserver.net | 50.63.202.31:80
TCP (HTTP) | ip-50-62-115-20.ip.secureserver.net | 50.62.115.20:80
TCP (HTTP) | intern.genet.at | 213.208.149.101:80
TCP (HTTP) | host21.my-ehost.com | 198.31.50.49:80
TCP (HTTP SSL) | ec2-52-51-140-179.eu-west-1.compute.amazonaws.com | 52.51.140.179:443

Remove pacloksunasv.exe - Powered by Reason Core Security