qexesoriqcak.exe

The executable qexesoriqcak.exe has been detected as malware by 37 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘qexesoriqcak’. According to the majority of detections it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. The vendor labels are not unanimous, however: three engines classify the sample as Cutwail (a spam bot), one as Fareit and one as Dorkbot, and McAfee Web Gateway flags it heuristically as a modified UPX-packed file, so the family name should be read as a best guess until the sample is unpacked and its configuration examined. While running, it connects to the Internet address manage.embarq.synacor.com on port 80 using the HTTP protocol. The live-environment captures listed further down record many more HTTP destinations, plus several outbound connections on TCP port 25 (SMTP), which fits the spam-bot classification and is itself a strong signal on a workstation, where direct SMTP to Internet mail servers has no legitimate reason.
MD5:
80824335e4be12c7589329ea01b6934b

SHA-1:
60bc35c45e07db0eccb2a2124fd1923db836f4a9

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
11/20/2017 2:55:15 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | TrojanSpy.Zbot | 7.1.1
Avira AntiVirus | TR/Injector.100504 | 7.11.107.74
Antiy Labs AVL | Trojan/Win32.Zbot | 2.0.3.7
avast! | Win32:Injector-BGX [Trj] | 2014.9-160628
AVG | PSW.Generic11 | 2017.0.2698
Baidu Antivirus | Trojan.Win32.Zbot | 4.0.3.16628
Bitdefender | Trojan.Generic.9411034 | 1.0.20.900
Bkav FE | W32.SofiesLTD.Trojan | 1.3.0.4246
Commtouch SDK | W32/Zbot.LXVK-8094 | 5.4.1.7
Comodo Security | TrojWare.Win32.Injector.AKLC | 17094
Dr.Web | Trojan.Inject2.23 | 9.0.1.0180
Emsisoft Anti-Malware | Trojan.Generic.9411034 | 8.16.06.28.04
ESET NOD32 | Win32/Injector.AJXZ (variant) | 10.8908
F-Prot | W32/Zbot.BSK | v6.4.7.1.166
G Data | Trojan.Generic.9411034 | 16.6.22
IKARUS anti.virus | Trojan-Spy.Zbot | t3scan.2.0.127
Jiangmin | TrojanSpy.Zbot.eyfy | KV160628
K7 AntiVirus | Spyware | 13.173.9850
K7 Gateway Antivirus | Spyware | 13.12.7.0.14
Kaspersky | Trojan-Spy.Win32.Zbot | 14.0.0.-13
Kingsoft AntiVirus | Win32.Troj.Generic.a.(kcloud) | 331020.49267
Malwarebytes | Trojan.LVBP.UX | v2016.06.28.04
McAfee | PWS-FBHE!80824335E4BE | 5600.6354
McAfee Web Gateway | Heuristic.BehavesLike.Win32.ModifiedUPX.C | 7.6354
Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail.BS | 1.163.1557.0
NANO AntiVirus | Trojan.Win32.Zbot.bysrbf | 0.26.0.55366
Norman | Dorkbot.KLF | 11.20160628
nProtect | Trojan.Encpk.Gen.1 | 13.10.11.03
Panda Antivirus | Trj/Genetic.gen | 16.06.28.04
Quick Heal | TrojanDownloader.Cutwail.bs | 6.16.12.00
Sophos | Troj/Agent-ADBJ | 4.93
The Hacker | Trojan/Spy.Zbot.zr | 6.8.0.5.346
Total Defense | Win32/Inject.BBQ | 37.0.10498
Trend Micro House Call | TROJ_SPNR.14HJ13 | 7.2.180
Trend Micro | TROJ_CUTWAIL.TFR | 10.465.28
Vba32 AntiVirus | TrojanSpy.Zbot | 3.12.24.3
VIPRE Antivirus | TrojanPWS.Win32.Fareit.aa | 22306

Reading the table: the family names are not unanimous. Most engines label the sample Zbot/Zeus or a generic injector; Microsoft, Quick Heal and Trend Micro call it Cutwail, VIPRE says Fareit and Norman says Dorkbot. McAfee's PWS-FBHE!80824335E4BE is a hash-keyed signature (the suffix is the first twelve hex digits of the MD5 above), so it identifies this exact file only and will not match a repacked variant, and McAfee Web Gateway's Heuristic.BehavesLike.Win32.ModifiedUPX.C is a packer heuristic rather than a family attribution.

File size:
98.1 KB (100,504 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\documents and settings\utente\qexesoriqcak.exe

File PE Metadata
Compilation timestamp:
7/23/2013 3:36:40 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.50

CTPH (ssdeep):
1536:S46jJ/1aqcC7ywr8ypfVF57uzQnxRnouy8oWtCd9qixBVdj7LpsWmzK30s5Fxinf:bg/1a3wrvvRoutjKMiX/z6KEs5FUnkE

Entry address:
0x1F8F0

Entry point:
60, BE, 15, 50, 41, 00, 8D, BE, EB, BF, FE, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 5F, D4, 01, 00, 57, 83, C3, 04, 53, 68, CF, A8, 00, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 00, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 01, 01, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Code size:
48 KB (49,152 bytes)
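
The entry-point bytes and the 'ModifiedUPX' heuristic in the scanner table point the same way. As an added example (not part of the original page), the following Python parses the byte listing exactly as printed above, checks it against the opening of the UPX decompression stub (PUSHAD; MOV ESI, imm32; LEA EDI, [ESI+disp32]; PUSH EDI) and recovers the source and destination addresses of the unpacking copy. Reading the two immediates pushed later as the output and input lengths handed to UPX's LZMA decoder is the analyst's interpretation of the public UPX stub layout, not something the page states.

```python
"""Recognise a UPX-style decompression stub from a printed entry-point byte dump.

Added example. ENTRY_POINT_DUMP is the opening of the listing on the analysis
page; the interpretation of the operands follows the public UPX stub layout.
"""
import struct

# Entry-point bytes as printed on the page (the listing continues; this
# prefix covers the stub prologue and its call set-up).
ENTRY_POINT_DUMP = (
    "60, BE, 15, 50, 41, 00, 8D, BE, EB, BF, FE, FF, 57, 89, E5, 8D, 9C, 24, "
    "80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, 5F, D4, 01, 00, "
    "57, 83, C3, 04, 53, 68, CF, A8, 00, 00, 56, 83, C3, 04, 53, 50, C7, 03, "
    "03, 00, 00, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C"
)


def parse_hex_dump(dump: str) -> bytes:
    """Turn 'AA, BB, ...' (a trailing '...' is tolerated) into bytes."""
    tokens = [t.strip().rstrip(".") for t in dump.split(",")]
    return bytes(int(t, 16) for t in tokens if t)


def _u32(b: bytes) -> int:
    return struct.unpack("<I", b)[0]


def _s32(b: bytes) -> int:
    return struct.unpack("<i", b)[0]


def analyse_upx_stub(code: bytes) -> dict:
    """Match the first instructions of the UPX PE stub and decode their operands.

    Layout checked (x86, 32-bit):
      60                PUSHAD
      BE imm32          MOV  ESI, <VA of packed data>
      8D BE disp32      LEA  EDI, [ESI + disp32]   (disp is negative: EDI is below ESI)
      57                PUSH EDI
    Returns {'is_upx_stub': False} when the prologue does not match.
    """
    result = {"is_upx_stub": False}
    if len(code) < 13:
        return result
    if not (code[0] == 0x60 and code[1] == 0xBE and code[6:8] == b"\x8D\xBE" and code[12] == 0x57):
        return result
    src = _u32(code[2:6])
    dst = (src + _s32(code[8:12])) & 0xFFFFFFFF
    result.update({"is_upx_stub": True, "packed_src_va": src, "unpack_dst_va": dst})
    # In UPX's LZMA stub the prologue is followed by a stack-reserve loop and
    # then PUSH imm32 (68 xx xx xx xx) of the output length and the input length
    # before the decoder is called. This is a byte scan for 0x68, not a
    # disassembly, so treat the values as analyst hints.
    pushes = []
    i = 13
    while i + 5 <= len(code):
        if code[i] == 0x68:
            pushes.append(_u32(code[i + 1:i + 5]))
            i += 5
        else:
            i += 1
    result["push_imm32"] = pushes
    return result


if __name__ == "__main__":
    info = analyse_upx_stub(parse_hex_dump(ENTRY_POINT_DUMP))
    if info["is_upx_stub"]:
        print(f"UPX-style stub: copies from 0x{info['packed_src_va']:08X} to 0x{info['unpack_dst_va']:08X}")
        print("pushed immediates:", ", ".join(f"0x{v:X} ({v} bytes)" for v in info["push_imm32"]))
    else:
        print("entry point does not look like a UPX stub")
```

For this sample the stub reads compressed data at 0x415015 and writes the unpacked program to 0x401000, which is RVA 0x1000 at the default image base: the original code is rebuilt in the first section and control is transferred there once decompression finishes. The two pushed lengths, 0x1D45F (119,903) and 0xA8CF (43,215), are consistent with a 98 KB file carrying roughly 43 KB of LZMA-compressed payload. Because the file is packed, strings and imports taken from the file on disk say little about the malware; dump the process after the stub has run (or break on the jump back into the unpacked section) before doing static work, and expect `upx -d` to refuse a "modified" UPX image.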

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
qexesoriqcak

Command:
C:\documents and settings\utente\qexesoriqcak.exe
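
The Run value above is the whole persistence mechanism: a plain executable dropped into the profile root and registered under HKCU, which needs no administrative rights. As an added example (not part of the original page), the following Python audits Run entries for that pattern. The 'qexesoriqcak' entry reproduces the page's registry data; the other two entries, their names and paths are constructed so the output shows how a system binary, a profile-resident application and an executable sitting directly in the profile root are told apart. On Windows it reads the live key; elsewhere it falls back to the sample entries.

```python
"""Audit the current user's Run key for auto-start entries in user-writable
locations, the persistence pattern recorded for qexesoriqcak.exe.

Added example, not part of the original page. The 'qexesoriqcak' entry is the
page's registry data; 'SecurityHealth' and 'OneDrive' are constructed contrasts.
"""
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Directory components a standard user can write to (compared lower-case).
USER_WRITABLE_DIRS = {"documents and settings", "users", "appdata", "temp", "tmp", "programdata", "public"}
PROFILE_PARENTS = ("documents and settings", "users")
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

SAMPLE_RUN_ENTRIES = {
    # Taken from the page's "Startup File (User Run)" section.
    "qexesoriqcak": r"C:\documents and settings\utente\qexesoriqcak.exe",
    # Constructed for contrast; names and paths are illustrative only.
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\utente\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def executable_from_command(command: str) -> str:
    """Recover the program path from a Run value the way CreateProcess resolves it.

    A quoted command is unambiguous. An unquoted command containing spaces is
    tried as progressively longer prefixes, which is why the page's unquoted
    'C:\\documents and settings\\utente\\qexesoriqcak.exe' still launches; the
    first prefix ending in an executable extension is taken.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for n in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:n])
        if candidate.lower().endswith(EXECUTABLE_EXTS):
            return candidate
    return tokens[0]


def classify_entry(name: str, command: str) -> dict:
    """Describe one Run value: where its executable lives and how suspicious that is."""
    exe = executable_from_command(command)
    parts = [p for p in exe.lower().replace("/", "\\").split("\\") if p]
    user_writable = any(p in USER_WRITABLE_DIRS for p in parts)
    # <drive>\<profile parent>\<user>\<file>: the binary sits directly in the
    # profile root, as qexesoriqcak.exe does. Installed software never does this.
    profile_root = any(parts[i] in PROFILE_PARENTS and len(parts) == i + 3 for i in range(len(parts)))
    if profile_root or any(p in ("temp", "tmp") for p in parts):
        severity = "high"
    elif user_writable:
        severity = "review"
    else:
        severity = "none"
    return {"name": name, "command": command, "executable": exe,
            "user_writable": user_writable, "profile_root": profile_root, "severity": severity}


def audit_run_entries(entries: dict) -> list:
    """Return classifications for every entry that is not clearly a system location."""
    return [c for c in (classify_entry(n, cmd) for n, cmd in entries.items()) if c["severity"] != "none"]


def read_live_run_entries() -> dict:
    """Read HKCU Run values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    for hit in audit_run_entries(read_live_run_entries() or SAMPLE_RUN_ENTRIES):
        print(f"[{hit['severity']:>6}] {hit['name']}: {hit['executable']}")
```

A "review" result is not a verdict: many legitimate per-user applications install under AppData, so those entries need a signature or hash check before action. A "high" result, a bare executable in the profile root or a Temp directory, is almost never legitimate. When removing an entry like the one above, stop the process first, then delete both the Run value and the file, and repeat the audit for HKLM\...\Run, the RunOnce keys and the user's Startup folder, since the same sample may have registered itself in more than one place.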


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mtsdatacentres.com  (199.27.222.110:80)

TCP (HTTP):
Connects to conferencing.Level3.com  (4.68.80.110:80)

TCP (HTTP):
Connects to goto.canada.com  (199.71.40.135:80)

TCP (HTTP):
Connects to ec2-54-165-41-78.compute-1.amazonaws.com  (54.165.41.78:80)

TCP (HTTP):
Connects to www.drexel.edu  (144.118.66.83:80)

TCP (HTTP):
Connects to web02.contakt.net  (193.227.203.172:80)

TCP (HTTP):
Connects to server3.barcelona.com  (193.27.78.221:80)

TCP (HTTP):
Connects to ohiou.edu  (132.235.8.53:80)

TCP (HTTP):
Connects to mail.floodcity.com  (64.186.80.70:80)

TCP (HTTP):
Connects to ip-184-168-221-32.ip.secureserver.net  (184.168.221.32:80)

TCP (SMTP):
Connects to xtra.co.nz  (202.27.184.102:25)

TCP (SMTP):
Connects to www.waupacafoundry.com  (71.13.131.168:25)

TCP (HTTP):
Connects to www.terra.es  (208.84.244.10:80)

TCP (SMTP):
Connects to www.catholic.org  (66.219.98.183:25)

TCP (SMTP):
Connects to www.auto.freenet.de  (62.104.23.121:25)

TCP (SMTP):
Connects to www.alice-dsl.de  (85.183.254.1:25)

TCP (HTTP):
Connects to webportal.synacor.com  (64.8.70.102:80)

TCP (SMTP):
Connects to thankful.callbuttonsource.com  (173.239.23.228:25)

TCP (HTTP):
Connects to sv.e-broad.jp  (58.138.175.188:80)

TCP (HTTP):
Connects to surveyslive.com  (72.32.108.144:80)
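
The observations above are usable as detection input, with care. As an added example (not part of the original page), the following Python parses lines in the page's own "Connects to host (ip:port)" format into indicators and matches them against connection logs, and adds the one rule that does not depend on this sample's destinations at all: direct outbound SMTP from a host that is not a mail relay. The indicator lines are a subset copied from the listing above; the log lines, their key=value format and the internal addresses (10.0.0.x) are constructed for the demonstration.

```python
"""Turn the page's network observations into indicators and match them against
connection logs.

Added example, not part of the original page. INDICATOR_LINES is a subset
copied verbatim from the page's network-communications section; the log lines,
their key=value format and the internal addresses are constructed.
"""
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "proto host ip port")

INDICATOR_LINES = """\
TCP (HTTP): Connects to mtsdatacentres.com  (199.27.222.110:80)
TCP (HTTP): Connects to conferencing.Level3.com  (4.68.80.110:80)
TCP (HTTP): Connects to ec2-54-165-41-78.compute-1.amazonaws.com  (54.165.41.78:80)
TCP (SMTP): Connects to xtra.co.nz  (202.27.184.102:25)
TCP (SMTP): Connects to www.catholic.org  (66.219.98.183:25)
TCP (HTTP): Connects to webportal.synacor.com  (64.8.70.102:80)
TCP (HTTP): Connects to surveyslive.com  (72.32.108.144:80)
"""

_INDICATOR_RE = re.compile(
    r"TCP \((?P<proto>\w+)\):\s*Connects to\s+(?P<host>\S+)\s+\((?P<ip>[\d.]+):(?P<port>\d+)\)"
)

# Constructed firewall-style log. 10.0.0.5 plays the site's sanctioned mail
# relay; 10.0.0.23 and 10.0.0.42 are workstations. 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges used for the non-indicator hosts.
LOG_LINES = [
    "2017-11-20T14:55:15Z src=10.0.0.23 dst=199.27.222.110 dport=80 proto=tcp host=mtsdatacentres.com",
    "2017-11-20T14:55:16Z src=10.0.0.23 dst=64.8.70.102 dport=80 proto=tcp host=webportal.synacor.com",
    "2017-11-20T14:55:17Z src=10.0.0.23 dst=202.27.184.102 dport=25 proto=tcp host=-",
    "2017-11-20T14:55:18Z src=10.0.0.5 dst=198.51.100.25 dport=25 proto=tcp host=-",
    "2017-11-20T14:55:19Z src=10.0.0.42 dst=203.0.113.10 dport=443 proto=tcp host=www.example.com",
]
MAIL_RELAYS = {"10.0.0.5"}

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_indicators(text: str) -> list:
    """Parse 'TCP (PROTO): Connects to host  (ip:port)' lines into Indicator tuples."""
    indicators = []
    for line in text.splitlines():
        m = _INDICATOR_RE.search(line)
        if m:
            indicators.append(Indicator(m["proto"], m["host"].lower(), m["ip"], int(m["port"])))
    return indicators


def parse_log_line(line: str) -> dict:
    """Split one 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def scan_logs(lines, indicators, mail_relays=MAIL_RELAYS) -> list:
    """Return findings of two kinds:
    ioc_match         destination IP or host appears in the indicator list
    workstation_smtp  outbound TCP/25 from a source that is not a sanctioned relay
    The second rule needs no indicator: a workstation talking SMTP to Internet
    mail servers is the generic fingerprint of a spam bot.
    """
    ioc_ips = {i.ip for i in indicators}
    ioc_hosts = {i.host for i in indicators}
    findings = []
    for line in lines:
        f = parse_log_line(line)
        src, dst, host = f.get("src"), f.get("dst", ""), f.get("host", "-").lower()
        try:
            dport = int(f.get("dport", "0"))
        except ValueError:
            dport = 0
        base = {"ts": f["ts"], "src": src, "dst": dst, "host": host, "dport": dport}
        if dst in ioc_ips or host in ioc_hosts:
            findings.append(dict(base, type="ioc_match"))
        if dport == 25 and src not in mail_relays:
            findings.append(dict(base, type="workstation_smtp"))
    return findings


if __name__ == "__main__":
    for fd in scan_logs(LOG_LINES, parse_indicators(INDICATOR_LINES)):
        print(f"{fd['ts']} {fd['type']:<16} {fd['src']} -> {fd['dst']}:{fd['dport']} ({fd['host']})")
```

Two caveats before turning this into blocking rules. Most destinations in the list are web or mail servers of ordinary organisations (universities, ISPs, a hosting provider): they are where the bot sent traffic, not necessarily attacker-controlled infrastructure, so treat a match as evidence of this sample's activity and expire the indicators rather than blacklisting the organisations. The SMTP rule is the durable one: it catches the spam-run behaviour whichever mail servers the bot picks next.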

Remove qexesoriqcak.exe - Powered by Reason Core Security