qexewi.exe

Punto Switcher

ООО Яндекс

The executable qexewi.exe, whose version resource describes it as "Выгрузчик Punto Switcher" (Punto Switcher Unloader) from ООО Яндекс (Yandex LLC), has been detected as malware by 37 of 68 anti-virus scanners. That metadata imitates Yandex's keyboard-layout switcher and is not evidence of origin: a PE's version resource is written by whoever builds the file, and the reported common path (a randomly named folder under the user's AppData\Roaming) is where the file actually lives, not a Yandex install directory. It persists as a Windows Task Scheduler task whose name and description imitate a Security Center maintenance job, triggered daily at a fixed time. According to the detections, most engines classify it as a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from the compromised computer and sends it to its operators through a command-and-control server. Several engines (Kaspersky, IKARUS, NANO, Zillya, Vba32) instead label it Trojan-Ransom.Win32.Blocker and AhnLab reports Dropper/Win32.Necurs, so the family attribution from signature names alone is not conclusive.
Publisher:
ООО Яндекс (Yandex LLC)

Product:
Punto Switcher

Description:
Выгрузчик Punto Switcher (Punto Switcher Unloader)

Version:
3.2.3.51

MD5:
edf1fc48d188de467f5c8af7baa2e960

SHA-1:
b276b1516dec4a0813f5b8b2604545b406e07f87

SHA-256:
4f3788abcec837ceb49aaf079b85ae75026af69e80185811889e7f83aef9fd74

Scanner detections:
37 / 68

Status:
Malware

Analysis date:
5/8/2024 4:56:35 PM UTC

Scan engine                      Detection                      Engine version
Lavasoft Ad-Aware                Trojan.Agent.BEQN              839
AegisLab AV Signature            Troj.W32.Gen                   2.1.4+
AhnLab V3 Security               Dropper/Win32.Necurs           2014.08.23
Avira AntiVirus                  TR/Spy.ZBot.sifgdkw            7.11.168.222
avast!                           Win32:Zbot-UJZ [Trj]           141003-0
AVG                              Trojan horse Zbot.MTB          2014.0.4040
Baidu Antivirus                  Trojan.Win32.Zbot              4.0.3.141018
Bitdefender                      Trojan.Agent.BEQN              1.0.20.1455
Clam AntiVirus                   Win.Trojan.Zbot-36049          0.98/21411
Comodo Security                  TrojWare.Win32.Spy.Zbot.BH     19393
Dr.Web                           Trojan.Packed.28485            9.0.1.05190
Emsisoft Anti-Malware            Trojan.Agent.BEQN              14.10.18
ESET NOD32                       Win32/Spy.Zbot.ABA trojan      7.0.302.0
Fortinet FortiGate               W32/Zbot.ABA!tr                10/18/2014
F-Prot                           W32/Backdoor2.HVQJ             4.6.5.141
F-Secure                         Trojan.Agent.BEQN              11.2014-18-10_7
G Data                           Trojan.Agent.BEQN              14.10.24
IKARUS anti.virus                Trojan-Ransom.Win32.Blocker    t3scan.1.7.5.0
K7 AntiVirus                     Trojan                         13.184.13727
Kaspersky                        Trojan-Ransom.Win32.Blocker    15.0.0.494
Malwarebytes                     Trojan.Spy.Zbot                v2014.10.18.02
McAfee                           PWSZbot-FABY!D103D073C84A      5600.6973
Microsoft Security Essentials    Threat.Undefined               1.181.345.0
MicroWorld eScan                 Trojan.Agent.BEQN              15.0.0.873
NANO AntiVirus                   Trojan.Win32.Blocker.ddwcxw    0.28.2.61721
Norman                           ZBot.VFJI                      11.20141018
nProtect                         Trojan.Agent.BEQN              14.08.22.01
Panda Antivirus                  Trj/Genetic.gen                14.10.18.02
Qihoo 360 Security               Malware.QVM20.Gen              1.0.0.1015
Quick Heal                       TrojanPWS.Zbot.Gen             10.14.14.00
Reason Heuristics                Threat.Win.Reputation.IMP      14.10.18.14
Sophos                           Troj/Agent-AIKH                4.98
SUPERAntiSpyware                 Trojan.Agent/Gen-Blocker       10292
Total Defense                    Win32/Zbot.eFPIPXD             37.0.11136
Vba32 AntiVirus                  Hoax.Blocker                   3.12.26.3
VIPRE Antivirus                  Threat.5063768                 32210
Zillya! Antivirus                Trojan.Blocker.Win32.20929     2.0.0.1899

File size:
443.5 KB (454,144 bytes)

Product version:
3.2.3.51

Copyright:
Copyright 2008-2011 ООО Яндекс

Trademarks:
Punto Switcher

Original file name:
puntounloader.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\pimiul\qexewi.exe

File PE Metadata
Compilation timestamp:
8/15/2014 11:33:29 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:N9coF/1tTIMSFdodPF4TFYfhswwmgU+iLUn9FbXTNd:N/FttTWEPF4xuwmqxn9xXTN

Entry address:
0x21D0

Entry point:
55, 8B, EC, 81, EC, A4, 02, 00, 00, C7, 85, 44, FE, FF, FF, 33, 00, 00, 00, 6A, 00, FF, 15, 78, 11, 40, 00, 68, 79, 0B, 00, 00, 6A, 00, FF, 15, 7C, 11, 40, 00, 85, C0, 74, 07, 33, C0, E9, 73, 03, 00, 00, 6A, 01, FF, 15, 80, 11, 40, 00, 68, 79, 0B, 00, 00, 6A, 00, FF, 15, 7C, 11, 40, 00, 85, C0, 74, 07, 33, C0, E9, 53, 03, 00, 00, C7, 85, 70, FD, FF, FF, 00, 00, 00, 00, EB, 0F, 8B, 8D, 70, FD, FF, FF, 83, C1, 01, 89, 8D, 70, FD, FF, FF, 83, BD, 70, FD, FF, FF, 07, 73, 02, EB, E6, 8B, 85, 74, FD, FF, FF, 8B...

Entropy:
5.8885

Developed / compiled with:
Microsoft Visual C++

Code size:
416.5 KB (426,496 bytes)
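Every field in the PE metadata block above (compilation timestamp, linker and OS version, subsystem, entry address, entry-point bytes, entropy) is read straight out of the PE headers, and reproducing them is a useful sanity check before trusting a third-party report. The Python below is an added example, not code from this page or from Reason Core Security. It parses those fields with only the standard library and exercises the parser against a constructed, non-runnable PE32 stub that carries the same header values as the report (the stub is not qexewi.exe, and the 11:33:29 compilation time is assumed to be UTC). Two caveats a practitioner should keep in mind: TimeDateStamp and the linker version are written by whoever built the file and are trivially forged, and an entropy near 5.9 is what ordinary Visual C++ output looks like, which agrees with the "Microsoft Visual C++" identification but does not rule out a small encrypted blob inside the image.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the whole file (0.0 for empty input,
    8.0 maximum). Packed or encrypted content pushes this toward 7-8; ordinary
    compiler output, as reported for this sample, sits well below that."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset through the section table."""
    for vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def triage_pe(data: bytes, entry_bytes: int = 16) -> dict:
    """Read the header fields listed in the report directly from the PE headers.
    Offsets follow the PE/COFF spec; PE32 and PE32+ share the ones used here."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor, code_size = struct.unpack_from("<HBBI", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sec_hdr = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec_hdr + 40 * i + 8) for i in range(nsections)]
    entry_off = _rva_to_offset(sections, entry_rva)
    return {
        "machine": f"{machine:#06x}",
        "bitness": {0x10B: "Win32", 0x20B: "Win64"}.get(magic, f"unknown({magic:#x})"),
        "is_dll": bool(chars & 0x2000),
        # TimeDateStamp is whatever the linker (or the attacker) wrote; treat it as a hint.
        "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": code_size,
        "entry_address": entry_rva,
        "entry_point": ", ".join(f"{b:02X}" for b in data[entry_off:entry_off + entry_bytes]),
        "entropy": round(shannon_entropy(data), 4),
    }


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 stub carrying the header values the report
    lists (linker 9.0, OS 5.0, GUI subsystem, entry RVA 0x21D0, an MSVC prologue
    at the entry point). It is NOT qexewi.exe; it only exercises triage_pe()."""
    timestamp = 1408102409            # 2014-08-15 11:33:29, assumed UTC
    entry_rva, text_rva, text_raw, text_size = 0x21D0, 0x1000, 0x400, 0x2000
    entry_code = bytes.fromhex("558BEC81ECA4020000")  # push ebp; mov ebp,esp; sub esp,0x2A4
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 9, 0,                              # PE32, linker 9.0
                      text_size, 0, 0, entry_rva, text_rva, 0,  # sizes, entry, bases
                      0x400000, 0x1000, 0x200,                  # image base, alignments
                      5, 0, 0, 0, 5, 0,                         # OS 5.0, image ver, subsystem ver
                      0, text_rva + text_size, text_raw, 0,     # SizeOfImage, SizeOfHeaders, checksum
                      2, 0,                                     # Windows GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(16 * 8)                                        # empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += bytes(text_raw - len(headers))
    text = bytearray(text_size)
    text[entry_rva - text_rva:entry_rva - text_rva + len(entry_code)] = entry_code
    return headers + bytes(text)


if __name__ == "__main__":
    for key, value in triage_pe(build_sample_pe()).items():
        print(f"{key:>14}: {value}")
```

Run it against a real file with `triage_pe(open(path, "rb").read())`; the entry-point bytes it prints should match the "Entry point" line of a report like this one, and a mismatch means the report and the file on disk are not the same build.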

Scheduled Task
Task name:
Security Center Update - 2386768902

Trigger:
Daily (Runs daily at 3:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin
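A hunter working from this page wants three things in machine-checkable form: the hashes as indicators, the drop-path pattern (a random folder holding a random-named .exe under AppData\Roaming), and the scheduled task that anchors persistence. The Python below is an added example, not code from this page or from Reason Core Security. It checks a file's MD5, SHA-1 and SHA-256 against the values listed above, flags the drop-path pattern and the Security Center lure name, and parses a Task Scheduler XML definition (the format `schtasks /Query /XML` exports) to report what a task runs and how often. The task XML and the file bytes in the block are constructed stand-ins; the path and name heuristics are assumptions added here, not indicators from the report, and they will also match some legitimate per-user software, so a hit is a lead to confirm by hash rather than a verdict.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Hashes of the sample exactly as this report lists them.
IOC_HASHES = {
    "md5": "edf1fc48d188de467f5c8af7baa2e960",
    "sha1": "b276b1516dec4a0813f5b8b2604545b406e07f87",
    "sha256": "4f3788abcec837ceb49aaf079b85ae75026af69e80185811889e7f83aef9fd74",
}

# Heuristics (assumptions, not taken from the report): a random lowercase folder
# directly under AppData\Roaming holding a random lowercase .exe, as in
# ...\appdata\roaming\pimiul\qexewi.exe, and a task name that imitates the
# Windows Security Center. Both can also hit legitimate per-user software.
DROP_PATH = re.compile(r"\\AppData\\Roaming\\[a-z]{4,10}\\[a-z]{4,10}\.exe$", re.IGNORECASE)
LURE_NAME = re.compile(r"security\s*center\s*update", re.IGNORECASE)

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition modelled on the report's Scheduled Task section.
# It is not an export from an infected host.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Keeps your Security Center software up to date.</Description>
    <URI>\Security Center Update - 2386768902</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2014-10-18T15:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\pimiul\qexewi.exe</Command></Exec>
  </Actions>
</Task>"""


def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes, keyed like IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def matches_ioc(data: bytes) -> bool:
    """True when any digest of the file equals the reported sample's digest."""
    digests = hashes_of(data)
    return any(digests[name] == value for name, value in IOC_HASHES.items())


def is_suspicious_drop_path(path: str) -> bool:
    return DROP_PATH.search(path) is not None


def assess_task(xml_text: str) -> dict:
    """Pull name, action and trigger out of a Task Scheduler XML definition and
    list the reasons (if any) it resembles this sample's persistence."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    trigger = root.find("t:Triggers/t:CalendarTrigger", NS)
    daily = trigger is not None and trigger.find("t:ScheduleByDay", NS) is not None
    start = trigger.findtext("t:StartBoundary", default="", namespaces=NS) if trigger is not None else ""
    reasons = []
    if LURE_NAME.search(uri):
        reasons.append("task name imitates a Security Center maintenance job")
    for cmd in commands:
        if is_suspicious_drop_path(cmd):
            reasons.append(f"action runs from a per-user drop path: {cmd}")
    return {
        "name": uri.lstrip("\\"),
        "commands": commands,
        "daily": daily,
        "start": start,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def hunt(task_xml: str, file_bytes: bytes) -> dict:
    """Combine the task assessment with a hash check of the file the task runs."""
    result = assess_task(task_xml)
    result["hash_match"] = matches_ioc(file_bytes)
    return result


if __name__ == "__main__":
    # The file bytes are a stand-in; on a live host read the task's Command path.
    verdict = hunt(SAMPLE_TASK_XML, b"stand-in bytes, not the sample")
    for key, value in verdict.items():
        print(f"{key:>10}: {value}")
```

On a live host, feed `assess_task` the XML of each task under the user's task folder and `matches_ioc` the bytes at each flagged Command path; a path hit with no hash match still deserves a look, since Zbot builds differ per campaign while the drop-path and task-name habits persist.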


The executing file has been seen to make the following network communications in live environments. Every destination listed resolves to shared hosting, CDN or advertising infrastructure (Google's 1e100.net, Amazon EC2 and CloudFront, Facebook, Criteo, AOL), which is what ordinary web traffic looks like; none of these hosts is identified here as the command-and-control server, and blocking them by IP would disrupt legitimate traffic without affecting the trojan's C2.

TCP (HTTP):
Connects to yk-in-f157.1e100.net  (74.125.196.157:80)

TCP (HTTP):
Connects to yk-in-f155.1e100.net  (74.125.196.155:80)

TCP (HTTP SSL):
Connects to yk-in-f148.1e100.net  (74.125.196.148:443)

TCP (HTTP):
Connects to static.ny.us.criteo.net  (74.119.118.91:80)

TCP (HTTP SSL):
Connects to server-54-239-172-206.atl50.r.cloudfront.net  (54.239.172.206:443)

TCP (HTTP):
Connects to server-54-230-205-215.atl50.r.cloudfront.net  (54.230.205.215:80)

TCP (HTTP):
Connects to leonardo.datablocks.net  (199.212.255.136:80)

TCP (HTTP SSL):
Connects to edge-star-shv-04-atl1.facebook.com  (31.13.65.49:443)

TCP (HTTP):
Connects to ec2-54-84-191-96.compute-1.amazonaws.com  (54.84.191.96:80)

TCP (HTTP):
Connects to ec2-54-84-145-193.compute-1.amazonaws.com  (54.84.145.193:80)

TCP (HTTP):
Connects to ec2-54-243-35-239.compute-1.amazonaws.com  (54.243.35.239:80)

TCP (HTTP SSL):
Connects to ec2-54-225-216-126.compute-1.amazonaws.com  (54.225.216.126:443)

TCP (HTTP):
Connects to ec2-54-210-149-198.compute-1.amazonaws.com  (54.210.149.198:80)

TCP (HTTP):
Connects to ec2-54-183-153-176.us-west-1.compute.amazonaws.com  (54.183.153.176:80)

TCP (HTTP):
Connects to ec2-54-183-15-166.us-west-1.compute.amazonaws.com  (54.183.15.166:80)

TCP (HTTP):
Connects to ec2-184-73-190-201.compute-1.amazonaws.com  (184.73.190.201:80)

TCP (HTTP):
Connects to ec2-107-20-236-124.compute-1.amazonaws.com  (107.20.236.124:80)

TCP (HTTP):
Connects to ec2-107-20-199-246.compute-1.amazonaws.com  (107.20.199.246:80)

TCP (HTTP):
Connects to ec2-107-20-139-109.compute-1.amazonaws.com  (107.20.139.109:80)

TCP (HTTP):
Connects to b-shared-b-atc.evip.aol.com  (149.174.98.86:80)

Remove qexewi.exe - Powered by Reason Core Security