sywic.exe

The executable sywic.exe has been detected as malware by 31 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
MD5:
be8e7481b1996c1f8a63881aec8b189a

SHA-1:
162916890ee514176489dce35d78b8fa343942e7

SHA-256:
c2238ea7fb98a314049e98f02eb9e0e7d5b87bbb3ee27af198dabff4e268c338

Scanner detections:
31 / 68

Status:
Malware

Analysis date:
4/19/2024 11:40:16 PM UTC

Scan engine                    Detection                         Engine version
Lavasoft Ad-Aware              Trojan.GenericKD.1869871          862
AhnLab V3 Security             Trojan/Win32.ZBot                 2014.09.26
Avira AntiVirus                TR/Crypt.ZPACK.88407              7.11.173.108
avast!                         Win32:Dropper-gen [Drp]           2014.9-140925
AVG                            SHeur4                            2015.0.3340
Bitdefender                    Trojan.GenericKD.1869871          1.0.20.1340
Bkav FE                        HW32.Paked                        1.3.0.4959
Comodo Security                TrojWare.Win32.Spy.Zbot.GLC       19620
Dr.Web                         Trojan.Siggen6.15132              9.0.1.05190
Emsisoft Anti-Malware          Trojan.GenericKD.1869871          8.14.09.25.05
ESET NOD32                     Win32/Kryptik.CLOX (variant)      8.10441
Fortinet FortiGate             W32/Zbot.CLOX!tr                  9/25/2014
F-Secure                       Trojan.GenericKD.1869871          11.2014-25-09_5
G Data                         Trojan.GenericKD.1869871          14.9.24
IKARUS anti.virus              Trojan-Ransom.Win32.Blocker       t3scan.1.7.8.0
K7 AntiVirus                   Riskware                          13.183.13432
Kaspersky                      Trojan-Spy.Win32.Zbot             14.0.0.3197
Malwarebytes                   Spyware.Password                  v2014.09.25.05
McAfee                         PWSZbot-FADO!99E479CCF884         5600.6996
Microsoft Security Essentials  Threat.Undefined                  1.185.1121.0
MicroWorld eScan               Trojan.GenericKD.1869871          15.0.0.804
NANO AntiVirus                 Trojan.Win32.Zbot.dfhkjn          0.28.2.62286
nProtect                       Trojan.GenericKD.1869871          14.09.25.01
Panda Antivirus                Trj/Genetic.gen                   14.09.25.05
Qihoo 360 Security             Malware.QVM20.Gen                 1.0.0.1015
Rising Antivirus               PE:Malware.XPACK-LNR/Heur!1.5594  23.00.65.14923
Sophos                         Mal/EncPk-AFC                     4.98
SUPERAntiSpyware               Trojan.Agent/PWS-Zbot             10338
Total Defense                  Win32/Zbot.GdcBKE                 37.0.11199
VIPRE Antivirus                Threat.4150696                    33120
Zillya! Antivirus              Trojan.Zbot.Win32.166697          2.0.0.1934

File size:
284.3 KB (291,072 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\awzuxogy\sywic.exe

File PE Metadata
Compilation timestamp:
3/20/2011 11:37:16 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:y2EnIW7iI6kSKxU0hJTOz6tcqaF2Mzry+oDXz7iKiqJAkh+fX:yNIsjrSgJ8V2Mzry+oDzOKlJA4+fX

Entry address:
0x1296C

Entry point:
55, 8B, EC, 81, EC, F8, 00, 00, 00, 8B, 05, 20, 38, 43, 00, EB, 43, 2B, D0, B9, AB, 0F, 00, 00, 83, FB, 54, 75, 37, 89, 8D, 44, FF, FF, FF, EB, 2F, 23, C2, 8B, 15, 90, 37, 43, 00, A9, 19, DE, 00, 00, 74, 20, BB, 84, 90, 00, 00, 0D, 00, 22, 41, 25, 89, 85, 30, FF, FF, FF, 89, 95, 30, FF, FF, FF, EB, 08, 2B, C6, 89, 85, 68, FF, FF, FF, 53, 83, E8, 7D, 3D, 57, A0, 00, 00, 74, 06, 89, 85, 14, FF, FF, FF, 56, 89, 45, A0, 57, 8B, 55, A0, 89, 55, A0, A9, D4, 00, 00, 00, 75, 03, 89, 55, A0, 8D, 85, 6C, FF, FF, FF...

Entropy:
7.9063

Developed / compiled with:
Microsoft Visual C++

Code size:
162.5 KB (166,400 bytes)

Scheduled Task
Task name:
Security Center Update - 657889205

Trigger:
Daily (Runs daily at 1:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to nuq05s01-in-f27.1e100.net  (74.125.239.123:80)

TCP (HTTP):
Connects to ec2-54-243-123-107.compute-1.amazonaws.com  (54.243.123.107:80)

TCP (HTTP):
Connects to ec2-54-225-139-61.compute-1.amazonaws.com  (54.225.139.61:80)

TCP (HTTP):
Connects to cf-190-93-246-37.cloudflare.com  (190.93.246.37:80)

TCP (HTTP):
Connects to cf-190-93-244-24.cloudflare.com  (190.93.244.24:80)

TCP (HTTP):
Connects to a23-67-247-105.deploy.static.akamaitechnologies.com  (23.67.247.105:80)
