temp4185448946.exe

The executable temp4185448946.exe has been detected as malware by 17 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) under the name ‘TimeUpdater’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
MD5:
ae8dc673fb63309dff931d2356bc2097

SHA-1:
518a57c888b34487600a9643f8ec402a9d9f7db2

SHA-256:
4cbb9ccc7d2dfc06e4814254b26cdd56d752c5724a611853e56812e123b25c5d

Scanner detections:
17 / 68

Status:
Malware

Analysis date:
4/19/2024 9:28:33 PM UTC

Scan engine            Detection                      Engine version
---------------------  -----------------------------  ---------------
Lavasoft Ad-Aware      Trojan.GenericKD.2036865       775
avast!                 Win32:Malware-gen              2014.9-141221
Baidu Antivirus        Trojan.Win32.Kryptik           4.0.3.141221
Bitdefender            Trojan.GenericKD.2036865       1.0.20.1775
Bkav FE                HW32.Packed                    1.3.0.6267
Emsisoft Anti-Malware  Trojan.Zbot.INN                8.14.12.19.09
ESET NOD32             Win32/Kryptik.CTIK trojan      8.7.0.302.0
F-Secure               Trojan.GenericKD.2036865       11.2014-21-12_1
G Data                 Trojan.GenericKD.2036865       14.12.24
Kaspersky              Trojan-PSW.Win32.Tepfer        14.0.0.2760
Malwarebytes           Trojan.Agent                   v2014.12.19.09
MicroWorld eScan       Trojan.GenericKD.2036865       15.0.0.1065
Norman                 Trojan.GenericKD.2036865       11.20141221
nProtect               Trojan.GenericKD.2036865       14.12.19.01
Panda Antivirus        Generic Suspicious             14.12.21.11
Qihoo 360 Security     Malware.QVM10.Gen              1.0.0.1015
Reason Heuristics      Threat.Win.Reputation.IMP      14.12.21.23

File size:
1.3 MB (1,405,952 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\temp\temp4185448946.exe

File PE Metadata
Compilation timestamp:
12/16/2014 10:00:33 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:KrCG1iAAusVd0Pkfa4GyByv6olEmaiWQJTUfq5nwbb:YyQkMTlK/Lb

Entry address:
0x16815B8

Entry point:
E8, 11, 32, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 28, F1, A7, 01, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 2C, F1, A7, 01, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, 4E, 20, 00, 00, 85, C0, 75, 06, B8, 90, F2, A7, 01, C3, 83, C0, 08, C3, 8B, FF, 55, 8B, EC, 33, C0, 39, 45, 08, 6A, 00, 0F, 94, C0, 68, 00, 10, 00, 00, 50, FF, 15, 24, F0, A7, 01, A3, 8C, 8C, A8, 01, 85...

Code size:
44 KB (45,056 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
TimeUpdater

Command:
C:\windows\temp\temp4185448946.exe
Remove temp4185448946.exe - Powered by Reason Core Security