tiddiszagtor.exe

Faster Aids Manager

XIGMATEK

The executable tiddiszagtor.exe has been detected as malware by 34 of 68 anti-virus scanners. It is set to start automatically whenever the user logs into Windows, via the current-user Run registry key, under the value name 'tiddiszagtor'. Several engines (AhnLab, McAfee, Quick Heal) classify it as a variant of Zbot (Zeus), a trojan that steals confidential information (online credentials and banking details) from the compromised computer and sends it to criminals via a command-and-control server. Other engines label the same file Yakes, Cutwail, Androm or Necurs, or only as a generically packed trojan (Kryptik, Crypt.XPACK), so the family name should be read as a best guess rather than a firm identification. While running, it connects to www.t-online.de on port 25, one of several direct SMTP connections listed below.
Publisher:
XIGMATEK

Product:
Faster Aids Manager

Version:
8.2.0

MD5:
cd48bea993838b6a1ed9e95062fb9ded

SHA-1:
fca2d575095d21936785bb91a0631f2a8dfa3dec

SHA-256:
50798f6833a88c27ac9318266003b4145c3e98fdfa5b56d6e060bf8b618c1240

Scanner detections:
34 / 68

Status:
Malware

Analysis date:
4/25/2024 2:51:46 PM UTC

Scan engine                    Detection                          Engine version
Lavasoft Ad-Aware              Gen:Variant.Symmi.2761             386
Agnitum Outpost                Trojan.Kryptik                     7.1.1
AhnLab V3 Security             Spyware/Win32.Zbot                 2014.08.28
Avira AntiVirus                TR/Crypt.XPACK.Gen                 7.11.169.164
avast!                         Win32:Crypt-NUB [Trj]              2014.9-160114
AVG                            Generic29                          2017.0.2864
Baidu Antivirus                Trojan.Win32.Generic               4.0.3.16114
Bitdefender                    Gen:Variant.Symmi.2761             1.0.20.70
Comodo Security                UnclassifiedMalware                19338
Dr.Web                         Trojan.Siggen4.20188               9.0.1.014
Emsisoft Anti-Malware          Gen:Variant.Symmi.2761             8.16.01.14.11
ESET NOD32                     Win32/Kryptik.ALQU (variant)       10.10327
Fortinet FortiGate             W32/Androm.DW!tr                   1/14/2016
F-Secure                       Gen:Variant.Symmi.2761             11.2016-14-01_5
G Data                         Gen:Variant.Symmi.2761             16.1.24
IKARUS anti.virus              Trojan.Win32.Yakes                 t3scan.1.7.5.0
K7 AntiVirus                   Trojan                             13.183.13166
Kaspersky                      HEUR:Trojan.Win32.Generic          14.0.0.815
Malwarebytes                   Trojan.Phex.THAGen9                v2016.01.14.11
McAfee                         PWS-Zbot.gen.aml                   5600.6520
Microsoft Security Essentials  TrojanDownloader:Win32/Cutwail.BV  1.10904
MicroWorld eScan               Gen:Variant.Symmi.2761             17.0.0.42
NANO AntiVirus                 Trojan.Win32.Yakes.wvvfc           0.28.2.61861
nProtect                       Trojan/W32.Agent.108032.TL         14.08.27.01
Panda Antivirus                Trj/Pacrypt.C                      16.01.14.11
Qihoo 360 Security             HEUR/Malware.QVM20.Gen             1.0.0.1015
Quick Heal                     TrojanPWS.Zbot.Y                   1.16.14.00
Sophos                         Mal/NecursDrp-A                    4.98
SUPERAntiSpyware               Trojan.Agent/Gen                   9385
Trend Micro House Call         TROJ_YAKES.TP                      7.2.14
Trend Micro                    TROJ_YAKES.TP                      10.465.14
VIPRE Antivirus                Lookslike.Win32.Cbeplay.p          32614
ViRobot                        Trojan.Win32.A.Yakes.108032.J      2011.4.7.4223
Zillya! Antivirus              Trojan.Yakes.Win32.6040            2.0.0.1903

File size:
105.5 KB (108,032 bytes)

Product version:
8.2.0

Copyright:
©XIGMATEK 1999-2000

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\franco\tiddiszagtor.exe

File PE Metadata
Compilation timestamp:
9/10/2012 5:42:01 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:8/YPZX7rbrOUgEmrZlLb+eNIz8sqaASyCm7VMKbHLKk:8sX7rbrzmrZlLmgb2iZ/bB

Entry address:
0x10090

Entry point:
E8, 4B, 61, 00, 00, 6A, 00, 68, 60, 9A, 41, 00, FF, 15, 78, 70, 41, 00, 8B, 0D, 20, 70, 41, 00, 6A, 00, 68, 80, 62, 41, 00, 6A, 10, 50, 89, 0D, BC, AD, 41, 00, FF, D1, 6A, 29, FF, 15, 50, 70, 41, 00, 68, D0, D3, 40, 00, 68, 30, 06, 41, 00, E8, 0F, 0D, 00, 00, 68, 70, C5, 40, 00, 6A, 52, E8, A3, 2D, FF, FF, 68, 80, FE, 40, 00, 68, 10, A1, 40, 00, 68, C0, 59, 41, 00, 68, 70, FC, 40, 00, E8, FA, 84, FF, FF, 68, C0, 8D, 40, 00, E8, 60, 18, 00, 00, 6A, 0E, 6A, 0A, FF, 15, 70, AD, 41, 00, 83, C4, 2C, 33, C0, C3...

Code size:
85 KB (87,040 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
tiddiszagtor

Command:
C:\users\franco\tiddiszagtor.exe
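As an added example (not part of the Reason Core report), the following Python script checks an exported Run key for the value name above and for executables launched from user-writable locations, and hashes file contents against the MD5, SHA-1 and SHA-256 digests given on this page. The .reg text is constructed for the demo and the OneDrive row is a made-up benign entry for contrast; the user-writable-path heuristic is the editor's, not the report's.

```python
"""Persistence and hash triage for the indicators on this page.
Added example, not Reason Core code; the .reg text below is constructed."""
import hashlib
import re

# Digests and Run-key value name taken from the report.
IOC_HASHES = {
    "md5": "cd48bea993838b6a1ed9e95062fb9ded",
    "sha1": "fca2d575095d21936785bb91a0631f2a8dfa3dec",
    "sha256": "50798f6833a88c27ac9318266003b4145c3e98fdfa5b56d6e060bf8b618c1240",
}
IOC_RUN_NAME = "tiddiszagtor"

# Constructed sample of
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# The OneDrive row is a made-up benign entry for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"tiddiszagtor"="C:\\users\\franco\\tiddiszagtor.exe"
"""

RUN_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# An .exe sitting directly in a profile root, or anywhere under AppData or a
# Temp directory, is where dropped persistence binaries normally live.
USER_WRITABLE_RE = re.compile(
    r'^[a-z]:\\users\\[^\\]+\\(?:[^\\]+\.exe$|appdata\\|(?:.*\\)?temp\\)',
    re.IGNORECASE,
)


def parse_run_values(reg_text):
    """Return (value_name, command) pairs from a .reg export of a Run key."""
    entries = []
    for line in reg_text.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if m:
            name, raw = m.groups()
            # .reg files escape backslashes and double quotes; undo that.
            entries.append((name, raw.replace("\\\\", "\\").replace('\\"', '"')))
    return entries


def exe_path(command):
    """Extract the executable path from a quoted or bare Run command."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command


def suspicious_run_entries(reg_text):
    """Flag entries whose name matches the IOC or that run from user-writable paths."""
    hits = []
    for name, command in parse_run_values(reg_text):
        path = exe_path(command)
        reasons = []
        if name.lower() == IOC_RUN_NAME:
            reasons.append("value name matches report")
        if USER_WRITABLE_RE.match(path):
            reasons.append("launches from user-writable location")
        if reasons:
            hits.append((name, path, reasons))
    return hits


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of file contents, keyed like IOC_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def matches_ioc(hashes):
    """True when any digest equals the report's digest for the same algorithm."""
    return any(hashes.get(alg) == digest for alg, digest in IOC_HASHES.items())


if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{name}: {path} -> {', '.join(reasons)}")
    # On a live host, read the flagged file and call matches_ioc(file_hashes(data)).
```

The path heuristic catches this sample even if the value name were changed, because the binary runs from the root of a user profile rather than from Program Files; the hash check is exact and only confirms this specific build.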
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to adtbusiness.com  (216.224.192.243:80)

TCP (HTTP):
Connects to wwwp.oakland.edu  (141.210.5.108:80)

TCP (SMTP):
Connects to www.t-online.de  (217.6.164.162:25)

TCP (SMTP):
Connects to www.cruzio.com  (63.249.93.172:25)

TCP (SMTP):
Connects to wf.networksolutions.com  (205.178.189.131:25)

TCP (SMTP):
Connects to unknown.prolexic.com  (72.52.4.119:25)

TCP (HTTP):
Connects to ip-184-168-221-32.ip.secureserver.net  (184.168.221.32:80)

TCP (SMTP):
Connects to h40s184.ispnet.us  (208.82.184.40:25)

TCP (HTTP):
Connects to creightontoday.com  (147.134.13.145:80)

TCP (HTTP):
Connects to aismail.aeroinc.net  (216.82.160.146:80)
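As an added example (not part of the Reason Core report), the following Python script matches firewall or flow log lines against the destination addresses and ports listed above, and separately flags any workstation that opens TCP/25 to something other than the sanctioned mail relay. The log lines, the 10.0.0.0/8 workstation range and the relay address 10.1.1.25 are constructed for the demo. The second rule matters because the SMTP destinations above are public mail hosts of ordinary organisations rather than attacker infrastructure, so an exact IP list will go stale quickly while the behaviour (a client sending mail directly) stays constant.

```python
"""Match flow log lines against the network indicators on this page.
Added example, not Reason Core code; the log lines, the 10.0.0.0/8 workstation
range and the relay address are constructed for the demo."""
import ipaddress
from collections import namedtuple

# (destination IP, port) pairs observed for this sample, from the report.
IOC_ENDPOINTS = {
    ("216.224.192.243", 80), ("141.210.5.108", 80), ("217.6.164.162", 25),
    ("63.249.93.172", 25), ("205.178.189.131", 25), ("72.52.4.119", 25),
    ("184.168.221.32", 80), ("208.82.184.40", 25), ("147.134.13.145", 80),
    ("216.82.160.146", 80),
}
WORKSTATIONS = ipaddress.ip_network("10.0.0.0/8")   # assumed client address range
MAIL_RELAYS = {"10.1.1.25"}                          # assumed sanctioned SMTP relay

# Constructed log: "timestamp src_ip src_port dst_ip dst_port proto" per line.
SAMPLE_LOG = """\
2024-04-25T14:51:46Z 10.0.0.37 49213 217.6.164.162 25 tcp
2024-04-25T14:51:47Z 10.0.0.37 49214 216.224.192.243 80 tcp
2024-04-25T14:51:48Z 10.0.0.37 49215 10.1.1.25 25 tcp
2024-04-25T14:51:49Z 10.0.0.42 49216 203.0.113.9 443 tcp
2024-04-25T14:51:50Z 10.0.0.37 49217 198.51.100.7 25 tcp
"""

Alert = namedtuple("Alert", "ts src dst dport reason")


def parse_line(line):
    """Split one log line into the fields the rules need."""
    ts, src, _sport, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def analyse(log_text):
    """Apply two rules: exact IOC match, and direct SMTP from a workstation.

    The second rule is the durable one: the sample's SMTP targets are public
    mail hosts, so it will keep talking to addresses no IOC list contains.
    A client bypassing the sanctioned relay on TCP/25 is the behaviour to catch.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if (dst, dport) in IOC_ENDPOINTS:
            alerts.append(Alert(ts, src, dst, dport, "known destination for this sample"))
        elif (proto == "tcp" and dport == 25
              and ipaddress.ip_address(src) in WORKSTATIONS
              and dst not in MAIL_RELAYS):
            alerts.append(Alert(ts, src, dst, dport, "direct outbound SMTP from workstation"))
    return alerts


def hosts_to_isolate(alerts):
    """Source addresses that produced at least one alert, for containment."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
    print("isolate:", hosts_to_isolate(found))
```

On the constructed log the first two lines hit the report's indicator list, the relay connection is ignored, the HTTPS line is ignored, and the last line is caught only by the behavioural rule; all three alerts point at the same client, which is the one to isolate and image.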

Remove tiddiszagtor.exe - Powered by Reason Core Security