» tygiowd.exe
Overview
Analysis
File Details
Behaviors (1)
Network (44)

tygiowd.exe

Mesrisift Visaal Studio 2010

Mesrisift Corporatien

The executable tygiowd.exe, “Mesrisift Visaal Studie 2010” has been detected as malware by 28 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address mail.brochard.co.uk on port 80 using the HTTP protocol.

File name:

tygiowd.exe

Publisher:

Mesrisift Corporatien

Product:

Mesrisift® Visaal Studio® 2010

Description:

Mesrisift Visaal Studie 2010

Version:

1.9.43074.5121 built by: SP1Rel

MD5:

507d85e03f051345991b90633eefd65a

SHA-1:

e857cfdf000a59069c1e87a36a1d3172c61f0b40

SHA-256:

9b700b241485b8bdd7018c1dc214345f032a9acfdc1d36ee21858191420734b4

Scanner detections:

28 / 68

Status:

Malware

Analysis date:

4/25/2024 11:20:00 PM UTC (a few moments ago)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.11622707

893

Agnitum Outpost

TrojanSpy.Zbot

7.1.1

AhnLab V3 Security

Trojan/Win32.Zbot

2014.08.26

Avira AntiVirus

TR/Crypt.ZPACK.Gen2

7.11.30.172

avast!

Win32:Malware-gen

140813-1

AVG

Trojan horse Zbot.NAW

2014.0.4007

Bitdefender

Trojan.Generic.11622707

1.0.20.1190

Bkav FE

HW32.CDB

1.3.0.4959

Dr.Web

Trojan.Packed

9.0.1.0238

Emsisoft Anti-Malware

Trojan.Generic.11622707

9.0.0.4324

ESET NOD32

Win32/Spy.Zbot.ABA

8.10316

Fortinet FortiGate

W32/Kryptik.CJED!tr

8/26/2014

F-Secure

Trojan.Generic.11622707

11.2014-26-08_3

G Data

Trojan.Generic.11622707

14.8.24

K7 AntiVirus

Riskware

13.183.13160

Kaspersky

Trojan-Spy.Win32.Zbot

15.0.0.463

Malwarebytes

Trojan.Zbot.gen

v2014.08.26.05

McAfee

PWSZbot-FABW!507D85E03F05

5600.7027

Microsoft Security Essentials

Threat.Undefined

1.183.505.0

MicroWorld eScan

Trojan.Generic.11622707

15.0.0.714

NANO AntiVirus

Trojan.Win32.Zbot.decnmn

0.28.2.61861

nProtect

Trojan.Generic.11622707

14.08.25.01

Panda Antivirus

Trj/Genetic.gen

14.08.26.05

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

14.9.2.18

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.14824

SUPERAntiSpyware

Trojan.Agent/Gen-Falcomp[i]

10399

VIPRE Antivirus

Threat.4789469

32210

File size:

299 KB (306,201 bytes)

Product version:

1.9.43074.5121

Original file name:

divanv.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\koasty\tygiowd.exe

File PE Metadata

Compilation timestamp:

4/27/2011 11:35:44 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

6144:frpraQi2XLoc6Lry04hUzCmbgPWhpFqDDVrTIfHybEi+fHF6u1:DprY3c6fyfUzCPPW1qDxgyI3HF31

Entry address:

0xCA20

Entry point:

55, 8B, EC, 81, EC, 80, 01, 00, 00, EB, 2F, 33, DA, 8B, C7, 68, 00, 30, CD, 12, E8, A1, 20, 00, 00, 83, C4, 04, E8, 18, 1F, 00, 00, 89, 45, D4, EB, 14, 6A, B3, 51, 6A, EE, 6A, E4, 68, 00, 69, 97, B2, E8, DC, 16, 00, 00, 83, C4, 14, 53, 89, 85, C4, FE, FF, FF, 56, 03, C0, 8B, 95, C4, FE, FF, FF, 83, FA, 02, 74, 21, 33, C2, 8B, B5, C4, FE, FF, FF, 3B, 85, 90, FE, FF, FF, 75, 11, 89, 85, C4, FE, FF, FF, 8B, CE, 3B, CE, 74, 05, E8, B1, 15, 00, 00, 57, 89, B5, C4, FE, FF, FF, 83, F6, 2A, 8B, 15, 0C, CA, 42, 00... 
[+]

Entropy:

7.8595

Developed / compiled with:

Microsoft Visual C++

Code size:

139.5 KB (142,848 bytes)

Scheduled Task

Task name:

Security Center Update - 2065485923

Trigger:

Daily (Runs daily at 4:00 AM)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to vip-112.lax.adconion.com (207.171.14.112:80)

TCP (HTTP):

Connects to qh-in-f95.1e100.net (74.125.22.95:80)

TCP (HTTP):

Connects to network.realmedia.com (208.71.122.192:80)

TCP (HTTP):

Connects to net64-20-243-254.static-customer.corenap.com (64.20.243.254:80)

TCP (HTTP):

Connects to m-prd-umpxl-adcom-mtc.evip.aol.com (64.12.68.41:80)

TCP (HTTP):

Connects to m-prd-pxl-adcom-mtc.evip.aol.com (64.12.106.9:80)

TCP (HTTP):

Connects to mpr2.ngd.vip.bf1.yahoo.com (98.139.225.43:80)

TCP (HTTP):

Connects to mallet9.wikipolo.com (46.244.10.228:80)

TCP (HTTP):

Connects to mail.brochard.co.uk (88.208.192.185:80)

TCP (HTTP):

Connects to iad23s26-in-f28.1e100.net (173.194.121.60:80)

TCP (HTTP):

Connects to iad23s26-in-f25.1e100.net (173.194.121.57:80)

TCP (HTTP):

Connects to iad23s05-in-f25.1e100.net (74.125.228.25:80)

TCP (HTTP):

Connects to float.2045.bm-impbus.prod.nym2.adnexus.net (68.67.153.164:80)

TCP (HTTP):

Connects to ec2-54-235-129-196.compute-1.amazonaws.com (54.235.129.196:80)

TCP (HTTP):

Connects to ec2-54-225-175-13.compute-1.amazonaws.com (54.225.175.13:80)

TCP (HTTP):

Connects to ec2-54-225-129-251.compute-1.amazonaws.com (54.225.129.251:80)

TCP (HTTP):

Connects to ec2-54-221-246-180.compute-1.amazonaws.com (54.221.246.180:80)

TCP (HTTP):

Connects to ec2-50-19-243-45.compute-1.amazonaws.com (50.19.243.45:80)

TCP (HTTP):

Connects to ec2-50-18-55-208.us-west-1.compute.amazonaws.com (50.18.55.208:80)

TCP (HTTP):

Connects to ec2-23-23-213-221.compute-1.amazonaws.com (23.23.213.221:80)

Remove tygiowd.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.