tytak.exe

Musrukafa Visatl Studio 2010

Musrukafa Corporatien

The executable tytak.exe, “Musrukafa Visatl Studie 2010”, has been detected as malware by 8 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address float.871.bm-impbus.prod.ams1.adnexus.net on port 80 using the HTTP protocol.
Publisher:
Musrukafa Corporatien

Product:
Musrukafa® Visatl Studio® 2010

Description:
Musrukafa Visatl Studie 2010

Version:
1.7.42074.51266 built by: SP1Rel

MD5:
371724749e23fd9324ef94a58a1c584f

SHA-1:
cd6da46ec3371987c5d5765be8d654681216d008

SHA-256:
440018d831443d89cb4d76ab7f6552a0f9ae9cacea0cbddbe4cf02b6ad28c05e

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
4/20/2024 2:38:39 AM UTC

Scan engine             | Detection                          | Engine version
Avira AntiVirus         | TR/Dropper.Gen                     | 7.11.30.172
AVG                     | Win32/Cryptor                      | 2014.0.4037
ESET NOD32              | Win32/Kryptik.CMTA (variant)       | 8.10514
Kaspersky               | HEUR:Trojan.Win32.Generic          | 14.0.0.3148
Malwarebytes            | Spyware.Zbot.MSXGen                | v2014.10.05.10
Panda Antivirus         | Trj/Genetic.gen                    | 14.10.05.10
Qihoo 360 Security      | Malware.QVM20.Gen                  | 1.0.0.1015
Rising Antivirus        | PE:Malware.XPACK-LNR/Heur!1.5594   | 23.00.65.141003

File size:
274 KB (280,623 bytes)

Product version:
1.7.42074.51266

Copyright:
© Musrukafa Corporatien. All rights reserved.

Original file name:
dimink.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\vauwsyyq\tytak.exe

File PE Metadata
Compilation timestamp:
10/31/2011 12:45:03 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:dEUXHkAjaact4YzHRYr+IWbkG1csv28RdF9OfOFvviDEDg5NCC:dbXEAjaay4YYCIEkG1GedF6OtvnDg9

Entry address:
0x6CC8

Entry point:
55, 8B, EC, 81, EC, AC, 01, 00, 00, B9, 97, 00, 00, 00, 83, C1, 9B, EB, 09, 83, EB, 4C, 89, 9D, B8, FE, FF, FF, 53, 89, 9D, A8, FE, FF, FF, 56, 8B, B5, A8, FE, FF, FF, 03, F6, 3B, 9D, 5C, FE, FF, FF, 75, 17, 3B, B5, A8, FE, FF, FF, 74, 0F, 0B, F3, 81, FE, 6F, 08, 00, 00, 75, 05, EB, 03, 89, 55, DC, 57, B8, F0, B7, 00, 00, 83, C8, 20, 89, 85, A8, FE, FF, FF, 83, E0, 84, 89, 85, A8, FE, FF, FF, 68, B8, 40, 44, 00, FF, 15, B8, 35, 44, 00, 8B, 95, A8, FE, FF, FF, 3B, 15, 60, 40, 44, 00, 75, 2E, 8B, BD, A8, FE...

Developed / compiled with:
Microsoft Visual C++

Code size:
39.5 KB (40,448 bytes)

Scheduled Task
Task name:
Security Center Update - 1090571742

Trigger:
Daily (Runs daily at 17:00)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-us-west-2.amazonaws.com  (54.240.252.18:80)

TCP (HTTP):
Connects to hosted.by.cirn.net  (69.5.90.99:80)

TCP (HTTP):
Connects to float.871.bm-impbus.prod.ams1.adnexus.net  (37.252.162.109:80)

TCP (HTTP):
Connects to float.1615.bm-impbus.prod.ams1.adnexus.net  (37.252.162.105:80)

TCP (HTTP):
Connects to ee-in-f148.1e100.net  (173.194.65.148:80)

TCP (HTTP):
Connects to ea-in-f149.1e100.net  (74.125.136.149:80)

TCP (HTTP):
Connects to a184-50-163-146.deploy.static.akamaitechnologies.com  (184.50.163.146:80)

TCP (HTTP):
Connects to a172-229-196-174.deploy.static.akamaitechnologies.com  (172.229.196.174:80)

TCP (HTTP):
Connects to 72.188.serverel.net  (109.206.188.72:80)

TCP (HTTP):
Connects to 150.254-4-62.akamai.com  (62.4.254.150:80)

TCP (HTTP):
Connects to 137.254-4-62.akamai.com  (62.4.254.137:80)
