ybimg.exe

Mesrosift Visaal Studio 2010

Mesrosift Corporatien

The executable ybimg.exe, carrying the version description “Mesrosift Visaal Studie 2010” (a misspelt imitation of the Microsoft Visual Studio 2010 version strings), has been detected as malware by 27 of 68 anti-virus scanners. It is set to start automatically whenever a user logs into Windows, via the current-user Run registry key, under the value name ‘Baapfumyovq’. According to the detections it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Mesrosift Corporatien

Product:
Mesrosift® Visaal Studio® 2010

Description:
Mesrosift Visaal Studie 2010

Version:
1.9.43074.5121 built by: SP1Rel

MD5:
04b35e42c6b647736d47baa677c7761d

SHA-1:
ab14558c076020aebab6cfbb2a1f2df8c0959164

SHA-256:
f2e71076de730f21397fe8f078cd1ba82938beafaff2874640cfb851f16ecf6e

Scanner detections:
27 / 68

Status:
Malware

Analysis date:
4/19/2024 11:58:57 PM UTC

Scan engine                    Detection                             Engine version
Lavasoft Ad-Aware              Gen:Variant.Kazy.439704               889
Agnitum Outpost                Trojan.Kryptik                        7.1.1
AhnLab V3 Security             Dropper/Win32.Necurs                  2014.08.30
Avira AntiVirus                TR/Crypt.XPACK.Gen2                   7.11.30.172
avast!                         Win32:Kryptik-OED [Trj]               140813-1
AVG                            Trojan horse Crypt3.ALME              2014.0.4015
Bitdefender                    Gen:Variant.Kazy.439704               1.0.20.1205
Bkav FE                        HW32.CDB                              1.3.0.4959
Comodo Security                TrojWare.Win32.Kryptik.CJQM           19353
Dr.Web                         Trojan.KillProc.32558                 9.0.1.05190
Emsisoft Anti-Malware          Gen:Variant.Kazy.439704               9.0.0.4324
ESET NOD32                     Win32/Kryptik.CJQM (variant)          8.10337
Fortinet FortiGate             W32/Yakes.CJQM!tr                     8/29/2014
F-Secure                       Gen:Variant.Kazy.438787               11.2014-29-08_6
G Data                         Gen:Variant.Kazy.439704               14.8.24
K7 AntiVirus                   Trojan                                13.183.13198
Kaspersky                      Trojan.Win32.Yakes                    15.0.0.494
Malwarebytes                   Trojan.Zbot.gen                       v2014.08.29.05
McAfee                         PWSZbot-FBTA!04B35E42C6B6             5600.7023
Microsoft Security Essentials  Threat.Undefined                      1.183.900.0
MicroWorld eScan               Gen:Variant.Kazy.439704               15.0.0.723
NANO AntiVirus                 Trojan.Win32.Yakes.deezqf             0.28.2.61861
Panda Antivirus                Trj/Genetic.gen                       14.08.29.05
Qihoo 360 Security             Malware.QVM20.Gen                     1.0.0.1015
Rising Antivirus               PE:Malware.XPACK-LNR/Heur!1.5594      23.00.65.14827
SUPERAntiSpyware               Trojan.Agent/Gen-Falcomp[i]           10392
VIPRE Antivirus                Threat.4150696                        32210

The engine versions above date from late August 2014, so the detection names reflect the signature sets of that period rather than the analysis date; most are generic packer/crypter names (Kryptik, Crypt.XPACK, Yakes), with Malwarebytes and McAfee naming the Zbot family explicitly.

File size:
298.1 KB (305,229 bytes)

Product version:
1.9.43074.5121

Copyright:
© Mesrosift Corporatien. All rights reserved.

Original file name:
davanv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\tararap\ybimg.exe

File PE Metadata
Compilation timestamp:
7/27/2011 10:47:27 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:T1lm3z/ppW1e/Uizq7xuaAJMPI5mUaYjQ7zr8U7n:kzWErxEHUf6nr

Entry address:
0xC984

Entry point:
55, 8B, EC, 81, EC, C8, 00, 00, 00, B9, D5, CF, 00, 00, 89, 8D, 68, FF, FF, FF, 53, 83, C1, 7F, BA, 9D, 00, 00, 00, 6A, C0, 51, E8, 1F, 20, 00, 00, 83, C4, 08, 56, 83, F8, 50, 75, 10, 83, F8, E8, 75, 0B, B9, DC, 2F, 00, 00, 83, E9, A3, 89, 4D, E8, 57, 8B, 95, 68, FF, FF, FF, 83, C2, 24, 6A, 38, E8, 0A, 1A, 00, 00, 83, C4, 04, 8B, 8D, 68, FF, FF, FF, 33, C8, 3B, 8D, 78, FF, FF, FF, 75, 22, 2B, C8, 89, 45, C4, 8B, 55, C4, 3B, 15, DC, CA, 42, 00, 75, 12, EB, 10, 83, F2, 49, B8, 80, 00, 00, 00, EB, 06, 89, 8D...
(The first bytes, 55 8B EC 81 EC C8 00 00 00, are an ordinary x86 frame prologue: push ebp; mov ebp, esp; sub esp, 0C8h. Taken together with the 7.81 entropy, this is consistent with a small unpacking stub in front of an encrypted payload.)

Entropy:
7.8108

Developed / compiled with:
Microsoft Visual C++

Code size:
140 KB (143,360 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Baapfumyovq

Command:
C:\users\{user}\appdata\roaming\tararap\ybimg.exe
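The two checks a responder would want from this listing are (a) whether a file on disk is this sample (hashes) or looks similarly packed (entropy), and (b) whether a user's Run key holds an entry shaped like this persistence. The script below is an added example, not code from the original page or from Reason Core Security. The hashes, Run key path and the ‘Baapfumyovq’/ybimg.exe entry are copied from the listing; the 7.0 entropy cut-off, the "executable one folder below %APPDATA%\Roaming with a value name that does not occur in the command" heuristic, and the sample Run values are assumptions made for the example. Registry reads only happen on Windows (the `winreg` import is inside the function), so the scoring logic runs and can be tested anywhere.

```python
import hashlib
import math
import re
import sys
from collections import Counter

# Indicators of compromise copied from the listing above.
KNOWN_HASHES = {
    "md5": "04b35e42c6b647736d47baa677c7761d",
    "sha1": "ab14558c076020aebab6cfbb2a1f2df8c0959164",
    "sha256": "f2e71076de730f21397fe8f078cd1ba82938beafaff2874640cfb851f16ecf6e",
}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Assumed cut-off: unpacked Visual C++ binaries sit well below this, packed or
# crypted samples such as this one (7.81) sit above it.
PACKED_ENTROPY_THRESHOLD = 7.0

# Assumed heuristic, not a signature from the page: an .exe exactly one
# directory below %APPDATA%\Roaming, matching the listed common path.
_APPDATA_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe", re.IGNORECASE)

# Constructed sample Run values: the listed entry plus a benign-looking one.
SAMPLE_RUN_ENTRIES = [
    ("Baapfumyovq", r"C:\users\alice\appdata\roaming\tararap\ybimg.exe"),
    ("MyAppUpdater", r"C:\Users\alice\AppData\Roaming\MyApp\MyAppUpdater.exe /quiet"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests, keyed like KNOWN_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_bytes(data: bytes) -> dict:
    """Hashes, entropy, a packing flag, and whether any digest matches the IOC."""
    digests = hash_bytes(data)
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        **digests,
        "entropy": round(entropy, 4),
        "likely_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
        "matches_ioc": any(digests[k] == v for k, v in KNOWN_HASHES.items()),
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return {"path": path, **triage_bytes(fh.read())}


def suspicious_run_entries(entries):
    """Return (name, command, reasons) for Run values shaped like this persistence.

    Both conditions must hold, to keep noise down: the command runs an .exe
    from a folder directly under %APPDATA%\\Roaming, and the value name does
    not occur anywhere in the command (legitimate updaters normally reuse
    their product name for both).
    """
    hits = []
    for name, cmd in entries:
        reasons = []
        if _APPDATA_EXE.search(cmd):
            reasons.append("executable under %APPDATA%\\Roaming")
        if name.lower() not in cmd.lower():
            reasons.append("value name unrelated to command")
        if len(reasons) == 2:
            hits.append((name, cmd, reasons))
    return hits


def read_hkcu_run():
    """Live HKCU Run values on Windows; an empty list on any other platform."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    values, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            values.append((name, str(data)))
            index += 1
    return values


if __name__ == "__main__":
    # On a non-Windows host fall back to the constructed sample entries.
    entries = read_hkcu_run() or SAMPLE_RUN_ENTRIES
    for name, cmd, reasons in suspicious_run_entries(entries):
        print(f"[!] {name}: {cmd} ({'; '.join(reasons)})")
        m = re.match(r'"?(.+?\.exe)', cmd, re.IGNORECASE)  # path up to the .exe
        try:
            print("    ", triage_file(m.group(1)) if m else "(no .exe path in command)")
        except OSError:
            print("     (file not present on this host)")
```

Hashes are the only reliable match for this exact sample; the entropy flag and the Run-key heuristic are there to surface re-crypted siblings that the listed digests will not catch, and both will produce false positives on some legitimate per-user installers, so treat a hit as something to pull and hash, not as a verdict.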


Remove ybimg.exe - Powered by Reason Core Security