ylifacu.exe

Welltek Software

The executable ylifacu.exe (file description “jxMCosX8 90adddef”) has been detected as malware by 34 of the 68 anti-virus scanners it was submitted to. It persists as a scheduled task under the Windows Task Scheduler that triggers daily at a fixed time, with a task name and description styled after a Windows "Security Center" update job so that it blends in with legitimate tasks. According to the detections, it is a variant of Zbot (Zeus), a banking trojan that steals confidential information (online credentials and banking details) from the compromised computer and sends it to criminals through a command-and-control server. The publisher name and version strings listed below are whatever the file declares about itself and are not evidence of a legitimate vendor.
Publisher:
Welltek Software

Description:
jxMCosX8 90adddef

Version:
2 4.513 518

MD5:
67292444302482b0d7aad1114d45d448

SHA-1:
199ba8cf834644668f74a5f4177f361d16663ae8

SHA-256:
36f21b2ff5bafaeb25d944184acf3501884adf5a42e72a15f6e8195a840d179a

Scanner detections:
34 / 68

Status:
Malware

Analysis date:
4/25/2024 9:40:24 PM UTC

Scan engine                     Detection                      Engine version
Lavasoft Ad-Aware               Trojan.Agent.BFLG              856
Agnitum Outpost                 TrojanSpy.Zbot                 7.1.1
AhnLab V3 Security              Trojan/Win32.Necurs            2014.09.20
Avira AntiVirus                 TR/Spy.ZBot.ikyv               7.11.173.116
avast!                          Win32:Kryptik-OHQ [Trj]        140929-0
AVG                             Trojan horse Crypt3.APQG       2014.0.4025
Bitdefender                     Trojan.Agent.BFLG              1.0.20.1375
Bkav FE                         HW32.Paked                     1.3.0.4959
Clam AntiVirus                  Win.Trojan.Agent-777082        0.98/19465
Dr.Web                          Trojan.Siggen6.15132           9.0.1.05190
Emsisoft Anti-Malware           Trojan.Agent.BFLG              8.14.10.02.04
ESET NOD32                      Win32/Spy.Zbot.ABA             8.10443
Fortinet FortiGate              W32/Yakes.GAKM!tr              10/2/2014
F-Prot                          W32/A-26e5096c                 v6.4.7.1.166
F-Secure                        Trojan.Agent.BFLG              11.2014-02-10_5
G Data                          Trojan.Agent.BFLG              14.10.24
IKARUS anti.virus               Trojan-Ransom.Win32.Blocker    t3scan.1.7.8.0
K7 AntiVirus                    Trojan                         13.183.13432
Kaspersky                       HEUR:Trojan.Win32.Generic      14.0.0.3164
Malwarebytes                    Trojan.Zbot.RV                 v2014.10.02.04
McAfee                          PWSZbot-FADF!3E382198536C      5600.6990
Microsoft Security Essentials   PWS:Win32/Zbot                 1.11005
MicroWorld eScan                Trojan.Agent.BFLG              15.0.0.825
NANO AntiVirus                  Trojan.Win32.Blocker.dfgjnb    0.28.2.62151
nProtect                        Trojan.Agent.BFLG              14.09.19.01
Panda Antivirus                 Trj/Genetic.gen                14.10.02.04
Reason Heuristics               Threat.Win.Reputation.IMP      14.10.2.4
Sophos                          Troj/Wonton-HN                 4.98
SUPERAntiSpyware                Trojan.Agent/Gen-Blocker       10325
Total Defense                   Win32/Zbot.ZBUUeNB             37.0.11199
Vba32 AntiVirus                 Hoax.Blocker                   3.12.26.3
VIPRE Antivirus                 Trojan.Win32.Generic           33264
ViRobot                         Trojan.Win32.Zbot.360960.A     2011.4.7.4223
Zillya! Antivirus               Trojan.Zbot.Win32.166466       2.0.0.1929

File size:
352.5 KB (360,960 bytes)

Product version:
2 4.513 518

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\eweltyh\ylifacu.exe

File PE Metadata
Compilation timestamp:
9/17/2014 6:24:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:p+9XaEuIk44cBz6bYnFcE8aCj0KAGeLAyIQqZVadgiDUkQ5dj/iPB2zPAl:p+9qEuIvHBxFcvaCtA6yxPfwkQniPQQ

Entry address:
0x17902

Entry point:
55, 8B, EC, 6A, FF, 68, 60, 84, 41, 00, 68, F0, 7A, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 64, 82, 41, 00, 59, 83, 0D, 34, 0B, 57, 00, FF, 83, 0D, 38, 0B, 57, 00, FF, FF, 15, 60, 82, 41, 00, 8B, 0D, 30, 0B, 57, 00, 89, 08, FF, 15, 5C, 82, 41, 00, 8B, 0D, 2C, 0B, 57, 00, 89, 08, A1, 34, 82, 41, 00, 8B, 00, A3, 3C, 0B, 57, 00, E8, 28, 01, 00, 00, 39, 1D, 18, AB, 41, 00, 75, 0C, 68, 96, 7A, 41, 00, FF, 15, 58, 82...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
92 KB (94,208 bytes)
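The hash and PE metadata fields above (compilation timestamp, linker version, OS version, subsystem, entry-point address and the bytes found there, code size) can be recomputed from a quarantined copy with a few dozen lines of standard-library Python. The script below is an added example written for this page, not part of the report or of any vendor tool. It parses the DOS, COFF and PE32 optional headers and the section table, and ships with a constructed minimal PE image (not the real sample) whose header fields and first entry-point bytes are set to the values reported above so it can be run offline; `triage_file` is the entry point for a real file. ssdeep is not recomputed because it needs the third-party ssdeep library.

```python
"""Added triage helper (not part of the original report or the vendor's tooling)."""
import hashlib
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}   # IMAGE_SUBSYSTEM_* values
MACHINES = {0x14C: "Win32", 0x8664: "x64"}                         # IMAGE_FILE_MACHINE_* values


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 as listed in scanner reports."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes, entry_bytes: int = 16) -> dict:
    """Read the DOS, COFF and PE32 optional headers plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)  # OS version
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    # Section table follows the optional header; use it to map the entry RVA to a file offset
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawptr, rawsize))
    entry_off = next((rawptr + entry_rva - vaddr for _, vaddr, vsize, rawptr, rawsize in sections
                      if vaddr <= entry_rva < vaddr + max(vsize, rawsize)), None)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "linker": f"{maj_link}.{min_link}",
        "os_version": f"{maj_os}.{min_os}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
        "entry_bytes": data[entry_off:entry_off + entry_bytes] if entry_off is not None else b"",
        "sections": [s[0] for s in sections],
    }


def triage_file(path: str) -> dict:
    """Hash and parse a file on disk, e.g. a quarantined copy of ylifacu.exe."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size": len(data), **file_hashes(data), **parse_pe(data)}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (NOT the real sample) whose header fields mirror the
    values reported for ylifacu.exe; the section body holds the first entry-point bytes."""
    stamp = int(datetime(2014, 9, 17, 18, 24, 49, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header at 0x40
    opt = bytearray(0xE0)                                       # PE32 optional header
    struct.pack_into("<HBBI", opt, 0, 0x10B, 6, 0, 0x17000)     # magic, linker 6.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x1010)                     # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                      # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                          # Subsystem: Windows GUI
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, len(opt), 0x010F)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    body = bytearray(0x200)
    body[0x10:0x18] = bytes.fromhex("55 8B EC 6A FF 68 60 84")  # push ebp / mov ebp,esp / push -1 / push ...
    return headers + bytes(body)


if __name__ == "__main__":
    sample = build_sample_pe()
    for key, value in {**file_hashes(sample), **parse_pe(sample, entry_bytes=8)}.items():
        print(f"{key:>12}: {value.hex() if isinstance(value, bytes) else value}")
```

A real ylifacu.exe copy will of course not reproduce the constructed sample's hashes; the point of the sample is that the header fields it yields match the report, so the same parser can be trusted on the real file.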

Scheduled Task
Task name:
Security Center Update - 3848411966

Trigger:
Daily (Runs daily at 11:00)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin
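The persistence mechanism above has two traits worth hunting for on other hosts: the task's action runs from a user-writable profile directory (here %APPDATA%\eweltyh), and its name and description imitate a Windows "Security Center" update job. The script below is an added example for this page, not part of the report or of any vendor tool. It checks a task definition for both traits, reading either the XML that `schtasks /query /tn <name> /xml` prints or the raw files Windows keeps under %SystemRoot%\System32\Tasks. The directory list and the name pattern (a Windows-sounding prefix ending in a long numeric tag, generalised from the single name in this report) are assumptions to be tuned per environment; the two task definitions embedded in it are constructed, not real exports.

```python
"""Added detection example (not part of the original report or the vendor's tooling)."""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: directories from which a legitimate system updater would not run.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\",
                 "\\users\\public\\", "\\temp\\")
# Assumption: generalised from the one task name in this report
# ("Security Center Update - 3848411966"): Windows-sounding prefix, long numeric suffix.
IMPERSONATION = re.compile(r"^(security center|windows|microsoft)\b.*\b\d{6,}$", re.I)


def _text(el, path: str) -> str:
    node = el.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def assess_task(task_xml, task_name: str = "") -> dict:
    """task_xml may be str or the raw (UTF-16) bytes of a file from the Tasks folder."""
    root = ET.fromstring(task_xml)
    name = task_name or _text(root, "t:RegistrationInfo/t:URI").lstrip("\\")
    description = _text(root, "t:RegistrationInfo/t:Description")
    commands = [_text(e, "t:Command") for e in root.findall("t:Actions/t:Exec", NS)]
    daily = root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None
    findings = []
    for cmd in commands:
        path = cmd.strip('"').lower().replace("/", "\\")
        if any(marker in path for marker in USER_WRITABLE):
            findings.append(f"action runs from a user-writable directory: {cmd}")
    if IMPERSONATION.match(name):
        findings.append(f"task name mimics a Windows component with a numeric suffix: {name}")
    if "security center" in description.lower() and not any(
            c.strip('"').lower().startswith(("c:\\windows\\", "%windir%\\", "%systemroot%\\"))
            for c in commands):
        findings.append("description claims Security Center but the action lives outside the Windows directory")
    return {"name": name, "commands": commands, "daily": daily,
            "findings": findings, "suspicious": bool(findings)}


def scan_task_store(folder: str = r"C:\Windows\System32\Tasks"):
    """Yield assessments for every suspicious task file in the on-disk task store
    (run from an elevated shell on the host being examined)."""
    for dirpath, _, files in os.walk(folder):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    result = assess_task(fh.read(), os.path.relpath(full, folder))
            except (OSError, ET.ParseError):
                continue
            if result["suspicious"]:
                yield result


# Constructed sample mirroring the task described in this report (not an actual export).
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\\Security Center Update - 3848411966</URI>
    <Description>Keeps your Security Center software up to date.</Description>
  </RegistrationInfo>
  <Triggers><CalendarTrigger>
    <StartBoundary>2014-10-02T11:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\alice\\AppData\\Roaming\\eweltyh\\ylifacu.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed benign control: a built-in maintenance task running from the Windows directory.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByWeek/></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for xml_text in (SAMPLE_TASK, BENIGN_TASK):
        result = assess_task(xml_text)
        print(result["name"], "->", result["findings"] or "no findings")
```

The constructed malicious task trips all three checks, the benign one none. On a live host, pair `scan_task_store()` with the hash check from the PE triage step: a task whose action file matches the SHA-256 above is a confirmed hit, while a task that only trips the path or naming heuristics needs a look at the binary before acting.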


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to mrs02s05-in-f24.1e100.net (173.194.35.120:80)

Hostnames under 1e100.net belong to Google. An outbound HTTP connection from a Zbot sample to a Google address is most likely an internet-connectivity check rather than command-and-control traffic, so this address should not be used as a C2 indicator on its own; the task name, file path and hashes above are the more reliable indicators.

Remove ylifacu.exe - Powered by Reason Core Security