zeulc.exe

Rady

Fastream Technologies

The executable zeulc.exe, “Ubusypi Quz Ebokyl”, has been detected as malware by 19 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Fastream Technologies

Product:
Rady

Description:
Ubusypi Quz Ebokyl

Version:
1, 2, 6

MD5:
02fd96b20e571072c5abb9f92bad3016

SHA-1:
c94912648d39a67ceb7d491c3d2a1cf3955b5ed5

SHA-256:
1360f63c5ea760b46b52653f2344ee8ff95d9e9fbc55c159e2a6850eb68ea7ed

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
4/28/2024 10:31:55 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Graftor.147488
936

AhnLab V3 Security
Dropper/Win32.Necurs
2014.07.14

Avira AntiVirus
TR/Crypt.ZPACK.61802
7.11.160.154

avast!
Win32:Necurs-S [Trj]
140617-1

AVG
Trojan horse SHeur4.BYDT
2014.0.3986

Bitdefender
Gen:Variant.Graftor.147488
1.0.20.970

Bkav FE
HW32.CDB
1.3.0.4959

Dr.Web
Trojan.Siggen6.15132
9.0.1.05190

ESET NOD32
Win32/Kryptik.CGLR trojan
7.0.302.0

F-Secure
Gen:Variant.Graftor.147488
11.2014-13-07_1

G Data
Gen:Variant.Graftor.147488
14.7.24

Kaspersky
Trojan-Spy.Win32.Zbot
15.0.0.494

Malwarebytes
Spyware.Zbot.VXGen
v2014.07.13.08

Microsoft Security Essentials
Threat.Undefined
1.177.2397.0

MicroWorld eScan
Gen:Variant.Graftor.147488
15.0.0.582

NANO AntiVirus
Trojan.Win32.Zbot.dcefej
0.28.0.60698

Rising Antivirus
PE:Malware.XPACK-HIE/Heur!1.9C48
23.00.65.14711

Sophos
Mal/Ransom-CV
4.98

VIPRE Antivirus
Threat.4150696
31208

File size:
337 KB (345,088 bytes)

Product version:
1

Copyright:
1998

Trademarks:
Ujepoq Nity Olehyj Kasykyc Dudexyd Leve Yhyze Napahob

Original file name:
Axws++.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\ospyivme\zeulc.exe

File PE Metadata
Compilation timestamp:
8/9/2011 6:17:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

CTPH (ssdeep):
6144:rKvdNMSlWzN7XOfXnU7JNzLumSiHKRwKnqtjWOV6TLBtp3/h4V:rKl2zcXUNdSmSiCwagKa6vB94V

Entry address:
0x41F7C

Entry point:
49, 81, C7, 00, E3, 00, 00, 43, 3B, D7, 77, 32, EB, 30, 00, 00, 00, 00, 00, 00, B9, 00, 00, 00, 00, 00, 6A, 00, 00, 29, 00, 00, 00, 00, 00, 00, 00, C0, 00, 00, 00, 00, 00, 1A, 00, 00, 00, 00, 00, 00, 00, 9A, 00, 00, 00, 00, 00, 00, 00, 33, 00, 00, 89, 15, 94, FD, 44, 00, 81, 3D, B8, FD, 44, 00, 00, 13, 17, 5C, 77, 27, EB, 25, 00, 00, 00, 00, B4, 00, 00, 00, 00, 00, 07, 00, 00, 00, 2B, 00, 00, 00, 00, 00, 00, 00, 4A, 00, 00, 00, 00, 00, 00, 00, 71, 00, 00, 00, 00, 00, 7E, 3B, F3, 72, 29, EB, 59, 00, 00, 00...
 

Entropy:
7.2840

Code size:
277.5 KB (284,160 bytes)

Scheduled Task
Task name:
Security Center Update - 2005007516

Trigger:
Daily (Runs daily at 8:00 PM)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to yts2.yql.vip.ne1.yahoo.com  (98.138.243.53:443)

TCP (HTTP SSL):
Connects to syndicate1.nads.vip.bf1.yahoo.com  (69.147.78.32:443)

TCP (HTTP):
Connects to server-54-230-20-194.ewr2.r.cloudfront.net  (54.230.20.194:80)

TCP (HTTP):
Connects to s3-1.amazonaws.com  (54.231.1.128:80)

TCP (HTTP):
Connects to phx2-ss-3-lb.cnet.com  (216.239.120.39:80)

TCP (HTTP):
Connects to phx2-dw-cbsi-xw-lb.cnet.com  (216.239.120.246:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

TCP (HTTP):
Connects to iad23s26-in-f23.1e100.net  (173.194.121.55:80)

TCP (HTTP):
Connects to iad23s26-in-f13.1e100.net  (173.194.121.45:80)

TCP (HTTP):
Connects to iad23s24-in-f25.1e100.net  (74.125.228.249:80)

TCP (HTTP):
Connects to iad23s08-in-f31.1e100.net  (74.125.228.127:80)

TCP (HTTP):
Connects to iad23s08-in-f15.1e100.net  (74.125.228.111:80)

TCP (HTTP):
Connects to iad23s06-in-f9.1e100.net  (74.125.228.41:80)

TCP (HTTP):
Connects to float.1250.bm-impbus.prod.nym2.adnexus.net  (68.67.152.115:80)

TCP (HTTP SSL):
Connects to edge-star-shv-12-iad1.facebook.com  (31.13.69.160:443)

TCP (HTTP):
Connects to ec2-75-101-151-209.compute-1.amazonaws.com  (75.101.151.209:80)

TCP (HTTP):
Connects to ec2-54-84-35-63.compute-1.amazonaws.com  (54.84.35.63:80)

TCP (HTTP):
Connects to ec2-54-84-234-215.compute-1.amazonaws.com  (54.84.234.215:80)

TCP (HTTP):
Connects to ec2-23-23-168-121.compute-1.amazonaws.com  (23.23.168.121:80)

TCP (HTTP):
Connects to ec2-23-23-135-193.compute-1.amazonaws.com  (23.23.135.193:80)

Remove zeulc.exe - Powered by Reason Core Security