| Visit ThreatExpert web site | | | Close Report |
[Symantec] [Kaspersky Lab] [McAfee] [Trend Micro] [Sophos] [Microsoft] [AhnLab]| What's been found | Severity Level |
| Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system. |  |
| Downloads/requests other files from Internet. |  |
| Contains characteristics of an identified security risk. | |
 | Possible Security Risk |
| Threat Category | Description |
 |
A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.) |
 |
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment |
 |
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system |
 | File System Modifications |
| # | Filename(s) | File Size | File Hash | Alias |
| 1 | %Profiles%\NetworkService\Application Data\sysproc64\sysproc32.sys | 108 bytes | MD5: 0x784347DA942E96D58CD91CF29583CFE4 SHA-1: 0x5218C2C2E595B2BE39012BF5B1C265AFBEFF88E2 |
(not available) |
| 2 |
%System%\oembios.exe
|
289,792 bytes | MD5: 0x8A23EE7E3A763879BEFDA72A5853F4D6 SHA-1: 0x6DF77D87D6CEE348D184410C0C3067D5B311CC92 |
Suspicious.BredoLab [Symantec] Trojan-Spy.Win32.Zbot.emq [Kaspersky Lab]TROJ_DLOADER.DAM [Trend Micro]Mal/EncPk-CZ [Sophos]PWS:Win32/Zbot.B [Microsoft]Trojan-Spy.Win32.Zbot.B4 [Ikarus] Win32/IRCBot.worm.variant [AhnLab] |
| 3 | [file and pathname of the sample #1] | 84,480 bytes | MD5: 0x15E7FB1DC026B6F3A1477013CFC4197D SHA-1: 0x3554D3147BF48D72B374B386A8992C11404B1BD0 |
Backdoor.Paproxy [Symantec] Trojan-Spy.Win32.Zbot.emq [Kaspersky Lab]Spy-Agent.cf [McAfee]TROJ_DLOADER.DAM [Trend Micro]Troj/FakeAle-GN [Sophos]PWS:Win32/Zbot.B [Microsoft]Trojan-Spy.Win32.Zbot.B4 [Ikarus] Win32/IRCBot.worm.variant [AhnLab] |
| 4 |
%System%\sysproc64\sysproc32.sys
|
206 bytes | MD5: 0xD67C4D2FCCFA92171B09C6E5934C5A82 SHA-1: 0x11B4602B2C1905A449D9D2BD80692E452C90674E |
(not available) |
| 5 |
%System%\sysproc64\sysproc86.sys
|
0 bytes | MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 |
(not available) |
 | Memory Modifications |
| Process Name | Process Filename | Main Module Size |
| [filename of the sample #1] | [file and pathname of the sample #1] | 17,395,712 bytes |
 | Registry Modifications |
 | Other details |
 |
Russian Federation |
| Server Name | Server Port | Connect as User | Connection Password |
| malafikarubik.ru | 80 | (null) | (null) |
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2013 ThreatExpert. All rights reserved.