Submission Summary:

What's been foundSeverity Level
Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat CategoryDescription
A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system


File System Modifications

#Filename(s)File SizeFile HashAlias
1 %AppData%\Opybh\omyms.exe 127,996 bytes MD5: 0x7CEBB7567D1F534FDA0F6E1C8E358AD0
SHA-1: 0x0DA990F236F4AB581897119EAC05379550B39F9C
Mal/EncPk-NS, Mal/Zbot-U [Sophos]
PWS:Win32/Zbot.gen!Y [Microsoft]
2 %Temp%\tmpdc48d442.bat 168 bytes MD5: 0xEA5E68F2E0857CE93E8CD1EFB25CD41F
SHA-1: 0xE3DE88F35132905A8C5C3E333E12A071E2C178AE
(not available)
3 %Temp%\tmpf9187626\pt.exe 32,768 bytes MD5: 0xEBD63056FFA39555353AA01B92FF3CE7
SHA-1: 0xF2ED50C7404E510CA49558BA93B5B73259AD8938
Trojan.Gen [Symantec]
Trojan.Win32.Agent.dstv [Kaspersky Lab]
Mal/EncPk-OC [Sophos]
Trojan:Win32/Killav.EG [Microsoft]
Trojan.Win32.Agent [Ikarus]
4 [file and pathname of the sample #1] 167,424 bytes MD5: 0x3FE968C21349A898D99154A2AD3ACFAA
SHA-1: 0xB480AEAC34D60CC58320BF01C6C550C1CA6C1AE9
Trojan.Zbot [Symantec]
Trojan-Spy.Win32.Zbot.ahzu [Kaspersky Lab]
Mal/FakeAV-CX [Sophos]
PWS:Win32/Zbot.gen!Y [Microsoft]
PWS.Win32 [Ikarus]
Win-Trojan/Zbot.167424 [AhnLab]


Memory Modifications

Process NameProcess FilenameAllocated Size
cmd.exe%System%\cmd.exe212,992 bytes
cmd.exe%System%\cmd.exe118,784 bytes


Registry Modifications


Other details

Russian Federation

Remote HostPort Number



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 ThreatExpert. All rights reserved.