
Backdoor.Agent.Zegost (file analysis)


Backdoor.Agent.Zegost is rated as dangerous by many security vendors. While the infection is active you may notice unfamiliar processes in the Task Manager list. In that case, it is advisable to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It performs a complete scan and cures your PC during the trial period.
A 6-day free trial is available.

What can Backdoor.Agent.Zegost do?

The following behaviours were flagged during automated analysis of the sample:

  • Executable code extraction
  • A process attempted to delay the analysis task.
  • Repeatedly searches for a process that is not present in the sandbox (the analysis engine suggests rerunning with the startbrowser=1 option, i.e. with a browser running)
  • Reads data out of its own binary image
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Uses Windows utilities for basic functionality
  • Deletes its original binary from disk
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Installs itself for autorun at Windows startup
  • Creates a hidden or system file
  • Creates a copy of itself

Related domains:

z.whorecord.xyz
a.tomx.xyz

How to identify Backdoor.Agent.Zegost?

Compare a suspicious file against the hashes below; a match on any one of them identifies this exact sample.
File Info:

crc32: C995C8F3
md5: a573a45276c988b367c12b5e60b545a9
name: sht.exe
sha1: 9d280515c6615dd9af3f788c55d53468c9ca8b47
sha256: bfefdd6a5ab29cb3f49132dc9d8425b7ac9fbefb6d8d490089c380b732127b52
sha512: a23a61357750f002a4771e8a44bf38a47c9b88013a9ea622c0aff7f42e9a27e2db414653da7e369f35bd4f649f655c596c25d490bbb0d549f410ea7d468e4bf4
ssdeep: 3072:nobZWgTq/chM47QtQn1ikAK+3HF1Xs4cx1IqwW2R/xf8:obZWaqUZQtQne3l1XsnxmqwT
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Version Info:

LegalCopyright: (C) 360.cn All Rights Reserved.
InternalName: 360Restore
FileVersion: 2, 0, 0, 3065
CompanyName: 360.cn
ProductName: 360安全卫士 (360 Safeguard)
ProductVersion: 2, 0, 0, 3065
FileDescription: 360安全卫士 隔离区模块 (360 Safeguard quarantine module)
OriginalFilename: 360Restore.exe
Translation: 0x0409 0x04b0

The version resource impersonates Qihoo 360's 360安全卫士 (360 Safeguard) quarantine module and claims the original file name 360Restore.exe, yet the analysed sample was named sht.exe. A mismatch between the name a binary claims in its version resource and the name it carries on disk is itself a useful triage signal.
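As an added example (not GridinSoft's tooling, and not code from this page), the script below turns the indicators above into offline checks a responder can run against a quarantined file and a DNS log: it compares a file's digests with the published hashes, reads the PE section table to confirm the UPX packing that the file type reports, flags the sht.exe vs 360Restore.exe name mismatch, and sweeps log lines for the two related domains. The PE image produced by build_fake_pe() and the DNS log lines are constructed test inputs, not the malware; the function names (triage(), find_related_domains() and so on) are my own.

```python
"""Offline triage for a suspected Backdoor.Agent.Zegost dropper.

Added example, not GridinSoft's code. Uses only the indicators published on
the page: the sample hashes, the "UPX compressed" file type and the two
related domains. build_fake_pe() creates a harmless, constructed PE image.
"""
import hashlib
import re
import struct

# Hashes of sht.exe as listed under "File Info".
KNOWN_ZEGOST_HASHES = {
    "md5": "a573a45276c988b367c12b5e60b545a9",
    "sha1": "9d280515c6615dd9af3f788c55d53468c9ca8b47",
    "sha256": "bfefdd6a5ab29cb3f49132dc9d8425b7ac9fbefb6d8d490089c380b732127b52",
}

# Domains listed under "Related domains".
RELATED_DOMAINS = {"z.whorecord.xyz", "a.tomx.xyz"}


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_sample(data: bytes) -> bool:
    """True when any digest equals a published Zegost hash."""
    digests = hash_bytes(data)
    return any(digests[algo] == known for algo, known in KNOWN_ZEGOST_HASHES.items())


def pe_section_names(data: bytes) -> list:
    """Parse just enough of a PE file to list its section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # COFF file header follows "PE\0\0"
    if coff + 20 > len(data):
        return []                             # truncated header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        off = first_section + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                             # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX names the sections it produces UPX0/UPX1 (and UPX2 when resources are kept)."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def find_related_domains(log_lines) -> list:
    """Related domains appearing in DNS/proxy log lines, in order of first hit."""
    hits = []
    for line in log_lines:
        for host in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line):
            host = host.lower()
            if host in RELATED_DOMAINS and host not in hits:
                hits.append(host)
    return hits


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    zeroed optional header and a section table. Contains no code at all."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x14C)    # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", coff, 2, len(section_names))
    struct.pack_into("<H", coff, 16, 0xE0)    # PE32 optional header size
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(0xE0) + table


def triage(data: bytes, on_disk_name: str, original_filename: str, log_lines) -> dict:
    """Combine the checks into one verdict dict; original_filename is the
    OriginalFilename string read from the version resource."""
    return {
        "known_hash": matches_known_sample(data),
        "upx_packed": looks_upx_packed(data),
        "name_mismatch": on_disk_name.lower() != original_filename.lower(),
        "ioc_domains": find_related_domains(log_lines),
    }


if __name__ == "__main__":
    # Constructed inputs: a harmless UPX-style PE and two made-up DNS log lines.
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    dns_log = [
        "2020-01-01T00:00:01Z client=10.0.0.5 query=z.whorecord.xyz type=A",
        "2020-01-01T00:00:02Z client=10.0.0.5 query=update.example.com type=A",
    ]
    print(triage(sample, "sht.exe", "360Restore.exe", dns_log))
```

On a real case, replace the constructed PE with the bytes of the quarantined file and the log lines with your resolver's query log; a hash hit is conclusive for this sample, while the UPX and name-mismatch signals only justify a closer look, since legitimate software is also UPX-packed at times.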

Backdoor.Agent.Zegost is also known under the following vendor names. Several engines (ESET-NOD32, Comodo, Ikarus, NANO-Antivirus, AhnLab-V3) place it in the Farfli family and ClamAV labels it a Gh0st RAT dropper, so expect the behaviours of that remote-access family:

MicroWorld-eScan: DeepScan:Generic.ZegostB.3EF0BB49
CAT-QuickHeal: Trojan.MauvaiseRI.S5264015
McAfee: Artemis!A573A45276C9
Cylance: Unsafe
CrowdStrike: win/malicious_confidence_90% (W)
BitDefender: DeepScan:Generic.ZegostB.3EF0BB49
K7GW: Trojan ( 004d3cae1 )
K7AntiVirus: Trojan ( 004d3cae1 )
Arcabit: DeepScan:Generic.ZegostB.3EF0BB49
TrendMicro: BKDR_ZEGOST.SM13
F-Prot: W32/Zegost.CM
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: Win32/Farfli.BLH
APEX: Malicious
Avast: Win32:Malware-gen
ClamAV: Win.Dropper.Gh0stRAT-6992432-0
Kaspersky: HEUR:Trojan.Win32.Generic
Alibaba: VirTool:Win32/CeeInject.84ccab41
NANO-Antivirus: Trojan.Win32.Farfli.fduear
Rising: Trojan.Kryptik!1.B340 (CLASSIC)
Endgame: malicious (moderate confidence)
Emsisoft: Trojan.Agent (A)
Comodo: Backdoor.Win32.Farfli.CJT@7jjkro
F-Secure: Heuristic.HEUR/AGEN.1016091
DrWeb: Trojan.MulDrop3.45645
Zillya: Trojan.Siscos.Win32.4981
McAfee-GW-Edition: GenericRXEW-AK!4971D29A630F
Fortinet: W32/Generic.AC.40bdaf
Trapmine: malicious.high.ml.score
FireEye: DeepScan:Generic.ZegostB.3EF0BB49
Sophos: Troj/AutoG-GH
Ikarus: Trojan.Win32.Farfli
Cyren: W32/Zegost.ETSA-0213
Jiangmin: Trojan.Siscos.gu
Webroot: W32.Malware.Gen
Avira: HEUR/AGEN.1016091
MAX: malware (ai score=81)
Microsoft: VirTool:Win32/CeeInject.TD!bit
SUPERAntiSpyware: Trojan.Agent/Gen-ZegostB
ZoneAlarm: HEUR:Trojan.Win32.Generic
AhnLab-V3: Trojan/Win32.Farfli.C2477292
Acronis: suspicious
VBA32: BScope.Trojan.Siscos
ALYac: Backdoor.Agent.Zegost
TACHYON: Backdoor/W32.Zegost.444416
Ad-Aware: DeepScan:Generic.ZegostB.3EF0BB49
Panda: Trj/Genetic.gen
Zoner: Trojan.Win32.71586
TrendMicro-HouseCall: BKDR_ZEGOST.SM13
Tencent: Malware.Win32.Gencirc.10b3fbcb
Yandex: Trojan.Siscos!e0zZncRhRW8
eGambit: Unsafe.AI_Score_85%
GData: DeepScan:Generic.ZegostB.3EF0BB49
BitDefenderTheta: Gen:NN.ZexaF.33558.jmKfa4j0N7ij
AVG: Win32:Malware-gen
Cybereason: malicious.276c98
Paloalto: generic.ml
Qihoo-360: HEUR/QVM11.1.FB15.Malware.Gen

How to remove Backdoor.Agent.Zegost?

Backdoor.Agent.Zegost removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a "Standard scan".
  • "Move to quarantine" all detected items.
  • Open the "Tools" tab and press "Reset Browser Settings".
  • Select the affected browser and the desired options, then click "Reset".
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
