Trojan.Zapchast.B

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 1,395
Threat Level: 80 % (High)
Infected Computers: 1,315
First Seen: December 3, 2012
Last Seen: March 26, 2026
OS(es) Affected: Windows

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
AVG Dropper.Generic6.BACF
GData MSIL:Downloader-FT
Kaspersky Trojan-Dropper.Win32.Dapato.bqjc
Avast MSIL:Downloader-FT [Trj]
Symantec Trojan.ADH.2
Panda Trj/OCJ.A
AVG Dropper.Generic6.CNQH
Fortinet W32/Zapchast.KNK!tr
Ikarus Trojan.Msil
Microsoft Trojan:MSIL/Zapchast.B
AntiVir TR/Dropper.Gen
Sophos Mal/Generic-L
Kaspersky Trojan.MSIL.Zapchast.knk
Avast Win32:Dropper-gen [Drp]
Symantec Trojan.Gen

File System Details

Trojan.Zapchast.B may create the following file(s):
# File Name MD5 Detections
1. 8515eb34d8f9de5af815466e9715b3e5.exe 3a5063a17da20d0e0661893e82dbeb19 12
2. wscntfy.exe 6ae3751038bbaf0d72c3d80b4532e2d0 1

Analysis Report

General information

Family Name: Trojan.Zapchast.B
Signature status: No Signature

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Builder 558486505 15:48:11 17/05/2022
Comments
  • Removes, Installs, Updates and Controls Devices, Drivers, Servies and Processes on your local System.
  • This installation was built with Inno Setup.
Company Name
  • acrisoft
  • Kerem Gumrukcu
  • Novicorp
Created 7z SFX Constructor v4.6.0.0 (http://usbtor.ru/viewtopic.php?t=798)
File Description
  • Device Remover
  • Novicorp WinToFlash Professional Setup
  • Self-Extracting Package for AC -BUS
File Version 1.0.0.0
Internal Name DeviceRemover.exe
Legal Copyright
  • Copyright by acrisoft
  • Copyright © 2008-2014 by Kerem Gumrukcu
Legal Trademarks Made with Paquet Builder, http://www.installpackbuilder.com
Original Filename DeviceRemover.exe
Product Name
  • AC-BUS
  • Device Remover
  • Novicorp WinToFlash Professional
Product Version
  • 1.6.0001
  • 1.0.0.0
Web No homepage

File Traits

  • 7-zip (In Overlay)
  • 7-zip SFX
  • Installer Version
  • x86

Files Modified

File Attributes
c:\users\user\appdata\local\temp\is-14vtb.tmp\ef3fc3fea185a6dab9cc7c7162dd08b314e2476d_0006833787.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-2e1jj.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-2e1jj.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsh26ff.tmp\langdll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl310b.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq312b.tmp\langdll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pb36fa7384\pbcore.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pb36fa7384\pbdlg.dat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pb36fa7384\pbfprop.dat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pb36fa7384\pbheader.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pb36fa7384\pblng.dat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pb36fa7384\pbremove.dat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\add.reg Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\add.reg Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\deviceremover.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\deviceremover.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\deviceremover.pdb Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\deviceremover.pdb Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\killduplicate.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\killduplicate.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\tools Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\tools\deviceremovercleanup32.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\tools\deviceremovercleanup32.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\tools\deviceremovercleanup64.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\tools\deviceremovercleanup64.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\tools\deviceremoverstartuphelper.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tweaks\devrm\tools\deviceremoverstartuphelper.exe Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 袙ꀫ붔ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䵐ꀰ붔ǜ RegNtPreCreateKey

Windows API Usage

Category API
Keyboard Access
  • GetKeyState
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
Process Terminate
  • TerminateProcess

Shell Command Execution

"C:\Users\Mkglxozr\AppData\Local\Temp\is-14VTB.tmp\ef3fc3fea185a6dab9cc7c7162dd08b314e2476d_0006833787.tmp" /SL5="$20198,6347655,119296,c:\users\user\downloads\ef3fc3fea185a6dab9cc7c7162dd08b314e2476d_0006833787"
(NULL) cmd /c ""C:\Users\Dexeircf\AppData\Local\Temp\Tweaks\DevRm\KillDuplicate.cmd" "C:\Users\Dexeircf\AppData\Local\Temp\Tweaks\DevRm" "607ef9fcb9d68b8f150612076a09c1adaa28ce1d_0006009145""
WriteConsole: The system canno
(NULL) regedit.exe /s "Add.reg"
