Backdoor:Win32/Zegost.BD is a trojan that allows unauthorized access and control of an affected computer.
Installation
When it runs, Backdoor:Win32/Zegost.BD copies itself to %windir%\068be3c7\svchsot.exe.
The malware modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "068BE3C7"
With data: "c:\windows\068be3c7\svchsot.exe"
The malware creates the following Task Scheduler job files on your computer:
%windir%\tasks\at7.job
%windir%\tasks\at8.job
%windir%\tasks\at9.job
%windir%\tasks\at10.job
%windir%\tasks\at11.job
%windir%\tasks\at12.job
%windir%\tasks\at13.job
%windir%\tasks\at14.job
%windir%\tasks\at15.job
%windir%\tasks\at16.job
%windir%\tasks\at17.job
%windir%\tasks\at18.job
%windir%\tasks\at19.job
%windir%\tasks\at20.job
%windir%\tasks\at21.job
%windir%\tasks\at22.job
%windir%\tasks\at23.job
%windir%\tasks\at24.job
Payload
Allows backdoor access and control
Backdoor:Win32/Zegost.BD allows unauthorized access and control of your PC. A hacker can perform a number of different actions, including:
Downloading and running files
Uploading files
Spreading to other computers
Logging your keystrokes or stealing your sensitive data
Modifying your system settings
Running or terminating applications
Deleting files
This malware description was produced and published using our automated analysis system's examination of file SHA1 86d565b9efa9f5bfe1053e435db343d3a4cb5993.