$ analyze-threat Backdoor:Win32/Zegost!pz
Backdoor:Win32/Zegost!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Win32/Zegost!pz
Classification:
Type: Backdoor
Platform: Win32
Family: Zegost
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), 32-bit Windows platform, family Zegost.

Summary:

Backdoor:Win32/Zegost!pz is a sophisticated backdoor that establishes persistence by masquerading as legitimate system components, primarily abusing Svchost. It communicates with command-and-control servers over dynamic DNS and HTTP, giving the operator remote control of the compromised system, and it targets security software as an anti-analysis measure.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
Filename: 87B9F4B07D80515E2D441F15A9500197.exe
SHA-256: d4a4ce5b1dfc4d0f26383c38951b420e1f922ce070123ae0e835a86f384a9056
Date: 16/11/2025
Remediation Steps:
Immediately isolate the affected system from the network. Conduct a full system scan with updated security software and thoroughly investigate for established persistence mechanisms and C2 communication. Due to the high risk of compromise, re-imaging the system is strongly recommended to ensure complete eradication.
=== END REPORT ===
This analysis was last updated on 16/11/2025.