Skip to main content

Trojan.Win32.Ransom_e955f70948


Trojan.Win32.Ransom.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Ransom, Trojan, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: e955f70948cbd1a494c1ecd1524c355c

SHA1: fb4c904ad8bf43727ef03af1b79aa1f4a876d34f

SHA256: 85ac4e4c680d938b7f76f978eab94931ad3cf2f2af43621fef509e8b10c3780c

SSDeep: 98304:KwPTZ0mIRj w6crAMEZsK8a4rb9/Du0Vk/MH:KQmmy 1qAtqVL6/MH

Size: 5722743 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2008-09-16 17:17:44

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:2984

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2984 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMDLOGO.GIF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_MCE_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACERLOGO.GIF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_MCE_LOGO.PNG (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMDLOGO.GIF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\OOBE.XML (469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMDLOGO.GIF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_BAR.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_BADGE.PNG (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABITLOGO.GIF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMDLOGO.GIF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_LOGO.PNG (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_MCE_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_BAR.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_BADGE.PNG (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENTLOGO.GIF (843 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_BADGE.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARELOGO.GIF (923 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_BADGE.PNG (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_BADGE.PNG (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_MCE_LOGO.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\OOBE.XML (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMDLOGO.GIF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_MCE_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_MCE_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BAR.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\OOBE.XML (465 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_BAR.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_BADGE.PNG (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_BAR.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\oem.exe (9605 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\OOBE.XML (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_BAR.PNG (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_BAR.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\OOBE.XML (466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_LOGO.PNG (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\OOBE.XML (475 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BADGE.PNG (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_MCE_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AOPEN\info\AOPENLOGO.GIF (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_BADGE.PNG (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_MCE_LOGO.PNG (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AOPEN\info\AOPEN_BADGE.PNG (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_MCE_LOGO.PNG (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\OOBE.XML (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_BADGE.PNG (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_BAR.PNG (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BADGE.bmp (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_BADGE.bmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AOPEN\info\AOPEN_BADGE.BMP (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\OOBE.XML (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\OOBE.XML (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_LOGO.PNG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_BAR.PNG (6 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_425258 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AOPEN\info\AOPEN_BADGE.PNG (0 bytes)

Registry activity

Dropped PE files

MD5 File path
518b045d78c5dc367634563d68d6aa7ec:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\oem.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2984

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMDLOGO.GIF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_MCE_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACERLOGO.GIF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_MCE_LOGO.PNG (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMDLOGO.GIF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\OOBE.XML (469 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMDLOGO.GIF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_BAR.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_BADGE.PNG (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABITLOGO.GIF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMDLOGO.GIF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_LOGO.PNG (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_MCE_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_BAR.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_BADGE.PNG (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENTLOGO.GIF (843 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_BADGE.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARELOGO.GIF (923 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_BADGE.PNG (24 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_BADGE.PNG (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_MCE_LOGO.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\OOBE.XML (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMDLOGO.GIF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_MCE_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_MCE_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BAR.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\OOBE.XML (465 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_BAR.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_BADGE.PNG (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_BAR.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\oem.exe (9605 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\OOBE.XML (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_BAR.PNG (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\AMD_BAR.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\OOBE.XML (466 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_LOGO.PNG (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\OOBE.XML (475 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BADGE.PNG (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMD\info\AMD_MCE_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AOPEN\info\AOPENLOGO.GIF (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_BADGE.PNG (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_MCE_LOGO.PNG (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AOPEN\info\AOPEN_BADGE.PNG (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\AMD_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_MCE_LOGO.PNG (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDX2\info\OOBE.XML (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ABIT\info\ABIT_BADGE.PNG (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ALIENWARE\info\ALIENWARE_BAR.PNG (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\AMD_BADGE.bmp (35 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH2\info\AMD_BADGE.bmp (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AOPEN\info\AOPEN_BADGE.BMP (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDSemp\info\OOBE.XML (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\AMDPH3\info\OOBE.XML (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\ADVENT\info\ADVENT_LOGO.PNG (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\files\Acer\info\ACER_BAR.PNG (6 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409681920803844.4941d9c3b0b82d7da6d18b0896fb360cea84
.data860163276825603.41851568dd221456d807ca821813c84d65e70
.idata118784819246083.32828e371e957a1467b935ada3eb6ee88c889
.rsrc1269762785282764805.255141454498947ac1a09f99507bb0bf6e2e6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps


Related articles