Trojan.Win32.Autoit.fee (Kaspersky), Application.GenericKD.4561911 (AdAware), Installer.Win32.SmartIM.FD, InstallerSmartIM.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d09434dac229e7478a0461c16ab592a4
SHA1: 2c81da4d5811f99dc7c4cc9919074ebe7a37baf3
SHA256: 2c1cf72ea2eee9eef3e840a77585d46e5df456b90ce0f242793379c2a7a18aee
SSDeep: 49152:4AI zmf2yNjqSCwObYrTU4LHk3OuPfEkng5 Pg9odjBFIYnFwE86Ad/r0kX9 y8l:4AI zpyNjq ObYYA2OuPfEkD CFIGFwW
Size: 2760431 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
%original file name%.exe:2948
The Application injects its code into the following process(es):
amtemu.v0.9.2-painter.exe:2504
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process amtemu.v0.9.2-painter.exe:2504 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
The process %original file name%.exe:2948 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe (19234 bytes)
%Program Files%\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe (37602 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.exe (3727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (3070 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.ini (2 bytes)
The Application deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2948 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxyEmu 0.9.2.0]
"InstallSource" = "c:\"
"DisplayIcon" = "%Program Files%\PainteR\ProxyEmu\Uninstall.exe"
"NoRepair" = "1"
"Language" = "1036"
"InstallDate" = "20170326"
"NoModify" = "1"
"InstallLocation" = "%Program Files%\PainteR\ProxyEmu\"
"DisplayVersion" = "0.9.2.0"
"Publisher" = "PainteR"
"UninstallString" = "%Program Files%\PainteR\ProxyEmu\Uninstall.exe"
"EstimatedSize" = "3745"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxyEmu 0.9.2.0]
"VersionMinor" = "9"
"DisplayName" = "ProxyEmu 0.9.2.0"
"VersionMajor" = "0"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
bf41da0a5f27daacb869e15bef8d766b | c:\Program Files\PainteR\ProxyEmu\Uninstall.exe |
8abdc20f619641e29aa9ad2b999a0dcc | c:\Program Files\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe |
41afbf49ba7f6ee164f31faa2cd38e15 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll |
4a4848a3c13da545774f4e905d472a67 | c:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2948
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe (19234 bytes)
%Program Files%\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe (37602 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.exe (3727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (3070 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.ini (2 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: PainteR
Product Name:
Product Version:
Legal Copyright: PainteR
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.9.2.0
File Description: ProxyEmu 0.9.2.0 Installation
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 148684 | 148992 | 4.57091 | 5e14e4ede2e2215bc7d72837b9871f8f |
DATA | 155648 | 10388 | 10752 | 2.62963 | abafcbfbd7f8ac0226ca496a92a0cf06 |
BSS | 167936 | 4341 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 176128 | 6040 | 6144 | 3.3864 | a4e0ac39d5ed487ceea059fa23dfce5e |
.tls | 184320 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 188416 | 24 | 512 | 0.14174 | c4fdd0c5c9efb616fcc85d66056ca490 |
.reloc | 192512 | 6276 | 6656 | 4.56552 | 867a1120317d51734587a74f6ee70016 |
.rsrc | 200704 | 24360 | 24576 | 4.13029 | 6ed73f87158f61fcfb18220e76d8b0c9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
5cb505a9a998b08c634938cfdf85f294
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Application connects to the servers at the following location(s):