not-a-virus:HEUR:AdWare.Win32.DealPly.gen (Kaspersky), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d2678975ff9d74ef2e9f796e78e05f41
SHA1: 5451574d52a54e8a6f47a2b79bd35e63d161792a
SHA256: 0a81792cbc08a853a03bb882f77204c10f549d10a6b2f61c1d44abf680564beb
SSDeep: 24576:fiJCap9rx4sXIQpuZ7 lO6BBohvwrjU/5ygRs7:fwCAr2aIKTvKv U/V
Size: 985088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Kola
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
%original file name%.exe:3676
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3676 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE (21070 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\BG.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F1AE.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F2A7.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE.part (909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Color_Button.png (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Close.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp.CIS.part (819 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\bootstrap_25231.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Color_Button_Hover.png (846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\default_tb.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp.CIS (980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\default_wi.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\checkbox.css (190 bytes)
The Installer deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F1AE.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F2A7.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\bootstrap_25231.html (0 bytes)
Registry activity
The process %original file name%.exe:3676 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
49bbedf6727936f028bb9082d5145581 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE (21070 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\BG.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F1AE.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F2A7.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE.part (909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Color_Button.png (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Close.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp.CIS.part (819 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\bootstrap_25231.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Color_Button_Hover.png (846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\default_tb.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\default_wi.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\checkbox.css (190 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Kola
Product Name: Seroh
Product Version: 4.3.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Seroh Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 37732 | 37888 | 4.63126 | 62cbd0a17889d3c0e8b06defac0922a5 |
DATA | 45056 | 588 | 1024 | 1.8986 | d5ea23d4ecf110fd2591314cbaa84278 |
BSS | 49152 | 3720 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2228 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 40728 | 40960 | 4.35134 | 60100ca421829f675ac01e8ab2b22467 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://rp.komputerswiatplcdn.com/?v=2.0&subver=6.21&pcrc=1195742462 | 52.214.247.42 |
hxxp://info.komputerswiatplcdn.com/?v=1.03&c=05960c55&at=1094620407&cntr=0 | 176.34.130.130 |
hxxp://rp.komputerswiatplcdn.com/?v=2.0&subver=6.21&pcrc=2097639573 | 52.214.247.42 |
hxxp://os.komputerswiatplcdn.com/komputerswiat.pl/?v=6.0&c=1421784318&t=1308146 | 52.213.148.235 |
hxxp://cdneu.komputerswiatplcdn.com/ofr/Solululadul/asgnd.cis | 85.159.237.103 |
hxxp://files-download.poradnikdogry.pl/SterownikiIPoprawki/Drukarki/HP/HPSupportSolutions/HPSupportSolutionsFramework.exe | 37.26.165.67 |
hxxp://cdnus.komputerswiatplcdn.com/ofr/Solululadul/asgnd.cis | 199.58.87.155 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Installer connects to the servers at the following location(s):