Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, WebToolbar.Win32.InstallCore.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, WebToolbar
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 09058d9b02163e33465a067be1769546
SHA1: 81f29e4d5cce2d77754a390b700b7a6625f8b844
SHA256: c515d5c6f12ba0c4d0d127f0d1bad13d169b3a8eea269389068dc3c6f706e690
SSDeep: 12288:7jFaCqGWcN0QbJ6NKKu JnOBEYSF0iucBWXE28:7jFPqGWc523u JnchSa9XT8
Size: 729592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
%original file name%.exe:2060
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2060 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\bootstrap_55388.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Close.png (293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\text-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is1933591475\423928_stp.EXE (4081 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\BG.jpg (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\UA.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Color_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006777F.log (8 bytes)
%Program Files%\is423761.log (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\ProgressBar.png (958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Progress.png (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\IT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\dat\upd.DAT (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\EN.locale (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Close_Hover.png (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\locale\RU.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is1933591475\423928_stp.EXE.part (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000675DA.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Logo.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\images\Color_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000677DD.log (8 bytes)
The Installer deletes the following file(s):
%Program Files%\is423761.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000675DA.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish423386\bootstrap_55388.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0006777F.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000677DD.log (0 bytes)
Registry activity
The process %original file name%.exe:2060 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\09058d9b02163e33465a067be1769546_RASAPI32]
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
5fa9bb616fd2b1826bc2e77abf0dd41f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is1933591475\423928_stp.EXE |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the files created/modified by the Installer (the same list given under File activity above).
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 37732 | 37888 | 4.628 | 310a73c7478343ed476542b7d130be2c |
DATA | 45056 | 588 | 1024 | 1.89736 | 5d98c64569668b0235ae89005918165a |
BSS | 49152 | 3720 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2228 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 37016 | 37376 | 4.12636 | c556dd3acf57ed59a7c01824696c05de |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 15
Network Activity
URLs
URL | IP |
---|---|
hxxp://d3qor7nx9zb32s.cloudfront.net/exe/FlvPlayerSilent2404.exe | 54.192.203.134 |
hxxp://os.bestusefuldownloads.com/MEDIA/?v=3.0&c=1276920425 | 141.8.225.124 |
hxxp://os.bestusefuldownloads.com/Aff-AD/?v=3.0&c=1276920425 | 141.8.225.124 |
os2.bestusefuldownloads.com | 141.8.225.124 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Installer connects to the servers at the following location(s):