Gen:Variant.Graftor.311803 (B) (Emsisoft), Gen:Variant.Graftor.311803 (AdAware), Trojan.Win32.Bumat.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: be458ac03e8a052eb6c6dc4e130de44c
SHA1: e74ecca94abd90d476fa7c1049d29332880d66ad
SHA256: 97174f4c5dd3fc70aa6cd2184caf741f62a1d2fc961ba47b1249ee9ebc4a1afe
SSDeep: 98304:o7P0en3FnGnyh32jjwrV OjkQS7VFTGQA:s0enGnyhGaVBZSnW
Size: 3848448 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed (note: this verdict is contradicted by the PE Sections table below, which shows UPX0/UPX1 section names, a UPX0 section with zero raw size and a UPX1 section at only 5.5 bits/byte of entropy, the layout of a UPX-packed binary; the PEiD match below is a UPX scrambler signature, so unpack the sample before relying on any static analysis of it)
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-19 16:00:08
Analyzed on: Windows7 SP1 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2936
Note: the only "injection target" recorded is the sample's own process (PID 2936), so no cross-process injection was observed in this run.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2936 makes changes in the file system.
Note: the CryptnetUrlCache\MetaData and \Content entries are written by Windows CryptoAPI (crypt32) when it caches the CRL and OCSP responses listed under Network Activity, and the Cab*.tmp/Tar*.tmp pair in %Temp% is the usual by-product of the certificate trust list download. These are side effects of certificate validation, not a payload. The remaining entry, mm_BD57.tmp\log.txt, is the one not explained by OS behaviour and the one worth recovering from the sandbox.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2936 makes changes in the system registry.
Note: the HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 and _RASMANCS keys are created automatically by the RAS libraries the first time a process calls into them (typically via WinINet/WinHTTP connection APIs); they are evidence that the sample made a network call, not a persistence mechanism. The ZoneMap, Connections\SavedLegacySettings and proxy-related values below come from WinINet proxy auto-detection. None of the listed changes establish persistence: no Run keys, services or scheduled tasks were written.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): no child processes were created, so the only process to end is the sample's own (%original file name%.exe) if it is still running.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: www.GameModding.net
Product Name: ModInstall
Product Version: 1.0.0.0
Legal Copyright: www.GameModding.net
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.1.0.0
File Description: ModInstall 3.0
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 2793472 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 2797568 | 1265664 | 1263104 | 5.49643 | 0f963dff62ce59a79601d7439af4adf0 |
.rsrc | 4063232 | 77824 | 74752 | 2.13349 | cb8e70395f39a703d3e200112f50a8fb |
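The section table above is the strongest packing evidence on this page, and it is exactly what the "Entropy: Not Packed" verdict in the Summary misses. The following script is an added example (not part of the Lavasoft report) that applies section-header packer heuristics: known packer section names, a section with virtual size but no raw data, per-section Shannon entropy, and the raw-to-virtual growth of the image. It runs here on rows copied from the table; `read_sections()` parses the same fields straight from a real PE file with the standard library when given a path. The packer name list and the 7.0 bits/byte threshold are assumptions of the example, not values from the report.

```python
"""Added example (not from the report): packer heuristics over PE section
headers. Run on the report's section table by default, or on a file path."""
import math
import struct
import sys

# Section names written by common packers (UPX, ASPack, NsPack, Petite,
# VMProtect, MPRESS). Assumed list for the example; any other name is not
# evidence either way.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".nsp0", ".nsp1", ".nsp2",
    ".petite", ".vmp0", ".vmp1", ".vmp2", ".MPRESS1", ".MPRESS2",
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits near 8

# Rows copied from the report's PE Sections table (entropy as printed there).
REPORT_SECTIONS = [
    {"name": "UPX0", "virtual_address": 4096, "virtual_size": 2793472,
     "raw_size": 0, "entropy": 0.0},
    {"name": "UPX1", "virtual_address": 2797568, "virtual_size": 1265664,
     "raw_size": 1263104, "entropy": 5.49643},
    {"name": ".rsrc", "virtual_address": 4063232, "virtual_size": 77824,
     "raw_size": 74752, "entropy": 2.13349},
]


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def read_sections(path):
    """Parse IMAGE_SECTION_HEADER entries from a PE file using only struct."""
    with open(path, "rb") as f:
        data = f.read()
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rsize,
            "entropy": shannon_entropy(data[rptr:rptr + rsize]),
        })
    return sections


def packing_indicators(sections):
    """Return human-readable reasons to suspect a packer; empty list if none."""
    reasons = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"{s['name']}: section name belongs to a known packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and s["name"] != ".bss":
            reasons.append(f"{s['name']}: {s['virtual_size']} bytes virtual but no raw data, "
                           "filled at run time (typical unpack target)")
        if s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"{s['name']}: entropy {s['entropy']:.2f} suggests compressed data")
    raw_total = sum(s["raw_size"] for s in sections)
    virt_total = sum(s["virtual_size"] for s in sections)
    if virt_total > 2 * raw_total:
        reasons.append(f"image grows from {raw_total} raw bytes to {virt_total} in memory")
    return reasons


if __name__ == "__main__":
    secs = read_sections(sys.argv[1]) if len(sys.argv) > 1 else REPORT_SECTIONS
    for line in packing_indicators(secs) or ["no packer indicators"]:
        print(line)
```

On the report's rows this yields four indicators (both UPX names, the empty UPX0 region and the 3x growth in memory) and no entropy hit: UPX's compressed section here sits at 5.5 bits/byte, below any sensible entropy threshold, which is why a verdict built only on entropy says "Not Packed" while the headers say otherwise.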
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 713
d9ef811825b1ee97884ecc253485628d
9706f670385750cc9e55dd675cb8b6ce
ff44f222a0a760bbef58adab93d56ac2
a51af5ff635585379673c594040dd29b
5c5d59dd3f1d56109d9917c805fbdbc5
5c18b4209f1568fa675dd09e5b21be1b
d8160329bf41757fb1dc447b52da182d
f5feb1f087479b09b7192a52328cbd97
8a2ca21f91ed4d7ee1c33f0f1d8fbeee
88c16dacd625d078d60e17d4cc6864d8
f1ac824d74d95d59dfbcdcf950181955
3e51c7a8d0ed04d48e7fd8b66951b596
b64aceb6191eb51a003d4a734c2ed77f
1a7b8804847bbbea66cff40420fa5c13
4d00e484119be896a6924d38ac170da2
f4b36e74bce986ae9cecf7ac18d08382
62d2f84d64acf46a358f4f6d026bb7af
0174ea351a3d87d915332a2323618c44
57d07fa304cfc958f33cf583effd8760
afd1a07be878e472a65b3b7b2d20d6d3
fc15ffba7b8edc332a5e0e684fe52510
2af58ca844ae52c85342ea85d05dd7a1
2b4772ec611456d7b21f861c3232af1e
809143c62ce8e1ac7b6a4d38a54c78d5
5c66d833839123194246dce81ff2d1bd
70f276f4bab4fd118947a9e1c6a2e5a2
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl | |
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== | |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK | |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | 172.217.20.174 |
hxxp://crl.geotrust.com/crls/secureca.crl | 23.43.133.163 |
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | 172.217.20.174 |
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK | 172.217.20.174 |
ssl.google-analytics.com | 172.217.20.168 |
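Every URL in the table is either a CRL download (secureca.crl), an OCSP GET request (the long base64 path segments to clients1.google.com, g.symcd.com and ocsp.verisign.com, with the akamaiedge entries being their CDN targets) or Google Analytics; this is the network side of the CryptnetUrlCache writes listed under File activity. The script below is an added example (not part of the Lavasoft report) that proves the point rather than assuming it: per RFC 6960 A.1 an OCSP GET carries the DER OCSPRequest base64-encoded as the last path segment, so a small DER walker can recover the CertID (hash algorithm, issuer name hash, issuer key hash and certificate serial) from each URL and separate revocation checks from a beacon that merely looks like one. The URL list is copied from the table above; the DER parser and the `classify_url` labels are the example's own.

```python
"""Added example (not from the report): decode OCSP GET requests found in a
sandbox URL table and label each URL as ocsp, crl or other."""
import base64
import urllib.parse

SHA1_OID = "1.3.14.3.2.26"

# URLs copied from the report's network table; the defanged "hxxp" scheme is
# kept as-is because urlsplit does not care about the scheme name.
REPORT_URLS = [
    "hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon",
    "hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==",
    "hxxp://crl.geotrust.com/crls/secureca.crl",
    "ssl.google-analytics.com",
]


def _read_tlv(buf, pos):
    """Return (tag, value, end) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _children(value):
    """Return the (tag, value) TLVs contained in a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def _decode_oid(raw):
    """Render the content bytes of a DER OBJECT IDENTIFIER as dotted decimal."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_request(der):
    """Return one dict per CertID inside a DER OCSPRequest (RFC 6960 4.1.1)."""
    tag, ocsp_req, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    tbs_tag, tbs = _children(ocsp_req)[0]  # tbsRequest comes first
    if tbs_tag != 0x30:
        raise ValueError("missing TBSRequest")
    # TBSRequest: optional [0] version and [1] requestorName are context
    # tagged (0xA0/0xA1); requestList is the first plain SEQUENCE.
    request_list = next(v for t, v in _children(tbs) if t == 0x30)
    cert_ids = []
    for req_tag, request in _children(request_list):
        if req_tag != 0x30:
            raise ValueError("Request must be a SEQUENCE")
        fields = _children(_children(request)[0][1])  # reqCert CertID
        if [t for t, _ in fields[:4]] != [0x30, 0x04, 0x04, 0x02]:
            raise ValueError("CertID has unexpected field tags")
        alg_oid = _children(fields[0][1])[0][1]  # AlgorithmIdentifier.algorithm
        cert_ids.append({
            "hash_algorithm": _decode_oid(alg_oid),
            "issuer_name_hash": fields[1][1].hex(),
            "issuer_key_hash": fields[2][1].hex(),
            "serial_hex": fields[3][1].hex(),
        })
    return cert_ids


def parse_ocsp_get_url(url):
    """Decode the base64 OCSPRequest carried as the last path segment of url."""
    segment = urllib.parse.unquote(urllib.parse.urlsplit(url).path.rsplit("/", 1)[-1])
    segment += "=" * (-len(segment) % 4)  # tolerate stripped padding
    return parse_ocsp_request(base64.b64decode(segment, validate=True))


def classify_url(url):
    """Label a sandbox URL as an OCSP request, a CRL download, or other."""
    if urllib.parse.urlsplit(url).path.lower().endswith(".crl"):
        return "crl"
    try:
        parse_ocsp_get_url(url)
        return "ocsp"
    except (ValueError, IndexError, StopIteration):  # binascii.Error is a ValueError
        return "other"


if __name__ == "__main__":
    for url in REPORT_URLS:
        kind = classify_url(url)
        print(f"{kind:5s} {url[:70]}")
        if kind == "ocsp":
            for cid in parse_ocsp_get_url(url):
                alg = "SHA-1" if cid["hash_algorithm"] == SHA1_OID else cid["hash_algorithm"]
                print(f"      alg={alg} serial={cid['serial_hex']} issuerKeyHash={cid['issuer_key_hash']}")
```

Both base64 paths decode to well-formed single-CertID requests hashed with SHA-1 (OID 1.3.14.3.2.26), the clients1.google.com one for serial 401dae0edd2aaa27 and the g.symcd.com one for serial 023a92. A C2 channel disguised as OCSP would fail the DER walk or carry a CertID that matches no issuer in the endpoint's certificate chain, so the same check is worth running over proxy logs before treating base64-looking GETs as beacons.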
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):