HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.206436 (B) (Emsisoft), Gen:Variant.Zusy.206436 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a1bbca8139bdabe892df787bea434c33
SHA1: e8042c20f5bb729788169526aeb593c0b7fbe6a7
SHA256: 0b14af2ff95be8854ecc788c951e747b3cacbf1a45e64d8c0c28a25bbc528c84
SSDeep: 98304:spdtSgDeSy0mrIgH4xxX2Etg69BEKzgXzu15:Zrz4xxZg6PkXzm
Size: 3493888 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-12-06 17:56:49
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
HC188.exe:2748
WScript.exe:2632
src2011.tmp:372
src2011.exe:3732
bFuAq.exe:3352
1819.exe:3564
rundll32.exe:3404
mm.exe:2712
regsvr32.exe:2260
mmc.exe:3368
guide.exe:2532
guide.exe:672
otqvyruekg.exe:3296
The Trojan injects its code into the following process(es):
%original file name%.exe:2180
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process HC188.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\1819.exe (50 bytes)
C:\Windows\mm.exe (299 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\hyaz2_Y_10031[1].exe (28065 bytes)
C:\Windows\src2011.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\src2011[1].exe (565882 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\yy[1].txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1819[1].exe (527707 bytes)
The process WScript.exe:2632 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Windows\1819.exe (0 bytes)
C:\Windows\tem.vbs (0 bytes)
The process src2011.tmp:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B9OOF.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-MF5A3.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-RP6UK.tmp (663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-19N56.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-460JK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-FVIO4.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-2MIAD.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-IADDD.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-NICJE.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-HVUIH.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-T9LKT.tmp (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-3KJB6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-J5JMM.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CAITJ.tmp (13800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-G6L66.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-2VABS.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B8MLT.tmp (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-065I6.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A0FE6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9S1N0.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\ISTask.dll (687 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-G7L8O.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-IK8SG.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-7F8IN.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-PBIU3.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-LF318.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-8PHSQ.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-5ICHK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-20378.tmp (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-LUS01.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CTN93.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-RPA16.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UL91T.tmp (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.d (438 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-T50I1.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-BHK2S.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-4EB2H.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-7ON68.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-PEBLC.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-0PTE5.tmp (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-SM9S4.tmp (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-RVOIL.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-8NQQU.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-SMSJL.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-ULD5Q.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-L3U6R.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-4Q56G.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-9FV32.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-7LBB8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-SIFLR.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-6SUBS.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9G0BA.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-R6SC4.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-9T08E.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UBRU8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-EPA69.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-K9B92.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-C1SG6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-TO7V8.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-AGEEL.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A35DN.tmp (2 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\ISTask.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp (0 bytes)
The process src2011.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp\src2011.tmp (1423 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp\src2011.tmp (0 bytes)
The process bFuAq.exe:3352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\onest.txt (1 bytes)
C:\Windows\Report.log (7 bytes)
The process 1819.exe:3564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Media\McIe.wav (17 bytes)
C:\Windows\Media\Mcfg.wav (1 bytes)
C:\Windows\tAzJsX\27e.exe (108 bytes)
C:\Windows\tAzJsX\bFuAq.exe (218 bytes)
C:\Windows\tAzJsX\Dqc.exe (108 bytes)
C:\Windows\tAzJsX\G57.exe (108 bytes)
C:\Windows\tAzJsX\BPp.exe (108 bytes)
C:\Windows\onest.txt (1 bytes)
C:\Windows\tAzJsX\PTR.exe (108 bytes)
C:\Windows\Media\hd.wav (1 bytes)
C:\Windows\mcconfig.dat (2 bytes)
C:\Windows\pcq.exe (108 bytes)
C:\Windows\tAzJsX\LiveUDHelper.dll (1 bytes)
C:\Windows\tAzJsX\drH.exe (108 bytes)
C:\Windows\tAzJsX\MIJ.exe (108 bytes)
C:\Windows\tem.vbs (169 bytes)
The process rundll32.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
Recoverable string fragments (each listed once; the file list itself is absent from the report):
&with
&action
&locale&clientType&clientVersion
&clientType&clientVersion
&mac&pid&did&mid
&version&source&uuid
&method&n&_b&_c&_d&_m&source&uuid&version&sign&os&app_name
&version&source&uuid&type
&url&url
&hXXps:
&mac
&version