Skip to main content

Gen.Variant.Zusy.206436_a1bbca8139


HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.206436 (B) (Emsisoft), Gen:Variant.Zusy.206436 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a1bbca8139bdabe892df787bea434c33

SHA1: e8042c20f5bb729788169526aeb593c0b7fbe6a7

SHA256: 0b14af2ff95be8854ecc788c951e747b3cacbf1a45e64d8c0c28a25bbc528c84

SSDeep: 98304:spdtSgDeSy0mrIgH4xxX2Etg69BEKzgXzu15:Zrz4xxZg6PkXzm

Size: 3493888 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6

Company: no certificate found

Created at: 2016-12-06 17:56:49

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):

HC188.exe:2748
WScript.exe:2632
src2011.tmp:372
src2011.exe:3732
bFuAq.exe:3352
1819.exe:3564
rundll32.exe:3404
mm.exe:2712
regsvr32.exe:2260
mmc.exe:3368
guide.exe:2532
guide.exe:672
otqvyruekg.exe:3296

The Trojan injects its code into the following process(es):

%original file name%.exe:2180

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process HC188.exe:2748 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\1819.exe (50 bytes)
C:\Windows\mm.exe (299 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\hyaz2_Y_10031[1].exe (28065 bytes)
C:\Windows\src2011.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\src2011[1].exe (565882 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\yy[1].txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1819[1].exe (527707 bytes)

The process WScript.exe:2632 makes changes in the file system.


The Trojan deletes the following file(s):

C:\Windows\1819.exe (0 bytes)
C:\Windows\tem.vbs (0 bytes)

The process src2011.tmp:372 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B9OOF.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-MF5A3.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-RP6UK.tmp (663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-19N56.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-460JK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-FVIO4.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-2MIAD.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-IADDD.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-NICJE.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-HVUIH.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-T9LKT.tmp (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-3KJB6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-J5JMM.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CAITJ.tmp (13800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-G6L66.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-2VABS.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B8MLT.tmp (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-065I6.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A0FE6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9S1N0.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\ISTask.dll (687 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-G7L8O.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-IK8SG.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-7F8IN.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-PBIU3.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-LF318.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-8PHSQ.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-5ICHK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-20378.tmp (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-LUS01.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CTN93.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-RPA16.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UL91T.tmp (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.d (438 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-T50I1.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-BHK2S.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-4EB2H.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-7ON68.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-PEBLC.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-0PTE5.tmp (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-SM9S4.tmp (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-RVOIL.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-8NQQU.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-SMSJL.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-ULD5Q.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-L3U6R.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-4Q56G.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-9FV32.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-7LBB8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-SIFLR.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-6SUBS.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9G0BA.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-R6SC4.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-9T08E.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UBRU8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-EPA69.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-K9B92.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-C1SG6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-TO7V8.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-AGEEL.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A35DN.tmp (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\ISTask.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp (0 bytes)

The process src2011.exe:3732 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp\src2011.tmp (1423 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp\src2011.tmp (0 bytes)

The process bFuAq.exe:3352 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\onest.txt (1 bytes)
C:\Windows\Report.log (7 bytes)

The process 1819.exe:3564 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\Media\McIe.wav (17 bytes)
C:\Windows\Media\Mcfg.wav (1 bytes)
C:\Windows\tAzJsX\27e.exe (108 bytes)
C:\Windows\tAzJsX\bFuAq.exe (218 bytes)
C:\Windows\tAzJsX\Dqc.exe (108 bytes)
C:\Windows\tAzJsX\G57.exe (108 bytes)
C:\Windows\tAzJsX\BPp.exe (108 bytes)
C:\Windows\onest.txt (1 bytes)
C:\Windows\tAzJsX\PTR.exe (108 bytes)
C:\Windows\Media\hd.wav (1 bytes)
C:\Windows\mcconfig.dat (2 bytes)
C:\Windows\pcq.exe (108 bytes)
C:\Windows\tAzJsX\LiveUDHelper.dll (1 bytes)
C:\Windows\tAzJsX\drH.exe (108 bytes)
C:\Windows\tAzJsX\MIJ.exe (108 bytes)
C:\Windows\tem.vbs (169 bytes)

The process rundll32.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):





































































































































































&with
































































































































































































































































































































































































































































































&action
&action
&locale&clientType&clientVersion
&clientType&clientVersion
&mac&pid&did&mid
&version&source&uuid
&version&source&uuid
&version&source&uuid
&method&n&_b&_c&_d&_m&source&uuid&version&sign&os&app_name
&version&source&uuid&type
&action
&clientType&clientVersion
&mac&pid&did&mid
&locale&clientType&clientVersion

&action

&action

&action

&action

&version&source&uuid

&version&source&uuid

<<<>>>

&method&n&_b&_c&_d&_m&source&uuid&version&sign&os&app_name

&version&source&uuid&type

&version&source&uuid

&url&url

&version&source&uuid

&version&source&uuid

<<<>>>

&version&source&uuid

&url&url

<><><><><><><><><><><><><><><><><><>

&

<<<>>>

<&<&>&&Iz....g7<<&<<>

<<<>>>

<&<&>&&Iz....g7<<&F.t.V..3..w...4.o.m>&&&>

<<<>>>

&action

&action

<<

<<<>>>

<><><><><><><><><><><><><><><><><><><><><><>

&action

<><><><><><><><><><><><><><><><><><><><><><><><><><>

<><><><><><><><><><><><><><><><><><><><><><>

&action

<><><><><><><><><><><><><><><><><><><><><><><><><><>

<><><><><><><><><><><><><><><><><><><><><><>

&action

<><><><><><><><><><><><><><><><><><><><><><><><><><>

&clientType&clientVersion

<><><><><><><><><><><><><><><><><>

&mac&pid&did&mid

&mac&pid&did&mid

&<><<&&>&<><<&&>

<<<>>>

<<<<<<>>>&hXXps:

<<<>>>

><

<<<>>>

<&&&&&&<<&&&&p<

<<<>>>

&locale&clientType&clientVersion

&clientType&clientVersion

&clientType&clientVersion

&mac

&mac

&

&

&&&&

&&&&

&

&

&

&

&

&

&&

&&

&&

&&

&

&

&mac

&mac

&

&

&

&

&

&

&

&

&

&

&version

&version