HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.71274 (B) (Emsisoft), Gen:Variant.Kazy.71274 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 03b63b1928954b76117b4f943f881c8d
SHA1: 246d5b3efc69f063e3cbfeb78e5b177262c705eb
SHA256: 1e6bfc1ae2373d40b9f18fd67d3a1964f05cbab08b028de2a566c558efcb042c
SSDeep: 6144:5G0w4rrdhvh9Bc/byJT5E17pn2Hhru9dLP/sBPA/g:5w4vRl07V y9WhA/g
Size: 276992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2002-10-04 05:12:45
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1108
The Trojan injects its code into the following process(es):
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\AppPatch\drljflg.exe (1977 bytes)
%System%\config\software (2136 bytes)
%System%\config\SOFTWARE.LOG (3043 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 27 BD 80 17 78 B1 ED 80 8D 4D D4 54 2D 67 83"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\drljflg.exe_, \??\%WinDir%\apppatch\drljflg.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöFë9µ®^$YÉòd¼Œ¤Kô1,Å $ë›ÛÌ«â€Â¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’#»Û:ÑU„„Ãâ€ÂÂÂÂ\±ª²DÆ’uœ¡Ü¼);¼\Æ’tµ2â€ÂÂkDùâ€ÂÂaâ€ÂÂ*›cü$}Sô|ë$¤ô{¬q³#sÃ…Ã¥\yuJÛËu©|ù¢rKã!$’‹‹b±ÃÄ£ã“ÉUcdÃÂÂÄZ¡r»ôâ€ÂÂ)Û©Š]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*™ü›ÙóÃÂÂÃÂÂ=éÃâ€ÂÑщ¬q9|áÃÂÂù’‘ÃÂÂéšÄR"
Dropped PE files
MD5 | File path |
---|---|
f0f76c78da8fa0511f3eae4d70630074 | c:\WINDOWS\AppPatch\drljflg.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in CRYPT32.dll:
CertVerifyCertificateChainPolicy
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in USER32.dll:
GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASend
recv
gethostbyname
WSARecv
send
The Trojan installs the following user-mode hooks in kernel32.dll:
CreateFileW
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1108
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\AppPatch\drljflg.exe (1977 bytes)
%System%\config\software (2136 bytes)
%System%\config\SOFTWARE.LOG (3043 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: platformism
Product Name: Terrella
Product Version: 4.6.0.3
Legal Copyright: Lysidine
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.3.4.4
File Description: Underviewer
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.QwfR | 4096 | 38440 | 1536 | 0 | 53e979547d8c2ea86560ac45de08ae25 |
.EAeKTf | 45056 | 13531 | 3072 | 0 | d2a70550489de356a2cd6bfc40711204 |
.ITOkSwi | 61440 | 31332 | 3072 | 0 | d2a70550489de356a2cd6bfc40711204 |
.EeYFtGi | 94208 | 29715 | 1024 | 0 | 0f343b0931126a20f133d67c2b018a3b |
.text | 126976 | 16405 | 16896 | 4.64569 | 8abc11e6d0f390de8907557ceca13c27 |
.pJUewT | 147456 | 799 | 1024 | 3.09873 | 8fdb88bd0f0d6a780602025b29b32045 |
.Ywuy | 151552 | 1300 | 1536 | 3.57656 | 46b99747333135e22a388697e935308f |
.ipAxoYi | 155648 | 2919 | 3072 | 3.30209 | 08b8e22643ef4244cc2729841f02cc24 |
.LVTVh | 159744 | 2399 | 2560 | 3.16979 | e715b8114e976e89ba9ea90641510f3a |
.yLDaz | 163840 | 751 | 1024 | 3.48958 | 978de2e7392ed38473456af1b9c3bdb3 |
.sJDw | 167936 | 584 | 1024 | 2.43225 | 3c063054b31f63b7330c4e41d1063ee0 |
.data | 172032 | 116559 | 7168 | 4.89352 | 2114e1ec63e947caffb185df61f405b2 |
.aKRpo | 290816 | 685 | 1024 | 2.84696 | 5ff4752d21cf700ce7042ad77b002c7f |
.rdata | 294912 | 212173 | 212480 | 5.54 | 227876def98eb46ee032bc8b2caddd97 |
.XvvGFf | 507904 | 1099 | 1536 | 0 | 53e979547d8c2ea86560ac45de08ae25 |
.rsrc | 512000 | 17480 | 17920 | 2.64172 | 55035c2bb389f2edb3013ea36f8af6f4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_1684_rwx_022A0000_000B2000:
.text
`.data
.reloc
`.rdata
@.data
http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
à %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;
6&7-737
3"33393>3}3
;#;);/;=;
=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current
Explorer.EXE_1684_rwx_02E20000_000B8000:
.text
`.rdata
@.data
.reloc
http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
à %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
SYSTEM!XP1!F9BE9A8A
%WinDir%\apppatch\drljflg.exe
%Documents and Settings%\%current user%\Application Data\
5`6C6Q6}6
55
;";,;6;
6&7-737
3"33393>3}3
;#;);/;=;
=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current