Skip to main content

Trojan.GenericKD.2529275_c367f53b57


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.2529275 (B) (Emsisoft), Trojan.GenericKD.2529275 (AdAware), Trojan-Banker.Win32.Banker.FD, Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Banker, Trojan, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: c367f53b571ea3563e6eba42a2ecf524

SHA1: 26e580fc6798012d24a98e23c175ac759fa9bbb2

SHA256: e8ba3f809f1ca121baf3f6c9fed93aa3393f53b2bc845134b25984b7730a23e5

SSDeep: 12288:WA2 cLCbr2GOkD3kp2SyITvjJ7/bEEfrsO47g/Wx:B21Cbr5OkDSuITLJAenl/W

Size: 621568 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: ASPackv212, UPolyXv05_v6

Company: no certificate found

Created at: 2015-07-01 08:37:39

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

setup_30032.exe:1604
-2100_1_ss.exe:1776
JSZS.exe:552

The Trojan injects its code into the following process(es):

copy%original file name%.exe:560
%original file name%.exe:772
JSZS.exe:1860

Mutexes

The following mutexes were created/opened:

CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003RasPbFileWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexShimCacheMutex

File activity

The process setup_30032.exe:1604 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\anote\Alarm.wav (13 bytes)
%Program Files%\anote\anote.exe (36078 bytes)
%Program Files%\anote\about.jpg (9 bytes)
%Program Files%\anote\uninstall.exe (2392 bytes)
%Program Files%\anote\Language\chinese.ini (2 bytes)








































































































































































































































































































































































































&<&&

<<<>>>

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<<>>>

<><><><><><><><><><><><><><>

&&>>>>

<<<>>>

<<<>>>

<

<<<>>>

&

&

&

&

&s

&s

&Cannot

&Cannot

&Cannot

&Cannot

&Error

&Error

&

&

&

&

&s

&s

&Cannot

&Cannot

&Cannot

&Cannot

&Error

&Error

<.fg>

<.fg>

&mianid

&mianid

&DeviceID

&DeviceID

&id

&id

&keyword

&keyword

&appver&userid&softid&signcode&imie&mac&phonenumber&imsi

&appver&userid&softid&signcode&imie&mac&phonenumber&imsi

&appver&userid&advid&styleid&signcode&imie&mac&phonenumber&imsi

&appver&userid&advid&styleid&signcode&imie&mac&phonenumber&imsi

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&V
&
&
&Cannot
&Error
&mac&k
&