Skip to main content

Gen.Variant.Kazy.288402_d9872a07f9


Susp_Dropper (Kaspersky), Gen:Variant.Kazy.288437 (B) (Emsisoft), Gen:Variant.Kazy.288402 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: d9872a07f9990e94feab39de2fa22373

SHA1: 375a2ca5e369f46f53efd625921edda573a458f4

SHA256: 1d56c27c56154845c7931bb54fc5935f82fa51b3b3b501b43a933afa55dc9f8b

SSDeep: 6144:ZbiTBxCdEuTJComYUS/AABLYg9RtrS4KQlpW4GMQ G4kUVCAkpfJNgUuUX7Nyx3f:ZbiTBxCOUJCaTPUg9RgrQlP1Q15UV9YC

Size: 347449 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-11-08 17:42:50

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2744
%original file name%.exe:2916
neaz.exe:2492
neaz.exe:2544

The Trojan injects its code into the following process(es):

Explorer.EXE:1948

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2916 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Ejizqy\neaz.exe (2452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IPM2A89.bat (173 bytes)

The process neaz.exe:2492 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (5848 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6428 bytes)

Registry activity

The process %original file name%.exe:2744 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D DB 77 21 D4 C8 97 88 E2 B5 F7 63 D7 B3 82 E6"

The process %original file name%.exe:2916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 82 83 DE 86 51 AA 0E BD B0 06 4C FA 8F 9F 13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process neaz.exe:2492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 21 E3 F8 33 36 96 6D A9 8D B6 9D 58 C3 B9 A3"

[HKCU\Software\Microsoft\Obxidaule]
"23959ic7" = "umtV2w9fmYTKG2mFQ7s CA==#"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process neaz.exe:2544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 4E 83 60 92 F2 3C CE 88 67 03 7E D5 83 17 26"

Dropped PE files

MD5 File path
4aac371232ead0e1b127733a6865f363c:\Documents and Settings\"%CurrentUserName%"\Application Data\Ejizqy\neaz.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2744
    %original file name%.exe:2916
    neaz.exe:2492
    neaz.exe:2544

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Ejizqy\neaz.exe (2452 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IPM2A89.bat (173 bytes)
    %Documents and Settings%\%current user%\ntuser.dat.LOG (5848 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (6428 bytes)

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409625944261124.072678426a1495a62c318d53ea1f0fbaa160a
.idata32768353235843.54497c40fd005544f8011a9b339cbb7c52071
.CRT3686445120.0423959b48522a507c88a047d33270e55b537b
.rsrc4096014136368644.84285f866d6cd92f982bb522009d99a2fc76e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_1948_rwx_023F0000_00048000:

.text

.text

`.data

`.data

.reloc

.reloc

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

)"4(7*

)"4(7*

!*

!*

0123456789

0123456789

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

hXXp://VVV.google.com/

hXXp://VVV.google.com/

hXXp://VVV.bing.com/

hXXp://VVV.bing.com/

REPORT

REPORT

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

RegDeleteKeyExW

RegDeleteKeyExW

HTTP/1.1

HTTP/1.1

m9.td

m9.td

t.Ht$HHt

t.Ht$HHt

ntdll.dll

ntdll.dll

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

GetKeyboardState

GetKeyboardState

USER32.dll

USER32.dll

CryptGetKeyParam

CryptGetKeyParam

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegCreateKeyExW

RegCreateKeyExW

RegCloseKey

RegCloseKey

RegQueryInfoKeyW

RegQueryInfoKeyW

RegDeleteKeyW

RegDeleteKeyW

RegOpenKeyExW

RegOpenKeyExW

RegFlushKey

RegFlushKey

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

PathIsURLW

PathIsURLW

UrlUnescapeA

UrlUnescapeA

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

ole32.dll

ole32.dll

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

PFXImportCertStore

PFXImportCertStore

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlA

InternetCrackUrlA

HttpOpenRequestA

HttpOpenRequestA

HttpEndRequestA

HttpEndRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

VERSION.dll

VERSION.dll

msvcrt.dll

msvcrt.dll

zcÁ

zcÁ

: :$:(:,:0:4:

: :$:(:,:0:4:

7!7%7)7-7175797

7!7%7)7-7175797

4-5}5

4-5}5

:":(:3:9:

:":(:3:9:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s

"%s" %s

"%s" %s

/c "%s"

/c "%s"

kernel32.dll

kernel32.dll

urlmon.dll

urlmon.dll

launchpadshell.exe

launchpadshell.exe

dirclt32.exe

dirclt32.exe

wtng.exe

wtng.exe

prologue.exe

prologue.exe

pcsws.exe

pcsws.exe

fdmaster.exe

fdmaster.exe

shell32.dll

shell32.dll

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

cabinet.dll

cabinet.dll

Wadvapi32.dll

Wadvapi32.dll

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data

Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}

Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}