Skip to main content

HackTool.Win32.PassView_f6ba711fc8


UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.Agent.BDIY (AdAware), GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)Behaviour: Trojan, Worm, HackTool, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: f6ba711fc8973f0957d72eb4909ca514

SHA1: 5810dbd6c075bbb7a8f5d39e1779f272a0d9c5d4

SHA256: b84961f37bc4de2dd268f555a0d20c42518e40830b01450ea278ca3e58db1d72

SSDeep: 24576:ht24uI/UvI338DEu06Os5M0x8tTRBNQ962u68GGUEtsh7N1e:9eQ3sz0dy8DsK68OXe

Size: 1188470 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Piriform Ltd

Created at: 2013-08-22 16:00:50

Analyzed on: WindowsXP SP3 32-bit

Summary: HackTool. Can be used to investigate, analyze or compromise the system security. Some HackTools are multi-purpose programs, while others may have legitimate uses.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer.


Process activity

The HackTool creates the following process(es):

CzZdrfStRyx.exe:1692
%original file name%.exe:220
vbc.exe:1748
vbc.exe:1180

The HackTool injects its code into the following process(es):

RegSvcs.exe:416

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process RegSvcs.exe:416 makes changes in the file system.


The HackTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (32 bytes)
%System%\wbem\Logs\wbemprox.log (152 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (57 bytes)

The HackTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)

The process %original file name%.exe:220 makes changes in the file system.


The HackTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\88qlotaa5l\YDjWslNLY.XDD (249023 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\OlUKB.EUD (1800 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\ihxztCbuQwWn.NLQ (31 bytes)
%Documents and Settings%\%current user%\88qlotaa5l\CzZdrfStRyx.exe (31505 bytes)

The HackTool deletes the following file(s):

%Documents and Settings%\%current user%\88qlotaa5l\__tmp_rar_sfx_access_check_2148937 (0 bytes)

The process vbc.exe:1748 makes changes in the file system.


The HackTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)

Registry activity

The process CzZdrfStRyx.exe:1692 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 5B 41 C0 FF 91 91 BC 77 92 FA BE EE 6A 19 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process RegSvcs.exe:416 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\RegSvcs\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 DF 3C 68 30 3E A1 06 5B B8 64 E7 E3 27 E8 14"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"

The HackTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\RegSvcs\DEBUG]
"Trace Level"

The process %original file name%.exe:220 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 EB 30 98 69 46 B6 88 EC 9E D0 52 FA 8B AD F3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\88qlotaa5l]
"CzZdrfStRyx.exe" = "AutoIt v3 Script"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The HackTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process vbc.exe:1748 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 2B 59 FA D8 F8 A5 FE 51 86 9E 35 8B 73 83 F0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The process vbc.exe:1180 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 21 61 D1 1F 25 F1 75 54 87 54 86 B5 D5 E9 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

MD5 File path
e01ced5c12390ff5256694eda890b33ac:\Documents and Settings\"%CurrentUserName%"\88qlotaa5l\CzZdrfStRyx.exe
faa8ea9027ed6b6c875c247e59285270c:\Documents and Settings\"%CurrentUserName%"\Application Data\WindowsUpdate.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    CzZdrfStRyx.exe:1692
    %original file name%.exe:220
    vbc.exe:1748
    vbc.exe:1180

  2. Delete the original HackTool file.
  3. Delete or disinfect the following files created/modified by the HackTool:

    %Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
    %Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (32 bytes)
    %System%\wbem\Logs\wbemprox.log (152 bytes)
    %Documents and Settings%\%current user%\Application Data\pidloc.txt (57 bytes)
    %Documents and Settings%\%current user%\88qlotaa5l\YDjWslNLY.XDD (249023 bytes)
    %Documents and Settings%\%current user%\88qlotaa5l\OlUKB.EUD (1800 bytes)
    %Documents and Settings%\%current user%\88qlotaa5l\ihxztCbuQwWn.NLQ (31 bytes)
    %Documents and Settings%\%current user%\88qlotaa5l\CzZdrfStRyx.exe (31505 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40961519341520644.6444492abffc6a56a40e47e60620bc02b652e
.rdata15974420291204803.691443bc937cdae1248917ecca2bfbd21ec86
.data18022413667251201.76024ec6b38244c52a1c8d4b504f9e1522d10
.rsrc31948813764138243.140296aff86817f1888aaf7f45ab2e0e6827c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 11
943a95c939056afb263c54d43c2dc686
06b9fdbfdd54a090f023f0f05cbe0985
df3e22ed233b583251e71430dbe8b197
fd635d68dff11feeb71a50711cafdb9c
56db250fa9e5656b9068f2d109b9c8d1
67caeb64f372efabd815f7efd0b8d828
33a0b599d47b05fd03f4a63696abc2ee
ccc5052d6c541dbb0fe13b152f919db4
915fa5fb0e0d96385e8ac15db8ca4f24
54c382daa0ec7baafa85f078b43e6227
f0863b455ad2db7a1774031d9fb5c1c6

Network Activity

URLs

URL IP
hxxp://whatismyipaddress.com/66.171.248.172
smtp.mail.ru217.69.139.160

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The HackTool connects to the servers at the folowing location(s):

Strings from Dumps