Behaviour: PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5d89275fc9d257e3d15d375bfcfd8e1f
SHA1: 1158c31515a261a52e072640f248f2b9b9c10288
SHA256: 59287b948ad9d1a61ce479b8f9d876b64415b3a2d244d4f1529115b888b6e2b1
SSDeep: 6144:lz 92mhAMJ/cPl3iwzkozlx/LVXHSPF0MfM:lK2mhAMJ/cPll97VX1
Size: 212224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID:
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsAda SP3 32-bit
Summary: PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es): No processes have been created.
The Malware injects its code into the following process(es): No processes have been created.
File activity
No files have been created.
Registry activity
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Delete the original Malware file.
Static Analysis
VersionInfo
Company Name:
Product Name: 1.3.9.0.140504.0
Product Version: 1.3.9.
Legal Copyright: (c) 2014 ClientConnect Ltd
Legal Trademarks:
Original Filename: tb_mywebsearch.ex
Internal Name: tb_mywebsearch.ex
File Version: 1.3.9.
File Description: Setup.ex
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
.rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
.data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
.CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
.rsrc | 192512 | 13700 | 13824 | 3.14118 | cbcea9fa4163e21cdbdaa30cebc88663 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 8
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Malware connects to the servers at the following location(s):
Strings from Dumps
Rundll32.exe_3712:
unsecapp.exe_176: