MD5: d09434dac229e7478a0461c16ab592a4
SHA1: 2c81da4d5811f99dc7c4cc9919074ebe7a37baf3
SHA256: 2c1cf72ea2eee9eef3e840a77585d46e5df456b90ce0f242793379c2a7a18aee
SSDeep: 49152:4AI zmf2yNjqSCwObYrTU4LHk3OuPfEkng5 Pg9odjBFIYnFwE86Ad/r0kX9 y8l:4AI zpyNjq ObYYA2OuPfEkD CFIGFwW
Size: 2760431 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

%original file name%.exe:2948

The Application injects its code into the following process(es):

amtemu.v0.9.2-painter.exe:2504

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process amtemu.v0.9.2-painter.exe:2504 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)

The process %original file name%.exe:2948 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe (19234 bytes)
%Program Files%\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe (37602 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.exe (3727 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (3070 bytes)
%Program Files%\PainteR\ProxyEmu\Uninstall.ini (2 bytes)

The Application deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2948 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxyEmu 0.9.2.0]
"InstallSource" = "c:\"
"DisplayIcon" = "%Program Files%\PainteR\ProxyEmu\Uninstall.exe"
"NoRepair" = "1"
"Language" = "1036"
"InstallDate" = "20170326"
"NoModify" = "1"
"InstallLocation" = "%Program Files%\PainteR\ProxyEmu\"
"DisplayVersion" = "0.9.2.0"
"Publisher" = "PainteR"
"UninstallString" = "%Program Files%\PainteR\ProxyEmu\Uninstall.exe"
"EstimatedSize" = "3745"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxyEmu 0.9.2.0]
"VersionMinor" = "9"
"DisplayName" = "ProxyEmu 0.9.2.0"
"VersionMajor" = "0"

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: PainteR
Product Name:
Product Version:
Legal Copyright: PainteR
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.9.2.0
File Description: ProxyEmu 0.9.2.0 Installation
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
5cb505a9a998b08c634938cfdf85f294

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Application connects to the servers at the folowing location(s):

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2948

2. Delete the original Application file.
   
3. Delete or disinfect the following files created/modified by the Application:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\svcarm.exe (19234 bytes)
   %Program Files%\PainteR\ProxyEmu\amtemu.v0.9.2-painter.exe (37602 bytes)
   %Program Files%\PainteR\ProxyEmu\Uninstall.exe (3727 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (3070 bytes)
   %Program Files%\PainteR\ProxyEmu\Uninstall.ini (2 bytes)

4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.