MD5: 323b8d804782f4c62a74124af458b462
SHA1: c3907bb34e8e49d810c235ae9c2997958ee496e1
SHA256: c53fcba6417b1c8e9285d78d9dae8d08fbdcb8e90ad5675f42e6c6335fa30980
SSDeep: 49152:vXY9jTYkCn2a1rkLdc36FVFM5xSeYTbHY1qHEOCosMvIim/dQS:vo9wjt1oj0SNHY1qHHtssINQS
Size: 2944761 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-01-03 13:34:21
Analyzed on: Windows7 SP1 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1908
Software.exe:1776

The Backdoor injects its code into the following process(es):

254CHEAT CS GO V3.4.exe:2924
svchost.exe:160
iexplore.exe:2996

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

The Backdoor deletes the following file(s):

The process Software.exe:1776 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\254CHEAT CS GO V3.4.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\254CHEAT CS GO V3.4.exe.exe (4 bytes)

The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\WinRAR SFX]
"%" = "\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Software.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\H2h9te]
"254CHEAT CS GO V3.4.exe" = "OK"

[HKCU\Software\XtremeRAT]
"Mutex" = "H2h9te"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

ole32.dll

ntdll.dll

_amsg_exit

RegCloseKey

RegOpenKeyExW

GetProcessHeap

svchost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

<description>Host Process for Windows Services</description>

<requestedExecutionLevel

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

Windows

Operating System

6.1.7600.16385

svchost.exe_160_rwx_10000000_00273000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ShellExecuteW

ntdll.dll

1 1$1(1,10141

dY.LLL\VU

\.Wyn)6h

???.FFF

KWindows

TServerKeylogger

?qB.Yh

%U%zT@

ßw.

p=.bL

.RD$I

R]G%d

2.WwZL

F%s S"n

h#%dS

%Uk*W

.fE8@;\

1W.KHA

.sp4x

t%S\:

.jNx{

x`%xn

.lG6R

%h.Eb

df%dQc

Qf.hU

%F@^#

]4el.vr

.cNEH

.Sva:

-CO%S)e

c.oI{

uRLy

%fLO14

]<.pJ

.TkXd

!).WA

Y:.aV

4{.xDX5`

B.kubo

8kR@NX.Ys,

%dji\

.Es=:

9AI.KTG

7.iBF

~|'%d

yy%Xw

S*M.KV

.GGZq

NY3%D{

6.KCO

F.ch?

|.lMk

[!%%U

.XZ-4e

JkEy'

%xGg)tu

.utYm;.

i~R%U

!n 

.qYz K

 .Xyv~

-^.Tp

k#%U/66h

.WHVU

.gHbFD

je.YJ0F

x;.As4

'.CJO

g<?9X.Ra

k*fTP

].wML

%cH Vx

-%SV>er?@

Ãf5

Za-v}

?.xGazzQ

l.jTR

.Zb?Q

\y.ZL

.ofYE

W$C.pC

%s_ui

.mlyE

%U^JZr

,).QP

.ZHpC

.FjEhu

iPk%cmz

.tWMM

.Ori9

r4F.Ux

E%SCu

.Uo" OS

.hh9G

.dQuDn

Z.iU,!MY%

%CotO_|

\%F@ug

6.QeU

òJgwBG$|

3soi.NfH

`-R.dx&;

NV%Umd

-o}9d

GQ%C(

%XOBP

'2V.NH

7Z0%U}8

-bM}gG

.Bm)w

T%xwV

Z.DiR?

$%sm|

.XDHN

RE%SW

qX.FD

F^%e.vF{

-x}w4

[.Dm}?

@.eAF

G.a%Xh

.Uw&i

.gZ5T

.kN{5|

.wjC.

Q%s"H

O%UCV

P_e%C%

L.Ffq

.eV?Kh

Vo.%X

;!>`269)

W.Coc{C

9/.IA.S

.HJ{2E1

%X{t("

qu%Xl

%; l%FG

;q.UH

`r.gF

f%x 0

g^n.Ng

I%DteG4T

Buv%.f

3h=.Sg&

g{s{ÑWX!

hÊs

I%x 0,

'.HY|2M

4.rq1

U&.oN)

0:.mP

H0;%s

.ws3$

~.pyhh_

{.HNBA

f%FH1

]%f:L

puD.Qc

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

krypton52.hopto.org

C:\ongame

Server.EXE

C:\Wallpapers

{0KU3RWFM-0DA2-1N32-WS86-27VX4HPY22PV}

inal.blogspo

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

al.blogspoHKCU

pro%SERVER%

C:\TIGRE

C:\SkinPack

PTF.ftpserver.com

ftpuser

iexplore.exe_2996:

.text

`.data

.rsrc

@.reloc

Bv.TBv

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_2996_rwx_10000000_00273000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ShellExecuteW

ntdll.dll

1 1$1(1,10141

dY.LLL\VU

\.Wyn)6h

???.FFF

KWindows

TServerKeylogger

?qB.Yh

%U%zT@

ßw.

p=.bL

.RD$I

R]G%d

2.WwZL

F%s S"n

h#%dS

%Uk*W

.fE8@;\

1W.KHA

.sp4x

t%S\:

.jNx{

x`%xn

.lG6R

%h.Eb

df%dQc

Qf.hU

%F@^#

]4el.vr

.cNEH

.Sva:

-CO%S)e

c.oI{

uRLy

%fLO14

]<.pJ

.TkXd

!).WA

Y:.aV

4{.xDX5`

B.kubo

8kR@NX.Ys,

%dji\

.Es=:

9AI.KTG

7.iBF

~|'%d

yy%Xw

S*M.KV

.GGZq

NY3%D{

6.KCO

F.ch?

|.lMk

[!%%U

.XZ-4e

JkEy'

%xGg)tu

.utYm;.

i~R%U

!n 

.qYz K

 .Xyv~

-^.Tp

k#%U/66h

.WHVU

.gHbFD

je.YJ0F

x;.As4

'.CJO

g<?9X.Ra

k*fTP

].wML

%cH Vx

-%SV>er?@

Ãf5

Za-v}

?.xGazzQ

l.jTR

.Zb?Q

\y.ZL

.ofYE

W$C.pC

%s_ui

.mlyE

%U^JZr

,).QP

.ZHpC

.FjEhu

iPk%cmz

.tWMM

.Ori9

r4F.Ux

E%SCu

.Uo" OS

.hh9G

.dQuDn

Z.iU,!MY%

%CotO_|

\%F@ug

6.QeU

òJgwBG$|

3soi.NfH

`-R.dx&;

NV%Umd

-o}9d

GQ%C(

%XOBP

'2V.NH

7Z0%U}8

-bM}gG

.Bm)w

T%xwV

Z.DiR?

$%sm|

.XDHN

RE%SW

qX.FD

F^%e.vF{

-x}w4

[.Dm}?

@.eAF

G.a%Xh

.Uw&i

.gZ5T

.kN{5|

.wjC.

Q%s"H

O%UCV

P_e%C%

L.Ffq

.eV?Kh

Vo.%X

;!>`269)

W.Coc{C

9/.IA.S

.HJ{2E1

%X{t("

qu%Xl

%; l%FG

;q.UH

`r.gF

f%x 0

g^n.Ng

I%DteG4T

Buv%.f

3h=.Sg&

g{s{ÑWX!

hÊs

I%x 0,

'.HY|2M

4.rq1

U&.oN)

0:.mP

H0;%s

.ws3$

~.pyhh_

{.HNBA

f%FH1

]%f:L

puD.Qc

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

krypton52.hopto.org

C:\ongame

Server.EXE

C:\Wallpapers

{0KU3RWFM-0DA2-1N32-WS86-27VX4HPY22PV}

inal.blogspo

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

al.blogspoHKCU

pro%SERVER%

C:\TIGRE

C:\SkinPack

PTF.ftpserver.com

ftpuser

D:\Software.exe

%Program Files%\Internet Explorer\iexplore.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1908
   Software.exe:1776
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\254CHEAT CS GO V3.4.exe (50 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\254CHEAT CS GO V3.4.exe.exe (4 bytes)

4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.