Backdoor.Win32.Xtrat_b9b91a1f64

by malwarelabrobot on May 21st, 2017 in Malware Descriptions.

Gen:Variant.Zusy.235964 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Starter.2890 (DrWeb), Gen:Variant.Zusy.235964 (B) (Emsisoft), GenericRXBM-AB!B9B91A1F6422 (McAfee), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Zusy.235964 (FSecure), Generic38.BLSJ (AVG), Win32:Malware-gen (Avast), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: b9b91a1f6422b361f5331f2c0999e089
SHA1: 3da301055b98ba3900ba5e3e765468974a34d10d
SHA256: 4a2899ce25de8f7f795621d6ce80f7b70049f9a14d712f632361d55be8c3b4d6
SSDeep: 6144:behVBpJIIMM9YShcxEpHBtwUCv1ptOboIdJf7zW1vr2fb5jFG6S6S R3xXdAUY:b63WIveeIzIvzW1vKRFG63R3hdAH
Size: 330346 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-05-02 18:11:16
Analyzed on: Windows7 SP1 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:3700

The Backdoor injects its code into the following process(es):

calc.exe:1804

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process calc.exe:1804 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Windows\InstallDir\Server.exe (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\CA2xd91.dat (308 bytes)

Registry activity

The process calc.exe:1804 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{T5E6TC2B-S8JR-368R-KP14-6F2IKR0M1BYH}]
"StubPath" = "C:\Windows\InstallDir\Server.exe restart"

[HKCU\Software\CA2xd91]
"ServerStarted" = "20/05/2017 05:28:19"

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\calc_RASMANCS]
"FileTracingMask" = "4294901760"

"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "C:\Windows\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "C:\Windows\InstallDir\Server.exe"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:3700 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "CA2xd91"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version: 1.555.555.55
Legal Copyright:
Legal Trademarks:
Original Filename: WindowsApplication1.exe
Internal Name: WindowsApplication1.exe
File Version: 1.555.555.55
File Description:
Comments:
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	176216	176640	4.97726	4490e5b0bad195b2022e92a04c694600
.reloc	188416	12	512	0.070639	d2a4d8d444d28322d8d2dd8b0d2532f1
.rsrc	196608	107448	107520	5.18402	9a8f445b44155bf6044ec3d39d237f3c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

calc.exe_1804:

.text

`.data

.rsrc

@.reloc

SHELL32.dll

SHLWAPI.dll

gdiplus.dll

ADVAPI32.dll

ntdll.DLL

OLEAUT32.dll

UxTheme.dll

ole32.dll

COMCTL32.dll

KERNEL32.dll

USER32.dll

RPCRT4.dll

WINMM.dll

VERSION.dll

GDI32.dll

msvcrt.dll

j.KXK

FTPWSjr

FtPWSjP

SSShG

.u&SSh

Invalid parameter passed to C runtime function.

WindowsCodecs.dll

ntdll.dll

ShellExecuteExW

GdiplusShutdown

RegEnumKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegCreateKeyExW

RegCloseKey

GetProcessHeap

EnumChildWindows

EnumDesktopWindows

GetKeyState

__crtGetStringTypeW

__crtLCMapStringW

_acmdln

_amsg_exit

calc.pdb

name="Microsoft.Windows.Shell.calc"

version="5.1.0.0"

<description>Windows Shell</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

KEYWp

>6441111,5

.Zu,]

>z.jO`

.nsEm

5Url]GOqE

6"%CM

B<$$.HpB

W.Ft6#

9 9(9-949@9

5(5.575=5

99x9

; ;%; ;1;

<%<*<0<6<

5%5S5

^[\ \-]?{\d*}\%c?{\d*}(e[\ \-]?{\d*})?\b*$

USER32.DLL

hXXp://VVV.microsoft.com/applets/calc/templates/v1

xmlns:calcTemplate='hXXp://VVV.microsoft.com/applets/calc/templates/v1'

\StringFileInfo\xx\OriginalFilename

\sppsvc.exe

\slui.exe

\sppuinotify.dll

imageres.dll

datetime_operation

Software\Microsoft\Windows\CurrentVersion\Applets\

mshelp://windows/?id=f15f7d3e-ee9c-465a-a7e8-4e6af5cfee5d

ErrorCode: %d, Line: %d Column: %d; Error: %s

^{[\ \-]?}{\d*\%c?\d*}({e}[\ \-]?{\d*})?$

kernel32.dll

Microsoft-Windows-Calculator/Diagnostic

Microsoft-Windows-Calculator/Debug

Windows Calculator

6.1.7601.17514 (win7sp1_rtm.101119-1850)

CALC.EXE

Windows

Operating System

6.1.7601.17514

calc.exe_1804_rwx_10000000_0004D000:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

5.4.7

u2.5.4.8

u2.5.4.9

u2.5.4.6

u2.5.4.4

 juXqhu2.iu

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

RegCreateKeyW

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

URLD!M

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

x4everx.myq-see.com

Server.exe

calc.exe

{T5E6TC2B-S8JR-368R-KP14-6F2IKR0M1BYH}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2.8.3

PTF.ftpserver.com

ftpuser

c:\%original file name%.exe

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:3700
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:

C:\Windows\InstallDir\Server.exe (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\CA2xd91.dat (308 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "C:\Windows\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "C:\Windows\InstallDir\Server.exe"
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.