DeepScan.Generic.Malware.SLNg.DF912DEA_0704f553c4

Trojan.GenericKD.30598445 (BitDefender), Worm:Win32/Cambot.A (Microsoft), Trojan.Win32.Llac.llzl (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), BackDoor.BotSiggen.51 (DrWeb), Trojan.GenericKD.30598445 ...
Blog rating:1.8 out of5 with4 ratings

DeepScan.Generic.Malware.SLNg.DF912DEA_0704f553c4

by malwarelabrobot on June 22nd, 2018 in Malware Descriptions.

Trojan.GenericKD.30598445 (BitDefender), Worm:Win32/Cambot.A (Microsoft), Trojan.Win32.Llac.llzl (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), BackDoor.BotSiggen.51 (DrWeb), Trojan.GenericKD.30598445 (B) (Emsisoft), W32/Generic.worm!p2p (McAfee), ML.Attribute.HighConfidence (Symantec), P2P-Worm.Win32.BlackControl (Ikarus), Trojan.GenericKD.30598445 (FSecure), Win32:Banker-IZK [Trj] (AVG), Win32:Banker-IZK [Trj] (Avast), TSPY_VB_GA250A05.UVPM (TrendMicro), DeepScan:Generic.Malware.SLN!g.DF912DEA (AdAware), GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, P2P-Worm, WormAutorun, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0704f553c46d80e21f1e7b498f3545cc
SHA1: 2b900e3e6626855bf8e0d25f32a0439564570c06
SHA256: 77138029cb7ab443afd219deb7d0ebdaf2e0dabdaf8b8e15ca96222ad203e263
SSDeep: 3072:3Hjk 0oLnWFnzBHv/xWFsg8WatFBGFVWPE5ac0pG/1z QVMbg1d:Xo/BHng5HaVG4G/1z QVMbg1d
Size: 202696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: Crawler.com, LLC
Created at: 2011-06-29 03:05:34
Analyzed on: Windows7 SP1 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The DeepScan creates the following process(es):

%original file name%.exe:3940

The DeepScan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3940 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe (60060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\JNPEXYM8RIU5I (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ag58fpqon.exe.jpg (18300 bytes)

Registry activity

The process %original file name%.exe:3940 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"

To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"

Dropped PE files

MD5 File path
d6f506d83193d21db84e7890cbc5a1ca c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ag58fpqon.exe.jpg
d6f506d83193d21db84e7890cbc5a1ca c:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 189928 192512 4.47684 66c3b26fe4151f9acbcac382daaaf952
.data 196608 9180 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 208896 16 4096 0 620f0b67a91f7f74151bc5be745b7110

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://migsel.com/system/classes/alive.php?key=Blackshades_Key&pcuser=adm&pcname=WIN-UK0FFOO83I6&hwid=10F5F7ED&country=United States 95.128.128.129
hxxp://migsel.com/system/classes/fg.php?key=Blackshades_Key 95.128.128.129


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VirTool-Win32-VBInject.gen-FA Reporting

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3940

  2. Delete the original DeepScan file.
  3. Delete or disinfect the following files created/modified by the DeepScan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe (60060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\JNPEXYM8RIU5I (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ag58fpqon.exe.jpg (18300 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Average: 1.8 (4 votes)

x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now