Dropped.Generic.MSIL.PasswordStealerA.066D8F40_1d4670f5f7
Trojan-Dropper.Win32.Delf.efnz (Kaspersky), Dropped:Generic.MSIL.PasswordStealerA.066D8F40 (B) (Emsisoft), Dropped:Generic.MSIL.PasswordStealerA.066D8F40 (AdAware)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1d4670f5f7021ef4a8c94e6da77a8664
SHA1: 9424b6716fa804c7c2afdc0a81d99de496c60aac
SHA256: 2e92426e39d0e31ad4d61f381d55f9c56e4b4d59b2804d0f424945a576722f3a
SSDeep: 98304:W2maRwMHcROZPSTTpFvi7nWwvxhBgERi8ul41hbKoq4xV1LBQdifUiz6og8VWkrl:WbNMXZYiTWwvtNRhh an1LWfiuoxVWkx
Size: 6882304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
%original file name%.exe:3852
xTSR-build.exe:2600
The Dropped injects its code into the following process(es):
Xtsr.exe:2264
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3852 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR.exe (1024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe (356 bytes)
The process xTSR-build.exe:2600 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\System32\Xtsr\Xtsr.exe (2105 bytes)
The process Xtsr.exe:2264 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\logs\04-18-2017 (224 bytes)
Registry activity
The process %original file name%.exe:3852 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Dropped deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process xTSR-build.exe:2600 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASMANCS]
"FileDirectory" = "%windir%\tracing"
To run itself automatically each time Windows boots, the Dropped adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Xtsr" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe"
The process Xtsr.exe:2264 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"MaxFileSize" = "1048576"
Dropped PE files
| MD5 | File path |
|---|---|
| 332b2504d46960fa9c32bd486598337c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe |
| 43fc44105e4540870e36f1ad49b55ca2 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR.exe |
| 332b2504d46960fa9c32bd486598337c | c:\Windows\System32\Xtsr\Xtsr.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 5048 | 5120 | 4.39524 | e5913936857bed3b3b2fbac53e973471 |
| DATA | 12288 | 124 | 512 | 0.77468 | cef89de607e490725490a3cd679af6bb |
| BSS | 16384 | 1685 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 20480 | 770 | 1024 | 2.41029 | 3d2f2fc4e279cba623217ec9de264c4f |
| .tls | 24576 | 4 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 28672 | 24 | 512 | 0.138011 | 467f29e48f3451df774e13adae5aafc2 |
| .reloc | 32768 | 456 | 512 | 4.00868 | 9859d413c7408cb699cca05d648c2502 |
| .rsrc | 36864 | 6873352 | 6873600 | 5.51336 | a31f2be118ec12ed2fb045cc0c202532 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://ip-api.com/json/ | |
| teredo.ipv6.microsoft.com | |
| update.minecraft-alex.ru | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Tue, 18 Apr 2017 09:20:09 GMT
Content-Length: 279

{"as":"AS31561 Pitline Ltd","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""}
GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Tue, 18 Apr 2017 09:20:04 GMT
Content-Length: 279

{"as":"AS31561 Pitline Ltd","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""}
The Dropped connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3852
xTSR-build.exe:2600
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR.exe (1024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe (356 bytes)
C:\Windows\System32\Xtsr\Xtsr.exe (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\logs\04-18-2017 (224 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Xtsr" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.