Dropped.Generic.Malware.Sdld.C425D330_5241da8711

by malwarelabrobot on November 10th, 2016 in Malware Descriptions.

Dropped:Generic.Malware.Sdld.C425D330 (BitDefender), Trojan:Win32/Bagsu!rfn (Microsoft), Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Trojan.Win32.Luiha.bn (v) (VIPRE), Trojan.Siggen3.61286 (DrWeb), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Generic BackDoor.ww (McAfee), Backdoor.Trojan (Symantec), Trojan-Dropper.Delf (Ikarus), Dropped:Generic.Malware.Sdld.C425D330 (FSecure), BackDoor.Generic14.CFDD (AVG), Win32:IRCBot-EXE [Trj] (Avast), TROJ_GEN.R031C0CK216 (TrendMicro), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, IRC-Worm, IRCBot, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 5241da871170d9dd6ba25a685bc1fbe5
SHA1: e84e892a1c78819edaeeeb50fe0226959e491aa9
SHA256: 93b27330ba3067d5ab3be57885aa7d8097db548f8cb4e533e9be8508e442bc3f
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1VMvoDg3amvsI Wz7UKpz7PJT:IKgI9SGJpU8BQPL9CeVSoDgqmR WzRLT
Size: 1313439 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ??????????? ???????????, 2007-2009
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

Behaviour Description
IRCBot A bot can communicate with command and control servers via IRC channel.


Process activity

The Dropped creates the following process(es):

%original file name%.exe:1672

The Dropped injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1672 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Windows\win32dc\Counter-Strike codes.exe (8907 bytes)
C:\Windows\win32dc\Doom 3 crack.exe (16769 bytes)
C:\Windows\win32dc\Doom 3_fix.exe (11415 bytes)
C:\Windows\win32dc\Doom 3 crack.exe (8281 bytes)
C:\Windows\win32dc\Silent Hill 4_hack.exe (8907 bytes)
C:\Windows\win32dc\Sims 2 cheat.exe (19302 bytes)
C:\Windows\win32dc\Silent Hill 4(hack).exe (19302 bytes)
C:\Windows\win32dc\Counter-Strike_codes.exe (11415 bytes)
C:\Windows\win32dc\Sims 2 serial.exe (19302 bytes)
C:\Windows\win32dc\BattleField 1942_trainer.exe (11415 bytes)

Registry activity

Dropped PE files

MD5 File path
de8daff5530345b5840f0ad11e2e2aee c:\Windows\win32dc\BattleField 1942_trainer.exe
98edfd274338588741192d43b5d4db2a c:\Windows\win32dc\Counter-Strike codes.exe
960519ab486cba95ff577f7af6abc2a9 c:\Windows\win32dc\Counter-Strike_codes.exe
c5a2afb67653e9e3782a77b700069802 c:\Windows\win32dc\Doom 3 crack.exe
29747b2d53986f78d30c34c8f378f871 c:\Windows\win32dc\Doom 3_fix.exe
c7b234b49f3c46a402569995fccb5abc c:\Windows\win32dc\Silent Hill 4(hack).exe
ef34af0f10fefe98c4d1874b1f4e423f c:\Windows\win32dc\Silent Hill 4_hack.exe
9cd6b123f3aebba383bc844260d5d484 c:\Windows\win32dc\Sims 2 cheat.exe
f554fa06f04069230b675825331d8ec7 c:\Windows\win32dc\Sims 2 serial.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 40592 40960 4.37354 4599c8e48266467f9472d9c0076da0aa
DATA 45056 416 512 2.59038 6723f313105be59e8f34015bac1ef0c6
BSS 49152 4493 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 57344 2332 2560 2.95832 1f3c6fef94d61a4d2beebca25d327785
.tls 61440 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 65536 24 512 0.129329 bf98d008e3e41c32258f4ddad0423dfc
.reloc 69632 2396 2560 4.48773 c247e5d4f27055db8d87da84767714bb
.rsrc 73728 1536 1536 2.62048 b115dc78febf3048a6accb9f8efeb1de

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 882
ef2d2eb0996329df1775d6f51f5b214a
f740ff60d0ec233f7e955ede5e77fb83
fe0def9a55452507fdff638358d8a1ff
f4f5bba4d4f4086afbb878c2f541a7e0
f3aa4d1b4394101bf8d3dd967c20f3c3
ecfbd936a27de98dab895d92238b5b78
e6062045d1835907af3dd28ed4e13997
c82648bf52942ee83e639e5019c417e2
c050cd1b809541253ff88ee562eaa9f8
bfa30611ed105bbbaa4fcfda3554507c
bc4f499e10f6550c18eb2735e724e135
b653fa5261b9e7c496d436078e5a54e0
b64d60a1ef01cfe7f7954a2f84d923d3
9dc8f82010d6947f9eb4ca2ef89448c2
9d44bba5914e846bb87f0a768adebcb3
9d90741ff90c9a8c5503909f8f65edca
ad4cd03b5eaeff7c70e29a564f7fba2a
a567fd1311445aefe3897b924bde36cf
a1a2076501ac91abde0ceef2574d8f7e
9b2737ede92e073aa7c93aae769a2dcd
958f0a7ee5d4012536f27b118216e67e
90d2d6104645a20c41cc5565a5469bea
8ae0dbf986d8a093b90cf6e0d9dd064e
8765e4dc9a0f039a5c287ba7b2070b04
80410d3e36eba7f4c898207b506eebe9
7e79c96343b3a37db0259a0a695c593d

URLs

URL IP
irc.lcirc.net 206.41.117.114
time.windows.com 13.80.12.54
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Dropped connects to the servers at the folowing location(s):

%original file name%.exe_1672:

.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1672

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    C:\Windows\win32dc\Counter-Strike codes.exe (8907 bytes)
    C:\Windows\win32dc\Doom 3 crack.exe (16769 bytes)
    C:\Windows\win32dc\Doom 3_fix.exe (11415 bytes)
    C:\Windows\win32dc\Doom 3 crack.exe (8281 bytes)
    C:\Windows\win32dc\Silent Hill 4_hack.exe (8907 bytes)
    C:\Windows\win32dc\Sims 2 cheat.exe (19302 bytes)
    C:\Windows\win32dc\Silent Hill 4(hack).exe (19302 bytes)
    C:\Windows\win32dc\Counter-Strike_codes.exe (11415 bytes)
    C:\Windows\win32dc\Sims 2 serial.exe (19302 bytes)
    C:\Windows\win32dc\BattleField 1942_trainer.exe (11415 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now