Gen.Trojan.Heur.cuWdhw1lg_a0532ca709
Gen:Trojan.Heur.cuW@!dhw1lg (BitDefender), Trojan.Win32.Agent.wfn (v) (VIPRE), Gen:Trojan.Heur.cuW@!dhw1lg (B) (Emsisoft), RDN/Generic PUP.z (McAfee), Trojan.Gen.2 (Symantec), Gen:Trojan.Heur.cuW@!dhw1lg (FSecure), Win32:Patcher-AK [PUP] (Avast), TROJ_GEN.R00UC0EC317 (TrendMicro), Gen:Trojan.Heur.cuW@!dhw1lg (AdAware), HackTool.Win32.DiabloPatcher.FD, PUPDiabloCrack.YR (Lavasoft MAS)
Behaviour: Trojan, HackTool, PUP
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: a0532ca709d7c51d1afefad223927d94
SHA1: 100e6e5cbbb621d408d140c729ff082a8dc69720
SHA256: d046c9c26419fdb9df49fdb4b8da634c83ea7b941df46f9d09a92eb0f0e3562a
SSDeep: 768:pg3Gr4AT8vY5SzUYRc0f759UkaB3KplhQMIYRV7B4C3jV1RI2r:W35A3gc/aplWMNVeMLRI2r
Size: 32768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Socosokuno
Created at: 2012-12-21 22:59:46
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:4032
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:4032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dup2patcher.dll (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A1D76FF97175BF79025AB7AA1DDF0A2A.dll (7 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 70a3b98d4dcd9c7bf08d228334fbcab4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\A1D76FF97175BF79025AB7AA1DDF0A2A.dll |
| 47eadbcab61ccc502bd13ce28537c15d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\dup2patcher.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 502 | 512 | 3.51015 | 4c584307e5aa70f515ee8c3d942e5f6c |
| .rdata | 8192 | 472 | 512 | 2.96018 | e5aa65265e17d8a1b524adbc10c0a1ad |
| .data | 12288 | 52 | 512 | 0.394392 | f8fedf1be1122ff5cd0e5b4716311cc5 |
| .rsrc | 16384 | 29228 | 29696 | 5.48822 | c78ac12b314676ca0310ed27b6ff202b |
| .reloc | 49152 | 82 | 512 | 0.510189 | 2e6554ffc943448b686d85ad68f9ec9a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
kernel32.dll
\dup2patcher.dll
".3#*6#'
%D-nz
.Fq<!
d-s}/
Nt%xq7b
version="2.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
%original file name%.exe_4032_rwx_10001000_0002B000:
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_DYN_DATA
user32.dll
\bassmod.dll
Exe Files [*.exe]
*.exe
All Files [*.*]
Imagehlp.dll
kernel32.dll
during file attachment export
/setvar <content> : set content of %dup2_cmd_var%
dup2_cmd_var
<>[]|$^!%&/\(){}=?`* -'#.:;,@~"\regpatch.reg
regedit.exe
\pcre.dll
pcre_exec
.text
`.rdata
@.data
.reloc
AddMsg
dup2patcher.dll
backup_switch_patcherdll.dll
Directory Monitor PRO 2.10.8.0
*.exe;*.dll
directorymonitor.com
DevEnterprise.Utility.dll
wintrust.dll
DevEnterprise.DirectoryMonitor.Common.dll
DirectoryMonitor.exe
DirectoryMonitorConsole.exe
DirectoryMonitorService.exe
Plugins\DevEnterprise.DirectoryMonitor.Plugin.Enterprise.dll
wintrust32.dll
WINTRUST.DLL
wintrust64.dll
InstallerHelper.exe
ngenfix.bat
set cl=%WinDir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall
if not defined ProgramFiles(x86) set cl=%cl:64=%
%cl% Plugins\Deventerprise.DirectoryMonitor.Plugin.Enterprise.dll /nologo
for %%a in (DirectoryMonitor DirectoryMonitorConsole DirectoryMonitorService) do %cl% %%a.exe /nologo
del /f /s /q "%WinDir%\Assembly\DevEnterprise.Utility.ni.dll*"
del /f /s /q "%WinDir%\Assembly\DevEnterprise.DirectoryMonitor.Common.ni.dll*"
ren wintrust64.dll xintrust.dll
del /f /q wintrust32.dll
ren wintrust32.dll xintrust.dll
del /f /q wintrust64.dll
del /f /q wintrust.dll
_startDm.bat
fc /b xintrust.dll wintrust%a%.dll>nul
if errorlevel 1 copy /y wintrust%a%.dll xintrust.dll
if not "%*"=="/NoStart" start DirectoryMonitor.exe
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
ShellExecuteExA
GetKeyState
.rdata
.rsrc
[URL]
filename.exe
hXXp://diablo2oo2.cjb.net
[EXPORT FILE]
...done!
'Can not find the file. Search the file?%File is in use -> using rename methodvCan not access the file. Maybe it's in use...
File Export : Failed
File Export : OK
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dup2patcher.dll (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A1D76FF97175BF79025AB7AA1DDF0A2A.dll (7 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.