Gen.Variant.Application.Razy.62899_c6c95ad804

by malwarelabrobot on March 28th, 2017 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.Sokuxuan.gen (Kaspersky), Gen:Variant.Application.Razy.62899 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: c6c95ad80483ce6c13c6da1474f3c0e0
SHA1: b47e4ef7ef399320e36669f43c9bfb81f995d88c
SHA256: 99343e9c869d284331fcefb334a2bb4e72426580e98b9acb91b277aedb309b06
SSDeep: 24576: J2MdazmND9jeSDjPblXiZNOdgyVG4SZuMALkPXT:dMMzKiSDjhXQajS/ALkvT
Size: 1492992 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-13 14:44:39
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
No code injection was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys", the Trojan monitors and controls operations on the system registry by installing a registry notification callback.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1147503 1147904 4.30283 c8e6b841b47407b80590fd32bfe49216
.rdata 1155072 250632 250880 3.302 7ef0487f1b34e17be881c8ef93adb6de
.data 1409024 58124 31232 3.60055 dbb5f3c1860a3d07e8813a0181d6a07e
.rsrc 1470464 488 512 3.30772 bc0a992bcfbef2cc29fb6c19f25f5374
.reloc 1474560 61396 61440 4.52964 d11292eb2f2d27e0246ceb29e700f2e6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Abnormal User-Agent No space after colon - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Delete the original Trojan file.
  3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
