Gen.Variant.Graftor.311803_be458ac03e
Gen:Variant.Graftor.311803 (B) (Emsisoft), Gen:Variant.Graftor.311803 (AdAware), Trojan.Win32.Bumat.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: be458ac03e8a052eb6c6dc4e130de44c
SHA1: e74ecca94abd90d476fa7c1049d29332880d66ad
SHA256: 97174f4c5dd3fc70aa6cd2184caf741f62a1d2fc961ba47b1249ee9ebc4a1afe
SSDeep: 98304:o7P0en3FnGnyh32jjwrV OjkQS7VFTGQA:s0enGnyhGaVBZSnW
Size: 3848448 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-19 16:00:08
Analyzed on: Windows7 SP1 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2936
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: www.GameModding.net
Product Name: ModInstall
Product Version: 1.0.0.0
Legal Copyright: www.GameModding.net
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.1.0.0
File Description: ModInstall 3.0
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 2793472 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 2797568 | 1265664 | 1263104 | 5.49643 | 0f963dff62ce59a79601d7439af4adf0 |
| .rsrc | 4063232 | 77824 | 74752 | 2.13349 | cb8e70395f39a703d3e200112f50a8fb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 713
URLs
| URL | IP |
|---|---|
| hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl | |
| hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== | |
| hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK | |
| hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | |
| hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | |
| hxxp://crl.geotrust.com/crls/secureca.crl | |
| hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK | |
| ssl.google-analytics.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.