MD5: b9a7ccaa93b62602da643efd34f361fe
SHA1: 5cbf069ed5f1e41f96f70bbe000b27ef442d1467
SHA256: ed60253c2b23ff1a44ade5c59add87219c6ceea3229fd40aa5f7fd9653a26b04
SSDeep: 6144: MWSaGrkmFrLazBGx c8mOgLBLjcyOItTxS:mGrrLs/ce2cyOItk
Size: 208648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2011-08-14 06:51:21
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3400

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe (953 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mirc (33 bytes)

Registry activity

The process %original file name%.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Svchost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"

[HKCU\Software\Microsoft\Active Setup\Installed Components\{5E197F8B-DAA2-BABD-EDBF-DEFDFDFEBEEB}]
"StubPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5E197F8B-DAA2-BABD-EDBF-DEFDFDFEBEEB}]
"StubPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"HFGW2HEVRP" = "n0$crypter"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"HFGW2HEVRP" = "January 12, 2017"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Svchost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svchost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

`.rsrc

WebHide

bss_server.usrReverseRelay

bss_server.usrRelay

tmrWebHide

bss_server.Socket

mswinsck.ocx

MSWinsockLib.Winsock

modLaunchWeb

C:\Windows\SysWOW64\ieframe.dll

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

winmm.dll

user32.dll

advapi32.dll

shell32.dll

kernel32.dll

avicap32.dll

advpack.dll

GetAsyncKeyState

SetWindowsHookExA

UnhookWindowsHookEx

GetKeyboardLayout

GetKeyboardState

GetKeyState

PSAPI.DLL

SHFileOperationA

CreatePipe

CHAT_ADDMSG

GetTcpTable

ExitWindowsEx

EnumWindows

WinInet.dll

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

ShellExecuteA

keybd_event

VBA6.DLL

C:\Windows\SysWow64\msvbvm60.dll\3

ws2_32.dll

AddMsg

GdiplusShutdown

RemotePort

LocalPort

WSOCK32.DLL

RegCloseKey

RegOpenKeyExA

ntdll.dll

RegCreateKeyA

ole32.dll

crypt32.dll

oleaut32.dll

RegOpenKeyA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

imgLoginPressed

imgLogin

txtPassword

RegDeleteKeyA

RegEnumKeyExA

gdi32.dll

olepro32.dll

InternetOpenUrlA

FtpGetCurrentDirectoryA

FtpGetFileA

FtpPutFileA

FtpSetCurrentDirectoryA

FtpOpenFileA

FtpGetFileSize

FtpDeleteFileA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpRenameFileA

FtpDownload

FtpUpload

FtpGetDirectory

Http_DownloadFile

tmrTCP

UDPSocket

J%Program Files% (x86)\Microsoft Visual Studio\VB98\vbc14663.oca

tmrUDP

UDPFlood

cmdShowfiles

msvbvm60.dll

?8??8??8??8??8?

.QX0WPp

uMsg

strMsg

MsgNum

AllMsgs

lngPort

Port

Password

WebURL

Returns/Sets the port to be connected to on the remote computer

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

.text

`.data

.rsrc

KERNEL32.DLL

MSVBVM60.DLL

*\AC:\Users\Admin\Desktop_old\Blackshades project\Blackshades NET\server\server.vbp

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5

{00020404-0000-0000-C000-000000000046}

4.6.1

\nir_cmd.bss speak text

\nir_cmd.bss setsysvolume 65535

\nir_cmd.bss mutesysvolume 1

\nir_cmd.bss mutesysvolume 0

\nir_cmd.bss screensaver

\nir_cmd.bss monitor off

\nir_cmd.bss monitor on

PORT

TRANSFERPORT

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Keylog

Wscript.Shell

HKEY_CLASSES_ROOT\HTTP\shell\open\command\

\winlogon.exe

iexplore.exe

hXXp://VVV.facebook.com/?ref=home

hXXp://VVV.facebook.com

ADVAPI32.dll

Windows Firewall/Internet Connection Sharing (ICS)

WebCamCapture

\Vuze\Azureus.exe

\LimeWire\LimeWire.exe

\uTorrent\uTorrent.exe

\uTorrent\uTorrent.exe /HIDE

\BitTorrent\bittorrent.exe

\cmd.exe

\data.dat

\steam\steam.exe

nkey

dkey

\MSWINSCK.OCX

regsvr32.exe

\pws_mail.bss

\pws_mess.bss

\pws_cdk.bss

\nir_cmd.bss

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "

:*:Enabled:Windows Messanger" /f

winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2

00000000

winmgmts:\\.\root\cimv2

Select * from Win32_Keyboard

api.ipinfodb.com

GET /v2/ip_query.php?key=

&timezone=off HTTP/1.1

Host: api.ipinfodb.com

GET /v2/ip_query_country.php?key=

Portable

winmgmts:\\.\root\SecurityCenter

\wallpaper.bmp

\wallpaper.jpg

WScript.Shell

WinServer 2003, Web Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

__oxFrame.class__

Scripting.FileSystemObject

Autorun.ini

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

Address family not supported by protocol family.

Operation already in progress.

Operation now in progress.

Socket operation on nonsocket.

Operation not supported.

Protocol family not supported.

Protocol not supported.

Socket type not supported.

Winsock.dll version out of range.

CSocketMaster.SocketExists

CSocketMaster.PostSocket

CSocketMaster.ConnectToIP

CSocketMaster.ResolveIfHostname

CSocketMaster.SendBufferedDataUDP

CSocketMaster.SendBufferedData

mozsqlite3.dll

sqlite3.dll

sqlite3_open

sqlite3_close

sqlite3_prepare_v2

sqlite3_step

sqlite3_finalize

sqlite3_column_text

abe2869f-9b47-4cd9-a358-c22904dba7f7

/stext mess.dat

\mess.dat

/stext mail.dat

\mail.dat

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion

Windows

plc4.dll

SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command

\Mozilla Firefox\

mozcrt19.dll

nspr4.dll

plds4.dll

nssutil3.dll

softokn3.dll

nss3.dll

\Mozilla\Firefox\

profiles.ini

\signons.sqlite

select * from moz_logins

PK11_GetInternalKeySlot

http\shell\open\command

127.0.0.1

\dump.txt

\uTorrent\uTorrent.exe /DIRECTORY

255.255.255.255

finalizarprocessoportas

CONNECT %s:%i HTTP/1.0

SOFTWARE\Classes\http\shell\open\command

Software\Classes\http\shell\open\command

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

code.is.a.winner

Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId

bps1.exe

bhookpl.dll

bnfa.exe

drvloadn.dll

drvloadx.dll

VNCHooks.dll

xr4tdwa.exe

shutdown.exe

TCnRawKeyBoard

HuntHTTPDownload

autorun.inf

hXXps://onlineeast#.bankofamerica.com

winlogon.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

\system32\userinit.exe,

steam.exe

hl.exe

@*\AC:\Users\Admin\Desktop_old\Blackshades project\Blackshades NET\server\server.vbp

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3400
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe (953 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\mirc (33 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Svchost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Svchost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.