MD5: a9e40c3d37e74ed20cf7763408075d9f
SHA1: d7d6e8cc726bdff753506871cfe967f1ef545828
SHA256: 611433a0d9c287daa0c1029545cd1c32f6665d8e6859a5197a7c66cfe9ca77a9
SSDeep: 6144:76SyRGg5KaU1s6hzLKwT5jyLLPD4QBU22K6vlhHQe:x5wZu2gVb
Size: 199169 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-Spy. Spy program intended for stealing user's confidential data.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2748

The Trojan injects its code into the following process(es):

taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
conhost.exe:1648
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Erukhe\quwuy.exe (399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp457008e2.bat (179 bytes)

Registry activity

The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Ifaq]
"Uvhipeq" = "06 D7 B1 86 F6 99 C4 32 64 6C F6 B7 9C 94 8B C1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in WS2_32.dll:

send
WSASend
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.reloc

6%6.6;6#6

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

hXXp://VVV.google.com/webhp

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

tp~~9lx6plvqddj.ncfghfc&dp#nhnZ

#'$#7%"'

7* 37 0&0

"#"!/&&6

'!?9 '$-/5

2/b%5#5.

!-"("$.rw?11=&8$&SW

i}mohnlU#T[ 21u^;/.hE>( c9`mf

9(:, !?%-73

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

timeout=%s&value=%s

PR_OpenTCPSocket

.info

SSShl3X

SSShx0X

GetProcessHeap

KERNEL32.dll

MapVirtualKeyW

ExitWindowsEx

MsgWaitForMultipleObjects

SetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

GetKeyboardState

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

0 060@0_0

5 5-5:5^5~5

3!4)454<4

2 2'222?2{2

gnspr4.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SysShadow

Global\XXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Lury\lymyu.ows

C:\Users\"%CurrentUserName%"\AppData\Roaming\Lury

lymyu.ows

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

Dwm.exe_1376_rwx_00110000_00028000:

.text

`.data

.reloc

6%6.6;6#6

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

hXXp://VVV.google.com/webhp

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

tp~~9lx6plvqddj.ncfghfc&dp#nhnZ

#'$#7%"'

7* 37 0&0

"#"!/&&6

'!?9 '$-/5

2/b%5#5.

!-"("$.rw?11=&8$&SW

i}mohnlU#T[ 21u^;/.hE>( c9`mf

9(:, !?%-73

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

timeout=%s&value=%s

PR_OpenTCPSocket

.info

SSShl3

SSShx0

GetProcessHeap

KERNEL32.dll

MapVirtualKeyW

ExitWindowsEx

MsgWaitForMultipleObjects

SetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

GetKeyboardState

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

0 060@0_0

5 5-5:5^5~5

3!4)454<4

2 2'222?2{2

gnspr4.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SysShadow

Global\XXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

Explorer.EXE_1440_rwx_02D70000_00028000:

.text

`.data

.reloc

6%6.6;6#6

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

hXXp://VVV.google.com/webhp

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

tp~~9lx6plvqddj.ncfghfc&dp#nhnZ

#'$#7%"'

7* 37 0&0

"#"!/&&6

'!?9 '$-/5

2/b%5#5.

!-"("$.rw?11=&8$&SW

i}mohnlU#T[ 21u^;/.hE>( c9`mf

9(:, !?%-73

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

timeout=%s&value=%s

PR_OpenTCPSocket

.info

SSShl3

SSShx0

GetProcessHeap

KERNEL32.dll

MapVirtualKeyW

ExitWindowsEx

MsgWaitForMultipleObjects

SetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

GetKeyboardState

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

0 060@0_0

5 5-5:5^5~5

3!4)454<4

2 2'222?2{2

gnspr4.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SysShadow

Global\XXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

conhost.exe_1648_rwx_00120000_00028000:

.text

`.data

.reloc

6%6.6;6#6

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

hXXp://VVV.google.com/webhp

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

tp~~9lx6plvqddj.ncfghfc&dp#nhnZ

#'$#7%"'

7* 37 0&0

"#"!/&&6

'!?9 '$-/5

2/b%5#5.

!-"("$.rw?11=&8$&SW

i}mohnlU#T[ 21u^;/.hE>( c9`mf

9(:, !?%-73

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

timeout=%s&value=%s

PR_OpenTCPSocket

.info

SSShl3

SSShx0

GetProcessHeap

KERNEL32.dll

MapVirtualKeyW

ExitWindowsEx

MsgWaitForMultipleObjects

SetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

GetKeyboardState

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

0 060@0_0

5 5-5:5^5~5

3!4)454<4

2 2'222?2{2

gnspr4.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SysShadow

Global\XXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

TPAutoConnect.exe_2160_rwx_00390000_00028000:

.text

`.data

.reloc

6%6.6;6#6

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

hXXp://VVV.google.com/webhp

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

tp~~9lx6plvqddj.ncfghfc&dp#nhnZ

#'$#7%"'

7* 37 0&0

"#"!/&&6

'!?9 '$-/5

2/b%5#5.

!-"("$.rw?11=&8$&SW

i}mohnlU#T[ 21u^;/.hE>( c9`mf

9(:, !?%-73

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

timeout=%s&value=%s

PR_OpenTCPSocket

.info

SSShl39

SSShx09

GetProcessHeap

KERNEL32.dll

MapVirtualKeyW

ExitWindowsEx

MsgWaitForMultipleObjects

SetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

GetKeyboardState

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

0 060@0_0

5 5-5:5^5~5

3!4)454<4

2 2'222?2{2

gnspr4.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SysShadow

Global\XXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

conhost.exe_2168_rwx_000B0000_00028000:

.text

`.data

.reloc

6%6.6;6#6

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

hXXp://VVV.google.com/webhp

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

tp~~9lx6plvqddj.ncfghfc&dp#nhnZ

#'$#7%"'

7* 37 0&0

"#"!/&&6

'!?9 '$-/5

2/b%5#5.

!-"("$.rw?11=&8$&SW

i}mohnlU#T[ 21u^;/.hE>( c9`mf

9(:, !?%-73

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

timeout=%s&value=%s

PR_OpenTCPSocket

.info

SSShl3

SSShx0

GetProcessHeap

KERNEL32.dll

MapVirtualKeyW

ExitWindowsEx

MsgWaitForMultipleObjects

SetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

GetKeyboardState

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

0 060@0_0

5 5-5:5^5~5

3!4)454<4

2 2'222?2{2

gnspr4.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SysShadow

Global\XXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2748
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\Erukhe\quwuy.exe (399 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp457008e2.bat (179 bytes)

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.