MD5: 2c6b390d859d50b1d947085a46cd874d
SHA1: c337215806271587c6d05ca74944c0ea6b96a4c6
SHA256: 8dbb92749ac0e03fcd78db9f763c100ef1b66e30786c41a56450851b8b49d709
SSDeep: 6144:Y9owb7su 4ZYfcjxBEwTVti5xovSeVBqh:YDd16tgtDMh
Size: 205312 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-Spy. Spy program intended for stealing user's confidential data.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2748

The Trojan injects its code into the following process(es):

taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
conhost.exe:1648
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9ed3e115.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Atek\qawu.exe (413 bytes)

Registry activity

The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Geys]
"Nuassocyo" = "5E 3C C6 52 64 DD 74 C5 E2 79 0F BD 88 C0 B8 B8"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in WS2_32.dll:

send
WSASend
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
dns.msftncsi.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.reloc

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

SQUVudpzY~k}\fanz

.' 6,7* 9&0

*042 &0<;

'!>8% $-

*'&)'**>

:).6604:90

)"4(7*</

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

.info

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

timeout=%s&value=%s

SSSh,GX

SSSh`GX

SSShR

GetProcessHeap

KERNEL32.dll

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

ExitWindowsEx

MapVirtualKeyW

SetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

11^1w1

6%6U6e6w6

2,2v2

nspr4.dll

SysShadow

Global\XXX

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

e.dat

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ytfe\ukcos.tam

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ytfe

ukcos.tam

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Dwm.exe_1376_rwx_00110000_00028000:

.text

`.data

.reloc

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

SQUVudpzY~k}\fanz

.' 6,7* 9&0

*042 &0<;

'!>8% $-

*'&)'**>

:).6604:90

)"4(7*</

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

.info

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

timeout=%s&value=%s

SSSh,G

SSSh`G

SSShR

GetProcessHeap

KERNEL32.dll

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

ExitWindowsEx

MapVirtualKeyW

SetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

11^1w1

6%6U6e6w6

2,2v2

nspr4.dll

SysShadow

Global\XXX

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

e.dat

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Explorer.EXE_1440_rwx_02D70000_00028000:

.text

`.data

.reloc

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

SQUVudpzY~k}\fanz

.' 6,7* 9&0

*042 &0<;

'!>8% $-

*'&)'**>

:).6604:90

)"4(7*</

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

.info

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

timeout=%s&value=%s

SSSh,G

SSSh`G

SSShR

GetProcessHeap

KERNEL32.dll

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

ExitWindowsEx

MapVirtualKeyW

SetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

11^1w1

6%6U6e6w6

2,2v2

nspr4.dll

SysShadow

Global\XXX

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

e.dat

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

conhost.exe_1648_rwx_001B0000_00028000:

.text

`.data

.reloc

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

SQUVudpzY~k}\fanz

.' 6,7* 9&0

*042 &0<;

'!>8% $-

*'&)'**>

:).6604:90

)"4(7*</

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

.info

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

timeout=%s&value=%s

SSSh,G

SSSh`G

SSShR

GetProcessHeap

KERNEL32.dll

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

ExitWindowsEx

MapVirtualKeyW

SetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

11^1w1

6%6U6e6w6

2,2v2

nspr4.dll

SysShadow

Global\XXX

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

e.dat

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

TPAutoConnect.exe_2160_rwx_00390000_00028000:

.text

`.data

.reloc

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

SQUVudpzY~k}\fanz

.' 6,7* 9&0

*042 &0<;

'!>8% $-

*'&)'**>

:).6604:90

)"4(7*</

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

.info

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

timeout=%s&value=%s

SSSh,G9

SSSh`G9

SSShR

GetProcessHeap

KERNEL32.dll

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

ExitWindowsEx

MapVirtualKeyW

SetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

11^1w1

6%6U6e6w6

2,2v2

nspr4.dll

SysShadow

Global\XXX

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

e.dat

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

conhost.exe_2168_rwx_000B0000_00028000:

.text

`.data

.reloc

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

%sX-ID: %u=%s=%s

X-ID: %u=%s=%s

HTTP/1.1 200 OK

Content-Length: %u

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

SQUVudpzY~k}\fanz

.' 6,7* 9&0

*042 &0<;

'!>8% $-

*'&)'**>

:).6604:90

)"4(7*</

echo "Press any key to run Internet Explorer (32-bit OS)."

"%PROGRAMFILES%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

echo "Press any key to run Internet Explorer (64-bit OS)."

"%PROGRAMFILES(X86)%\Internet Explorer\iexplore.exe" hXXps://bankieren.rabobank.nl/klanten

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

RapportUtil

.info

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.0

urlmon.dll

cabinet.dll

timeout=%s&value=%s

SSSh,G

SSSh`G

SSShR

GetProcessHeap

KERNEL32.dll

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

ExitWindowsEx

MapVirtualKeyW

SetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegEnumKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

11^1w1

6%6U6e6w6

2,2v2

nspr4.dll

SysShadow

Global\XXX

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

e.dat

Global\{946BDEC6-0EA8-1585-1B40-3488A5272D7D}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{02106CE3-BC8D-83FE-1B40-3488A5272D7D}

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2748
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9ed3e115.bat (179 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Atek\qawu.exe (413 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.