Gen.Variant.MSILKrypt.11_41a3b21650
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.MSILKrypt.11 (B) (Emsisoft), Gen:Variant.MSILKrypt.11 (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, InstallerInnoSetup.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 41a3b216506a5d101d29a315ccaf6583
SHA1: 2224aed3bb6009fe0df3018422cebbc659ca1aa9
SHA256: fff395dcd71403883707e08fd47aadc4479e86005b10da0be6f67ec43eb6fd9f
SSDeep: 196608:Go/norgNjbCuoPsiVDE5Y5Z57a7747WCr/I:Go/dQPsiZZJGy/I
Size: 7720960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-01-31 11:48:48
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
1.exe:2944
%original file name%.exe:2956
2.exe:440
The Trojan injects its code into the following process(es):
2.tmp:796
wuapp.exe:2600
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 1.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\aZos091\explorer.exe (742 bytes)
The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe (1487 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe (1024 bytes)
The process 2.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8EQLT.tmp\2.tmp (1423 bytes)
Registry activity
The process 1.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"2aZos0912" = "C:\Users\"%CurrentUserName%"\AppData\Local\aZos091\explorer.exe"
The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 9c4f9dd9612fa215dcd6db114c137e94 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe |
| 31fa5823920098fb54bd71bcea4ceca4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe |
| ffcf263a020aa7794015af0edee5df0b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8EQLT.tmp\2.tmp |
| 9c4f9dd9612fa215dcd6db114c137e94 | c:\Users\"%CurrentUserName%"\AppData\Local\aZos091\explorer.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: ipvanish-setup.exe
Internal Name: ipvanish-setup.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 7708020 | 7708672 | 5.54182 | 80416975f89d92b1e4e9fb65712f0f80 |
| .rsrc | 7716864 | 704 | 4096 | 0.491397 | 2bb00d5a2d4297ef1d1bb8490c2ea1b7 |
| .reloc | 7725056 | 12 | 4096 | 0.011373 | 1e06198277f8c9b226bec5fe88fe3a23 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| pool.minexmr.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY BitCoinMiner Cpuminer Login
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
1.exe:2944
%original file name%.exe:2956
2.exe:440
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\aZos091\explorer.exe (742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe (1487 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe (1024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8EQLT.tmp\2.tmp (1423 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"2aZos0912" = "C:\Users\"%CurrentUserName%"\AppData\Local\aZos091\explorer.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
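The manual removal steps above can be scripted against the indicators this report lists. The PowerShell below is an added triage script, not part of the Lavasoft report or of any removal tool: it checks the RunOnce persistence value, stops only processes whose image path is one of the dropped-file paths (so the real explorer.exe is never touched), matches the dropped files by the MD5 values from the "Dropped PE files" table rather than by path alone, and looks for a cached resolution of pool.minexmr.com, the host behind the "Cpuminer Login" Suricata alert. Note that the table gives the same MD5 for Temp\1.exe and aZos091\explorer.exe, so the persisted binary is a copy of 1.exe. It assumes PowerShell 4 or later for Get-FileHash (Windows 7 needs the Windows Management Framework update) and that the script runs as the user whose profile was infected; `-Remove` is a hypothetical switch added here, and without it the script only reports.

```powershell
# Added triage script for the indicators on this page (not the report's own code).
# Report-only by default; pass -Remove to stop processes, delete files and drop the RunOnce value.
[CmdletBinding()]
param(
    [switch]$Remove   # assumption: opt-in cleanup, otherwise only report findings
)

# Indicators copied from this report. Hashes are the MD5 values from the dropped-file table.
$RunOnceKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$RunOnceValue = '2aZos0912'
$MiningPool   = 'pool.minexmr.com'
$KnownMd5 = @{
    '9c4f9dd9612fa215dcd6db114c137e94' = 'Temp\1.exe (also aZos091\explorer.exe)'
    '31fa5823920098fb54bd71bcea4ceca4' = 'Temp\2.exe'
    'ffcf263a020aa7794015af0edee5df0b' = 'Temp\is-8EQLT.tmp\2.tmp'
}
$Paths = @(
    (Join-Path $env:LOCALAPPDATA 'aZos091\explorer.exe'),
    (Join-Path $env:TEMP '1.exe'),
    (Join-Path $env:TEMP '2.exe'),
    (Join-Path $env:TEMP 'is-8EQLT.tmp\2.tmp')
)

$findings = @()

# 1. Running copies: match on the full image path, not the process name, because the
#    dropped file is deliberately named explorer.exe.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $img = $null
    try { $img = $proc.Path } catch { }   # Path can throw for protected/system processes
    if ($img -and ($Paths -contains $img)) {
        $findings += "Running process $($proc.Name) (PID $($proc.Id)) from $img"
        if ($Remove) { Stop-Process -Id $proc.Id -Force }
    }
}

# 2. Persistence: the RunOnce value pointing at aZos091\explorer.exe. Windows deletes a
#    RunOnce value before running it, so after a reboot this check can legitimately be empty.
$props = Get-ItemProperty -Path $RunOnceKey -ErrorAction SilentlyContinue
if ($props -and ($props.PSObject.Properties.Name -contains $RunOnceValue)) {
    $findings += "RunOnce value '$RunOnceValue' -> $($props.$RunOnceValue)"
    if ($Remove) { Remove-ItemProperty -Path $RunOnceKey -Name $RunOnceValue -Force }
}

# 3. Dropped files: verify by MD5 so a benign file that happens to sit at one of these
#    paths is reported but never deleted.
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
    if ($KnownMd5.ContainsKey($md5)) {
        $findings += "Dropped file $p (MD5 $md5, report entry: $($KnownMd5[$md5]))"
        if ($Remove) { Remove-Item -LiteralPath $p -Force }
    } else {
        Write-Warning "$p exists but its MD5 ($md5) is not in the report; leaving it alone"
    }
}

# 4. Network: a cached lookup of the mining pool named in the Suricata alert.
#    Get-DnsClientCache exists on Windows 8 / Server 2012 and later; older hosts use ipconfig.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $hit = [bool](Get-DnsClientCache -ErrorAction SilentlyContinue |
                  Where-Object { $_.Entry -eq $MiningPool })
} else {
    $hit = [bool](ipconfig /displaydns | Select-String -SimpleMatch $MiningPool -Quiet)
}
if ($hit) { $findings += "DNS client cache contains $MiningPool" }

if ($findings.Count -eq 0) {
    'No indicators from this report were found on this host.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

Run it once without `-Remove` to see what matches, then with `-Remove` after confirming the hashes. Because the sample's network indicator is a plain hostname lookup rather than an HTTP request ("Web Traffic was not found"), the DNS cache and a perimeter DNS log are the places to look for the miner having reached its pool; the file and registry checks only show that the dropper ran.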