Gen.Variant.Symmi.49705_e0d0a0f4c9



by malwarelabrobot on May 11th, 2017 in Malware Descriptions.

Gen:Variant.Symmi.49705 (BitDefender), Backdoor:Win32/Zegost.BZ (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader24.29133 (DrWeb), Gen:Variant.Symmi.49705 (B) (Emsisoft), GenericR-JMA!E0D0A0F4C985 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan-Downloader.Win32.Agent (Ikarus), Gen:Variant.Symmi.49705 (FSecure), Inject3.CGHI (AVG), Win32:Malware-gen (Avast), Gen:Variant.Symmi.49705 (AdAware), DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: e0d0a0f4c9853c4890e67e11920b28be
SHA1: 2567809417d64c23b69880155ef9fab8fdbb2584
SHA256: 2b68a868e93f177e947749abe2513ce8511b6fab061a4a57c24640faa4c6db6c
SSDeep: 6144:0lLRfO7GXjKss65vFfaVh0oG9EZ9FJhe8B3P2EwaW:Ih 5G9fKhAO9j4EwaW
Size: 258048 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2017-04-20 09:12:03
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3380
Bcse.exe:3416

The Trojan injects its code into the following process(es):

Bcse.exe:3508

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\cd97c775a784abd6fd6a36168e701fa5\Bcse.exe (5096955 bytes)

Registry activity

The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Hijklm Opqstuv Xya]
"Description" = "Hijklmno Qrsvwxy Jklmnopq Stu"

The process Bcse.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum]
"Version" = "7"

Dropped PE files

MD5 File path
1c261745207e83a8e9774468769a3ca4 c:\Windows\System32\cd97c775a784abd6fd6a36168e701fa5\Bcse.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Alpha Applicazione
Product Version: 1, 0, 0, 1
Legal Copyright: Copyright (C) 2017
Legal Trademarks:
Original Filename: MoldyBaby.EXE
Internal Name: Alpha
File Version: 1, 0, 0, 1
File Description: Alpha MFC
Comments:
Language: Italian (Italy)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 6834 8192 3.81406 5ee45a66dc80e104386aaca759559cab
.rdata 12288 4323 8192 2.33194 bc76cc5cde7e855cd5f38d00d53c23f4
.data 20480 228644 229376 5.46854 353f02db39e7dab260b70630214ead39
.rsrc 249856 4504 8192 1.71873 a2b67841317b57e695fcb16f8a88441d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
supes.pw 123.184.33.207


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

Bcse.exe_3508:

.text
`.rdata
@.data
.rsrc
.lyA/l
<4,$?7/'
(3-!0,1'8"5.*2$
MFC42.DLL
MSVCRT.dll
_acmdln
GetProcessHeap
KERNEL32.dll
USER32.dll
Load.dat
MoldyBaby.Application
%X(`,
%C<R9
FH.Np
.UU2?
[,u"-R.tU
xr|
@.LG_
%S;&`
 (.JOx
K.HH>
RDFG(JKJH.aspa*
deflate 1.2.8 C
PL XviD co>c (1.3.0).
t?%d *
gL.PAX
r%s HTTP/
g.gzip
*~fwkey
87''''6543
iX:
f.aqqGVh
t-.hr
dÍ%
%uI(H4p
KeyEx
.buf@DU"
.tY";y
{UrlA#
%%C@k
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSVCP60.dll
NETAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
WININET.dll
WINMM.dll
WS2_32.dll
WTSAPI32.dll
ShellExecuteA
Love.True
Bcse.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
5, 1, 0, 1082
AdobeUpdater.dll
5.1.0.1082 (BuildVersion: 46.278103; BuildDate: Wed Feb 28 2007 17:43:17)
46.278103
1, 0, 0, 1
MoldyBaby.EXE

Bcse.exe_3508_rwx_10001000_0011F000:

v.jBPR
|$@.th
SSSh`
t%SQPJWt
t%UQPJSt
@43434343
hu2.iu
?GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET 
^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.htmlGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.asp
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
This software is derived from the GNU GPL XviD codec (1.3.0).
%d * %d:
%d.%d.%d.%d
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
self.location=
GET %s%s HTTP/1.1
jdfwkey
Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
\Program Files\Internet Explorer\iexplore.exe
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
%s %s%s
%s\%s
Microsoft\Network\Connections\pbk\rasphone.pbk
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
advapi32.dll
RasDialParams!%s#0
%s\shell\open\command
shell32.dll
%s\*.*
Shlwapi.dll
xcopy "%s" "%s" /e /i /y
SendFileSize ERRO CODE : %d
%s%s%s
%s%s*.*
Program Files\Internet Explorer\IEXPLORE.EXE
%s\%s\%s.key
:]%d-%d-%d %d:%d:%d
%s\%s\%d%s
%s\%s.lnk
dwmapi.dll
\cmd.exe
Mozilla/4.0 (compatible)
hXXps://
hXXp://
Oleaut32.dll
Ole32.dll
SOFTWARE\QVMwarePay\%s
kernel32.dll
ntdll.dll
X:X:X:X:X:X
%s %d
%s:%s
@del 3596799a1543bc9f.aqq
afc9fe2f418b00a0.bat
Kernel32.dll
userenv.dll
%s %s
\\.\aeuli
\??\%s\%s.lnk
%s.lnk
%s\%s\%s
Http/1.1 403 Forbidden
HTTP/1.0 200 OK
\termsrv_t.dll
127.0.0.1
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
00000%s
SAM\SAM\Domains\Account\Users\Names\%s
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
drwtsn32.exe
csrss.exe
\termsrv.dll
cmd.exe /c net stop SharedAccess /y && sc delete SharedAccess
%SystemRoot%\system32\termsrv_t.dll
SOFTWARE\Policies\Microsoft\Windows\Installer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
RDP-Tcp
Ýay %dHour %dMin
Win %s SP%d Build %d x86
Win %s SP%d Build %d x64
%d Kb
GetExtendedUdpTable
%s:%d
GetExtendedTcpTable
iphlpapi.dll
OperatingSystem
ParentKeyName
%ddd
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
explorer.exe
nsocket-di:%d
xvid-1.3.2
%d st:%lld if:%d
XviDd%c
supes.pw
Bcse.exe
GetWindowsDirectoryA
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
WinExec
GetProcessHeap
RegEnumKeyExA
RegQueryInfoKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
RegDeleteKeyA
RegCloseKey
ShellExecuteA
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
EnumWindows
ExitWindowsEx
GetAsyncKeyState
GetKeyState
MapVirtualKeyA
keybd_event
InternetOpenUrlA
8>5>5>54
.text
`.rodata
`.rotext
`.rdata
@.data
.rsrc
@.reloc
.tY";y
{UrlA#
%%C@k
""""$$$$&&&&((((****,,,,....00002222444466668888::::<<<<>>>>
#*1892 $
%,3:;4-&
'.5<=6/7>?
"#()01* $%&',-./2389:;4567<=>?
"*2:# 3;
$,4<%-5=
&.6>'/7?


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3380
    Bcse.exe:3416

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\cd97c775a784abd6fd6a36168e701fa5\Bcse.exe (5096955 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
