MD5: b9c21ff7ad4180f71e07e293b7fc1e0a
SHA1: 0eb4114ae4d16d23e84fa607a1e6c033e9bddfa7
SHA256: d80310025c4ae04b22b3c60f3d1d5170a7f1f79848b8907209c1d227528f5e4d
SSDeep: 12288:BEDi/pjXb8KWvvPtSeMvleMEWzihphThg4vVNcAwSuOSKtPY3:BmGG7v3wvjEpPAOsFn73
Size: 814858 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: InstallShield Software Corporation
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan-Banker creates the following process(es):
No processes have been created.
The Trojan-Banker injects its code into the following process(es):

%original file name%.exe:3628

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3628 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3628-0.jpg (80 bytes)

The Trojan-Banker deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3628-0.jpg (0 bytes)

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.2
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name: Cheat Engine Trainer
File Version: 1.8.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
teredo.ipv6.microsoft.com	157.56.106.189
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan-Banker connects to the servers at the folowing location(s):

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

Proportional

MAPI32.DLL

PasswordChar

OnKeyDown

OnKeyPresslHC

OnKeyUp

ssHorizontal

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

AutoHotkeysTvD

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState8xD

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

There was an error while trying to read the trainer. Or the file got changed(like a exe-compresser), or you're using an old unpatched version of win 95 or earlier

.undo

undefined hotkey

Kernel32.dll

PSAPI.dll

TProcessHandlerU

No kernel32.dll loaded

Failed to execute the dll loader

The injection thread took longer than 10 seconds to execute. Injection routine not freed

Failed executing the function of the dll

Addresses.TMP

Memory.TMP

variableType=%d

variablesize=%d

fastscanalignsize=%d

TScanController.firstScan

threadcount=%d

startaddress=%x

memRegionPos=%d

i: %d B=%x S=%x SA=%p

totalProcessMemorySize=%x (%d)

Allocating %xKB for previousMemoryBuffer

Splitting up the workload between %d threads

Blocksize = %x

Creating scanner %d

startregion = %d

stopregion = %d

startaddress = %x

stopaddress = %x

j = %d

leftfromprevious = %x

offsetincurrentregion = %x

maxregionsize = %x

TScanController.execute

Addresses.UNDO

Memory.UNDO

ScanController: Have set AddressFile.size to %d

ScanController: Writing results from scanner %d

ScanController: Freeing scanner %d

Wrong syntax. Include(filename.cea)

00000000

HotkeyHandler

ThotkeythreadS

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

GetCPInfo

version.dll

gdi32.dll

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

shell32.dll

ShellExecuteA

comdlg32.dll

IMAGEHLP.DLL

winmm.dll

;&>/>6???

=!=*=6===

4!4%4)4-4145494K4c4y6}6

3 3$3(3,3034383<3@3

01T1a1

? ?$?(?,?0?4?

1-1P1X1u1}1

? ?,?8?<?[?

9-9O9l9}9

6}7K7

%1S1a1

= =$=(=,=0=

11S1~1

;);?;`;|;

=#='= =/=3=7=;=?=

6(6>6]6|6

8 8$8(8,8084888

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

3333333

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

KWindows

UrlMon

,ProcessHandlerUnit

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Hotkey:

Lines.Strings

Mr_Gamer@HotMail.com

54875678

version="1.0.0.0"

<requestedExecutionLevel level="requireAdministrator"/>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

No help keyword specified.&Cannot change the size of a JPEG image

JPEG error #%d

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Value must be between %d and %d Clipboard does not support Icons

Text exceeds memo capacity/Menu '%s' is already being used by another form

!Cannot change the size of an icon$Unknown picture file extension (.%s)

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

ECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Ancestor for '%s' not found

Cannot assign a %s to a %s

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

Integer overflow Invalid floating point operation

1.8.0.0

hXXp://VVV.cheatengine.org/

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan-Banker file.
   
3. Delete or disinfect the following files created/modified by the Trojan-Banker:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3628-0.jpg (80 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.