Trojan.Crypt.Gen.1_ac201467f6

by malwarelabrobot on July 25th, 2017 in Malware Descriptions.

Trojan.Crypt.Gen.1 (BitDefender), Trojan:Win32/Tinba!rfn (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.PWS.Tinba.161 (DrWeb), Trojan.Crypt.Gen.1 (B) (Emsisoft), Emotet-FGNI!AC201467F60E (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.Win32.Tinba (Ikarus), Trojan.Crypt.Gen.1 (FSecure), Win32:Emotet-AI [Trj] (AVG), Win32:Emotet-AI [Trj] (Avast), TROJ_TINBA.SMH (TrendMicro), Trojan.Crypt.Gen.1 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ac201467f60ee37ac746e4b8d584d410
SHA1: 2634a7aa3662e342436a0ccc91aad7523f3f7e12
SHA256: 14fb966a10774ffd1fb7f6569ccfb1ca24363854cfac8a3ceecaa2e91d69b995
SSDeep: 1536:wgRgWWUD0NGfQpi7MSsiHdfA4qPfUfwgRgHctK24sRx odp:DGWWUDsiHgEDGPodp
Size: 72445 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: Delarularo
Created at: 2013-11-05 00:22:38
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1796

The Trojan injects its code into the following process(es):

taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
conhost.exe:1648
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1796 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF54288F61999D1C1B.TMP (0 bytes)

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

ZwResumeThread
NtQueryDirectoryFile
ZwEnumerateValueKey
ZwCreateUserProcess
NtCreateThread
ZwCreateProcessEx

Propagation

VersionInfo

Company Name: REW is room acoustics analysis software for measuring
Product Name: REW is room acoustics analysis software for measuring
Product Version: 1.00
Legal Copyright: REW is room acoustics analysis software for measuring
Legal Trademarks: REW is room acoustics analysis software for measuring
Original Filename: TextConv.exe
Internal Name: TextConv
File Version: 1.00
File Description: REW is room acoustics analysis software for measuring
Comments: REW is room acoustics analysis software for measuring
Language: Language Neutral

The VersionInfo block is written by whoever builds the binary and says nothing about provenance: the description fields here are copied from the blurb of an unrelated room-acoustics analysis tool, and the product name does not match the internal name TextConv.

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text  4096             37284         40960     3.42003  0a2de5af433f99992ce343c0acd16fbb
.data  45056            8928          0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc  57344            10756         12288     3.46607  72cee484c9187f145c073e98be0659c4
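Two things in that table are worth reading correctly. The .data row has a raw size of 0, so its MD5 d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of empty input (the section is uninitialised data and carries no file content to hash). And entropy around 3.4 in .text and .rsrc is far below what packed or encrypted code produces, which agrees with the "Not Packed" verdict and the Visual Basic 5/6 PEiD signature rather than the UPolyX heuristic hit. The following is an added example, not code from the report or from Lavasoft: it walks the section table of a PE image and reproduces the columns above (virtual address and size, raw size, Shannon entropy, MD5) from the raw bytes. The analysed binary is not available here, so the input is a constructed PE-shaped buffer with the same three section names and the same SizeOfRawData = 0 for .data; section contents are synthetic.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input,
    8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    hash/measure each section's raw bytes, the way the table above was built."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt_hdr
    rows = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        raw = image[rptr:rptr + rsize] if rsize else b""
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
            # No raw bytes but a non-zero virtual size = uninitialised data
            # (the MD5 is then simply the MD5 of the empty string).
            "uninitialised": rsize == 0 and vsize > 0,
        })
    return rows


def build_sample_image() -> bytes:
    """Constructed PE-shaped buffer, not the analysed binary: same three
    section names and the same SizeOfRawData = 0 for .data."""
    sections = [
        (b".text", 37284, 0x1000, bytes(range(256)) * 4),  # uniform bytes -> entropy 8.0
        (b".data", 8928, 0xB000, b""),                      # uninitialised
        (b".rsrc", 10756, 0xE000, b"\x00" * 512),           # constant bytes -> entropy 0.0
    ]
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20            # SizeOfOptionalHeader is 0 in this buffer
    raw_base = table + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    body = b""
    for name, vsize, vaddr, raw in sections:
        rptr = raw_base + len(body) if raw else 0
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(hdr) + body


if __name__ == "__main__":
    for row in parse_sections(build_sample_image()):
        print(row)
```

Run the same parser over the real sample to check the report's numbers; a mismatch between the section MD5s and the table above means a different file than the one described.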

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
dfa8ff4f1117fa4fcf462c23ebaff710
b07db8e583db35604ea4c96445bf2c70
c67ab1e9621872e1322e59da32c0aad0
d99b99a75d44ae96a696d42d53268410
b7673648cf6f844c3d26393d9e7e5a80

URLs

URL IP
hxxp://recdataoneveter.cc/vet7sdfh678sdjjs7er0k/ 216.218.185.162


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Tinba Checkin 2

Traffic

POST /vet7sdfh678sdjjs7er0k/ HTTP/1.0
Host: recdataoneveter.cc
Content-Length: 157

........#.........GM...............a[.A.M.O.N..`DR.\..N'8.rS.D..O.....G.G/"..%v.'......].......ww...X..-..U....."....p..q...>........O0...
....,V4.....@".-o
HTTP/1.1 200 OK
Server: nginx/1.11.6
Date: Mon, 24 Jul 2017 16:15:08 GMT
Content-Type: application/octet-stream
Connection: close
ZHTTP/1.1 200 OK..Server: nginx/1.11.6..Date: Mon, 24 Jul 2017 16:15:0
8 GMT..Content-Type: application/octet-stream..Connection: close..Z..
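The capture above has the traits a beacon usually shows: a POST over HTTP/1.0 to a single opaque path segment, no User-Agent and no Content-Type on the request, a short body that is not printable text, and a 200 reply typed application/octet-stream with a one-byte body. The following is an added example, not code from the report, from Lavasoft or from the Emerging Threats ruleset (the body of the "ET TROJAN Tinba Checkin 2" signature is not reproduced here): it parses a raw HTTP request/response pair and scores it against those traits, with a constructed benign form-login POST as a control. The request line, headers and response headers are the captured ones; the 157-byte body is synthetic, because the real body is opaque, and the scoring threshold of 4 is a judgement call for this example rather than a tuned value.

```python
# Constructed traffic for this example. The request line and headers are the
# ones captured above; the 157-byte body and the benign control request are
# synthetic (the real body is opaque and is not reproduced here).
CHECKIN_BODY = bytes(range(128, 256)) + bytes(range(29))   # 157 bytes, almost none printable
CHECKIN_REQUEST = (b"POST /vet7sdfh678sdjjs7er0k/ HTTP/1.0\r\n"
                   b"Host: recdataoneveter.cc\r\n"
                   b"Content-Length: 157\r\n"
                   b"\r\n" + CHECKIN_BODY)
CHECKIN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                    b"Server: nginx/1.11.6\r\n"
                    b"Date: Mon, 24 Jul 2017 16:15:08 GMT\r\n"
                    b"Content-Type: application/octet-stream\r\n"
                    b"Connection: close\r\n"
                    b"\r\nZ")
BENIGN_REQUEST = (b"POST /login HTTP/1.1\r\n"
                  b"Host: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 22\r\n"
                  b"\r\nuser=alice&pass=hunter")
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def parse_http(raw: bytes):
    """Split one HTTP message into (start-line fields, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline; 1.0 for empty input."""
    if not data:
        return 1.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def checkin_indicators(request: bytes, response: bytes) -> dict:
    """Score one request/response pair against the traits of the captured beacon.
    The threshold of 4 is a judgement call for this example, not a tuned value."""
    (method, path, version), req_h, req_body = parse_http(request)
    (_, status, _), resp_h, resp_body = parse_http(response)
    ind = {
        "post_over_http10": method == "POST" and version == "HTTP/1.0",
        "no_user_agent": "user-agent" not in req_h,
        "no_content_type": "content-type" not in req_h,
        "opaque_body": printable_ratio(req_body) < 0.5,
        "octet_stream_reply": status == "200" and resp_h.get("content-type") == "application/octet-stream",
        # a single long path segment with no file name or extension, like /<token>/
        "opaque_path_token": path.count("/") == 2 and path.endswith("/") and len(path) > 12,
    }
    score = sum(ind.values())
    ind["score"] = score
    ind["suspected_checkin"] = score >= 4
    return ind


if __name__ == "__main__":
    print(checkin_indicators(CHECKIN_REQUEST, CHECKIN_RESPONSE))
    print(checkin_indicators(BENIGN_REQUEST, BENIGN_RESPONSE))
```

Each trait on its own is weak (HTTP/1.0 POSTs without a User-Agent also come from some legitimate tooling), so a hit on the traffic shape should be paired with the concrete indicators from this report, the host recdataoneveter.cc and the address 216.218.185.162, and both should be treated as July 2017 observations that may have been reassigned since.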


The Trojan connects to the servers at the following location(s):

recdataoneveter.cc (216.218.185.162)

Strings from Dumps

Each dump below is named <process>_<pid>_<protection>_<base address>_<size>; every injected region is a 0x6000-byte allocation mapped read-write-execute.

taskhost.exe_872_rwx_00580000_00006000:

RegCreateKeyExA
RegEnumKeyExA
RegCloseKey
CryptDestroyKey
CryptImportPublicKeyInfo
NtEnumerateValueKey
t%x#;E
recdataoneveter.cc
c:\%original file name%.exe
DeleteUrlCacheEntryA
GetUrlCacheEntryInfoA
HttpQueryInfoA
HttpAddRequestHeadersA
HttpAddRequestHeadersW
HttpSendRequestA
HttpSendRequestW
8.rdat
>HTTP
8HTTP
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

The other injected regions contain exactly the same strings as taskhost.exe_872_rwx_00580000_00006000 above; only the host process, PID and base address differ:

Dwm.exe_1376_rwx_00110000_00006000
Explorer.EXE_1440_rwx_01C50000_00006000
Explorer.EXE_1440_rwx_02D90000_00006000
conhost.exe_1648_rwx_00070000_00006000
TPAutoConnect.exe_2160_rwx_00310000_00006000
conhost.exe_2168_rwx_000B0000_00006000


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1796

  3. Delete the original Trojan file.
  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

Terminating the original process is not enough on its own: the dynamic analysis above shows the payload injected into taskhost.exe, Dwm.exe, Explorer.EXE, conhost.exe and TPAutoConnect.exe, with user-mode hooks in ntdll.dll, and those copies keep running until the reboot in step 5. After the reboot, confirm that the hooks listed under Rootkit activity are gone and that no traffic to recdataoneveter.cc / 216.218.185.162 recurs.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
