Trojan.Generic.18896186_bda130dd7f

by malwarelabrobot on June 13th, 2017 in Malware Descriptions.

Trojan.Generic.18896186 (BitDefender), Trojan.Generic.18896186 (B) (Emsisoft), Artemis!BDA130DD7F74 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.Generic.18896186 (FSecure), Downloader.Generic14.BFND (AVG), Win32:Evo-gen [Susp] (Avast), Trojan.Generic.18896186 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: bda130dd7f74b406e19a19ec05eb9a4c
SHA1: cd9e2a6ce3af403066cb7986d92d742e3c93c4d8
SHA256: 3af05454fec110fbb8c7865f08b7dcfc2d328857b1753b78cc6ece87b7494935
SSDeep: 12288:fhKcESypjJ5IXE43z7LAZzNhhqxS pOHpM:5KcESIIX1cZDhnhJM
Size: 449501 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: uBar
Created at: 2016-09-20 18:40:27
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3708

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ONLINE2
Product Name: ?????
Product Version: 4.2.1.0
Legal Copyright: ONLINE2 ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.2.1.0
File Description: oftdc1
Comments: ONLINE2
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 634880 292352 5.54448 8632447432d99ac5eb69644492e48748
.rdata 638976 159744 78848 5.54282 416a82cfd82c5e1ffc477a2ae6181ab1
.data 798720 397312 30208 5.53675 446ffad322f5f5e6b12189933e987c69
.rsrc 1196032 53248 13824 4.81389 4fbb844e78d79cab79d9310bb0cbd527
.aspack 1249280 32768 32768 3.32183 6b8298f0be9cde78222924599a96e079
.adata 1282048 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://z.gds.cnzz.com/stat.htm?id=1254275435
hxxp://z11.cnzz.com/stat.htm?id=1254275435 1.122.192.16
teredo.ipv6.microsoft.com 157.56.120.207
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /stat.htm?id=1254275435 HTTP/1.1
Connection: Keep-Alive
Content-Type:  application/x-www-form-urlencoded
Accept:  */*
Accept-Language:  zh-cn
Referer:  hXXp://z11.cnzz.com/stat.htm?id=1254275435
User-Agent:  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: z11.cnzz.com


HTTP/1.1 200 OK
Server: Tengine
Date: Mon, 12 Jun 2017 17:00:37 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Fri, 21 Oct 2016 11:30:28 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_3708:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
t$(SSh
~%UVW
u$SShe
Hw2.Hw
ole32.dll
urlmon
user32.dll
shell32.dll
RegOpenKeyA
RegEnumKeyA
URLDownloadToFileA
MsgWaitForMultipleObjects
D:\dream
360tray.exe
D:\dream\win1.log
D:\dream\winzb.log
D:\dream\winzye.log
QQPCTray.exe
kxetray.exe
D:\dream\winfy.log
D:\dream\winzyws.log
hXXp://z13.cnzz.com/stat.htm?id=1260082347
C:\Users\Public\Desktop\2345
%Documents and Settings%\All Users\
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Windows
C:\Users\Public\Desktop\
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
D:\dream\2k1
hXXp://t.cn/RtoBpEb
D:\dream\2k2
hXXp://t.cn/RtoB05B
D:\dream\k1
D:\dream\k2
D:\dream\2345pic_lm_509074_v6.3.7488_silent.exe
hXXp://z4.cnzz.com/stat.htm?id=1254275459
D:\dream\zmbd
hXXp://t.cn/RtoB8qc
D:\dream\Baidu_Setup_2.5.200.2102_ftn_1050101128.exe
hXXp://z4.cnzz.com/stat.htm?id=1256550385
D:\dream\zye
hXXp://t.cn/RtoBOQP
D:\dream\LMIns.exe
hXXp://z11.cnzz.com/stat.htm?id=1256550363
D:\dream\dd2b1
hXXp://t.cn/RtoBxTr
D:\dream\dd2b2
hXXp://t.cn/RtoBxsp
D:\dream\dd2b3
hXXp://t.cn/RtoBJKP
D:\dream\dd2b4
hXXp://t.cn/RtoBJeb
D:\dream\dd2b5
hXXp://t.cn/RtoBixf
D:\dream\dd2b6
hXXp://t.cn/RtoBidC
D:\dream\2b1
D:\dream\2b2
D:\dream\2b3
D:\dream\2b4
D:\dream\2b5
D:\dream\2b6
D:\dream\2345explorer_k1252705.exe
D:\dream\2345explorer_k1252705.exe -s1
2345explorer_k1252705.exe
hXXp://z13.cnzz.com/stat.htm?id=1256619493
D:\dream\fy
hXXp://t.cn/RtnjO3k
D:\dream\CFAB801_KAE8CD_HF3681_ECECAB.exe
D:\dream\CFAB801_KAE8CD_HF3681_ECECAB.exe -s
hXXp://z11.cnzz.com/stat.htm?id=1260083193
D:\dream\js1
hXXp://t.cn/RtoBoTj
D:\dream\js2
hXXp://t.cn/RtoBKGx
D:\dream\js3
hXXp://t.cn/RtoB9LU
D:\dream\jss1
D:\dream\jss2
D:\dream\jss3
D:\dream\duba_u44016306_sv1_3_425.exe
hXXp://z13.cnzz.com/stat.htm?id=1256627376
D:\dream\zyws
hXXp://t.cn/RtQQgwN
D:\dream\BlueBox_lgvalkkx_002141_Setup.exe
D:\dream\BlueBox_lgvalkkx_002141_Setup.exe /S
reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f
D:\dream\zyws.bat
<BrowserItem Process="iexplore.exe" Title="hao123
" URL="hXXp://VVV.hao123.com/?tn=95942880_hao_pg" IsLock="TRUE" />
<BrowserItem Process="chrome.exe" Title="hao123
" URL="hXXp://VVV.hao123.com/?tn=96468612_hao_pg" IsLock="TRUE" />
<BrowserItem Process="safari.exe" Title="hao123
<BrowserItem Process="TheWorld.exe.exe" Title="hao123
<BrowserItem Process="sogouexplorer.exe" Title="hao123
<BrowserItem Process="qqbrowser.exe" Title="hao123
<BrowserItem Process="baidubrowser.exe" Title="hao123
<BrowserItem Process="2345explorer.exe" Title="360
" URL="hXXp://hao.360.cn/?src=lm&ls=n6f9da49b8f" IsLock="TRUE" />
<BrowserItem Process="maxthon.exe" Title="hao123
<BrowserItem Process="ucbrowser.exe" Title="hao123
<BrowserItem Process="firefox.exe" Title="hao123
<BrowserItem Process="hao123Juzi.exe" Title="hao123
<BrowserItem Process="Juzi.exe" Title="hao123
<BrowserItem Process="hao123browser.exe" Title="hao123
<BrowserItem Process="liebao.exe" Title="hao123
<BrowserItem Process="360se.exe" Title="360
<BrowserItem Process="360chrome.exe" Title="360
C:\ProgramData\HomeSafe\start_config.xml
%Documents and Settings%\All Users\Application Data\HomeSafe\start_config.xml
hXXp://z4.cnzz.com/stat.htm?id=1260153122
hXXp://z11.cnzz.com/stat.htm?id=1254275435
::0:0@>@>:0:0:
xjj%uI
:0@>@>:0:0:
4qP.rk%
B&.Ct
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MSVFW32.dll
AVIFIL32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
USER32.dll
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
WININET.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
kernel32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvfw32.dll
avifil32.dll
winmm.dll
ws2_32.dll
rasapi32.dll
gdi32.dll
winspool.drv
advapi32.dll
oleaut32.dll
comctl32.dll
wininet.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
@/2222$.
^/22/2222
(*.*)
4.2.1.0

%original file name%.exe_3708_rwx_00531000_00002000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvfw32.dll
avifil32.dll
winmm.dll
ws2_32.dll
rasapi32.dll
gdi32.dll
winspool.drv
comdlg32.dll
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
wininet.dll
RegCloseKey
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
4.2.1.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now