Trojan.Generic.20060411_8c7149b753

by malwarelabrobot on January 5th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.20060411 (B) (Emsisoft), Trojan.Generic.20060411 (AdAware)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8c7149b7530269fbb535ca64da117aa6
SHA1: 207504f848cbe2417ae0ea2861aa77e464d61add
SHA256: 054be15a9a88e508b1c1f6e6a6d5efe40e89e2e1d8e90ed2e9a770fd81c6a365
SSDeep: 3072:3fT417fq5TPO qPBGiYSY/kX/FV6lh96qP/RQ9IAkwUXQheofMMyM6MOBAw95adb:vT417fCqPQifYMAv96qP/RQiAkwgQheC
Size: 193536 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-12-19 23:30:18
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1652

The Trojan injects its code into the following process(es):

%original file name%.exe:3656

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:3656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"client" = "c:\%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: File
Product Name: File
Product Version: 1.0.0.0
Legal Copyright: File
Legal Trademarks: File
Original Filename: File.exe
Internal Name: File.exe
File Version: 1.0.0.0
File Description: File
Comments: File
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   8192             191300        191488    4.43228   6393fc6a43b56251f8462f8d3ffde074
.reloc  204800           12            512       0.056519  ba0a61df8d833715db3d10b6202cfa9f
.rsrc   212992           852           1024      1.82251   23df5d9b1127c879498395f91f4c2d3e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hohoangpmy.ddns.net


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3656:

.text
`.reloc
v2.0.50727
System.Runtime.CompilerServices
.ctor
System.Diagnostics
System.Threading
Microsoft.VisualBasic.Devices
System.Windows.Forms
get_ExecutablePath
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
System.CodeDom.Compiler
Operators
Microsoft.Win32
RegistryKey
OpenSubKey
System.Reflection
System.IO
System.Net.Sockets
TcpClient
System.Globalization
System.Net
System.Text
System.Management
System.Collections.Generic
System.IO.Compression
Nuclear Explosion.exe
avicap32.dll
kernel32.dll
ntdll.dll
Ports
.cctor
_CorExeMain
mscoree.dll
hohoangpmy.ddns.net,
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0

%original file name%.exe_3656_rwx_00400000_00008000:

.text
`.reloc
v2.0.50727
System.Runtime.CompilerServices
.ctor
System.Diagnostics
System.Threading
Microsoft.VisualBasic.Devices
System.Windows.Forms
get_ExecutablePath
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
System.CodeDom.Compiler
Operators
Microsoft.Win32
RegistryKey
OpenSubKey
System.Reflection
System.IO
System.Net.Sockets
TcpClient
System.Globalization
System.Net
System.Text
System.Management
System.Collections.Generic
System.IO.Compression
Nuclear Explosion.exe
avicap32.dll
kernel32.dll
ntdll.dll
Ports
.cctor
_CorExeMain
mscoree.dll
hohoangpmy.ddns.net,
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1652

  2. Delete the original Trojan file.
  3. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "client" = "c:\%original file name%.exe"

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
