Trojan.Generic.9332028_9e09709e5a
Trojan.Generic.9332028 (B) (Emsisoft), Trojan.Generic.9332028 (AdAware), PUP.Win32.DiabloCrack.FD, PUPDiabloCrack.YR (Lavasoft MAS)
Behaviour: Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9e09709e5adaad4d6754e04858e8e75b
SHA1: 52b7b52f5d1df3c2454150158d0663bef821baf7
SHA256: b376d9e7714d67ae7d8ce459242f7e712dd7b2a890c1221cc888f709e534f7fd
SSDeep: 768:HADfRev5KigUniAvGPpNReuzV6paNkBcOcLcGLsKn6Q:HADJevXlnilDRTp6paNq/1wbn6Q
Size: 24688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: FSGv133Eng_v1, FSGv133Eng_v2, FSGv133, UPolyXv05_v6
Company: Gak
Created at: 1987-09-11 05:35:02
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:600
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\BASSMOD.dll (22 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 7bac2c6f66524cfc55ae91ddf3ece2dd | c:\Windows\System32\BASSMOD.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| (none) | 4096 | 98304 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| (none) | 102400 | 24576 | 24176 | 5.33909 | 258152a0ed5d0a335c0f17c9b66a1c78 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
KERNEL32.dll
Ph%U@
t j4h%U@
SVh%U@
!j4h%U@
Vh%U@
user32.dll
kernel32.dll
WinExec
shell32.dll
ShellExecuteA
gdi32.dll
comctl32.dll
advapi32.dll
RegCreateKeyExA
RegOpenKeyA
RegCloseKey
comdlg32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_DYN_DATA
BASSMOD.dll
c:\regpatch.reg
regedit.exe -s
Failed to export file!
File export OK!
...done!
Exe Files [*.exe]
*.exe
All Files [*.*]
\BASSMOD.dll
[EXPORT FILE]
AudioTX POTS.exe
hXXp://VVV.audiotx.com
this is a experimental patch. since i don't have anyone to test or the resources to test this.. it will state like experimental..you may contact me if something is missing or if worked for you.. i will respond only if i got the time.... just let me know..
Contact: crk2k2@hotmail.com
.text
`.rdata
@.data
.reloc
u.TWWh
winmm.dll
ufmod_player.dll
?!?%?)?-?1?5?9?
22222222
2222222
2222222222
222222222
KEY_CLAS
yqs%u
ux.qW
user32.dql
[URL]
filename.exe
hXXp://diablo2oo2.cjb.net
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:600
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\BASSMOD.dll (22 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.