Trojan.GenericKD.4587730_c5cd7edfaa
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.4587730 (B) (Emsisoft), Trojan.GenericKD.4587730 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c5cd7edfaa76e5f481e1dcecbd0df4ee
SHA1: 39576565fdfa0c4834260b9b30798b67e80613e1
SHA256: c07febe15696e6289d1db8071f8a952811c511f52ef2875280e79b0aad63379e
SSDeep: 24576:qM/JGorGr8N0Z9eVqaOiWFECll8T5nkXYhZ20w6c8UWzRIMaA2hWfRpMTeHUxGnI:wSrVT5wEzxc8UqR92geGcU7uhv
Size: 2508288 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-13 11:24:59
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2956
mTR6hbOp3O.exe:2696
Note that the dropped file mTR6hbOp3O.exe appears above as PID 2696 and is the file registered in the autorun key below, so it was executed even though the sandbox logged no process creation.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mTR6hbOp3O.exe (115422 bytes)
The process mTR6hbOp3O.exe:2696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (38 bytes)
Registry activity
The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 and _RASMANCS keys below are created by Windows itself when a process uses RAS/WinINet networking and are named after the executable's file name, here the sandbox's MD5-based name; together with the ZoneMap changes they are evidence of network activity rather than persistence):
[HKLM\SOFTWARE\Microsoft\CasterDate]
"date" = "25/03/2017"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\c5cd7edfaa76e5f481e1dcecbd0df4ee_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\c5cd7edfaa76e5f481e1dcecbd0df4ee_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\c5cd7edfaa76e5f481e1dcecbd0df4ee_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\c5cd7edfaa76e5f481e1dcecbd0df4ee_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\c5cd7edfaa76e5f481e1dcecbd0df4ee_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\c5cd7edfaa76e5f481e1dcecbd0df4ee_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\c5cd7edfaa76e5f481e1dcecbd0df4ee_RASAPI32]
"FileTracingMask" = "4294901760"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process mTR6hbOp3O.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASAPI32]
"FileDirectory" = "%windir%\tracing"
To run automatically each time the user logs on, the Trojan adds the following value, pointing at the dropped file, to the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KNU8YI62O5" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mTR6hbOp3O.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 0ba28eb22e8e77f433aa9dcf48092580 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\mTR6hbOp3O.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: F9A
Product Name: F9AM69ES
Product Version: 0.1.1.3
Legal Copyright: Copyright (c) 9955
Legal Trademarks:
Original Filename: Palace22.exe
Internal Name: Palace22.exe
File Version: 0.1.1.3
File Description: F
Comments: F9AM69ESO
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 2496840 | 2497024 | 4.16748 | 2afda67ed7c302738ae18fb6a1e925a0 |
| .rsrc | 2506752 | 9848 | 10240 | 3.611 | b898600d2e96bb1e93de9bde5ad4e389 |
| .reloc | 2523136 | 12 | 512 | 0.070639 | 358cec7292662a02b50f706cdd027ad0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://asiasoftwaretools.com/get/3/wizzcaster_v2.exe | |
| hxxp://wizzcaster.com/api/v5/config | |
| hxxp://wizzcaster.com/api/v5/link | |
| dns.msftncsi.com | |
No IP addresses were recorded for this run. dns.msftncsi.com is the Windows Network Connectivity Status Indicator lookup and is not attacker infrastructure.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP (a PE executable was fetched over plain HTTP; of the URLs listed above, wizzcaster_v2.exe is the executable download)
Traffic
Web traffic details were not recorded for this run.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): no processes were logged as created, but end any running instance of mTR6hbOp3O.exe before deleting it.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mTR6hbOp3O.exe (115422 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (38 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KNU8YI62O5" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mTR6hbOp3O.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
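The hunt-and-removal procedure above, together with the persistence indicators from the Registry activity and File activity sections, as an added PowerShell example that is not part of the Lavasoft report: it checks a host for the Run value, the dropped files (verified by hash), running instances of the dropped executable, the original sample by SHA256, and the registry keys the sample created, and removes them only when -Remove is given. The indicator values are copied from the report; the -Remove switch, the variable names and the directories searched for the original sample are this example's own assumptions.

```powershell
# Added example (not from the Lavasoft report): hunt for the indicators the report lists
# and, with -Remove, take them off the host in the order the manual-removal steps require:
# stop the process, drop the autorun value, delete the files, then the registry keys.
# Run from an elevated PowerShell. The -Remove switch, variable names and the directories
# searched in step 4 are this script's assumptions; indicator values come from the report.
[CmdletBinding()]
param(
    [switch]$Remove   # omit for a report-only dry run
)

$DroppedExe = Join-Path $env:LOCALAPPDATA 'Temp\mTR6hbOp3O.exe'
$DroppedCfg = Join-Path $env:LOCALAPPDATA 'Temp\cast.config'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue   = 'KNU8YI62O5'
$ExtraKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\CasterDate',                    # "date" value written by the sample
    'HKLM:\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASAPI32',   # auto-created when the dropped exe
    'HKLM:\SOFTWARE\Microsoft\Tracing\mTR6hbOp3O_RASMANCS'    # used RAS/WinINet: execution evidence
)
$KnownMd5    = @('c5cd7edfaa76e5f481e1dcecbd0df4ee',   # original sample
                 '0ba28eb22e8e77f433aa9dcf48092580')   # dropped mTR6hbOp3O.exe
$KnownSha256 = @('c07febe15696e6289d1db8071f8a952811c511f52ef2875280e79b0aad63379e')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Running instances of the dropped executable. The sandbox PID 2696 means nothing on a
#    real host, so match on the image path via WMI, which does not need a process handle.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ieq $DroppedExe } |
    ForEach-Object {
        $findings.Add("process $($_.ProcessId) $($_.ExecutablePath)")
        if ($Remove) { Stop-Process -Id $_.ProcessId -Force }
    }

# 2. Autorun value: match the value name from the report and, separately, any Run value
#    whose data points at the dropped path, in case a variant renames the value.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        $data = if ($prop.Value -is [string]) { $prop.Value.Trim('"') } else { '' }
        if ($prop.Name -eq $RunValue -or $data -ieq $DroppedExe) {
            $findings.Add("autorun $($prop.Name) = $($prop.Value)")
            if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $prop.Name }
        }
    }
}

# 3. Dropped files. Delete the executable only when its MD5 matches the report, so a
#    benign file that happens to share the name is left alone.
if (Test-Path -LiteralPath $DroppedExe) {
    $md5 = (Get-FileHash -LiteralPath $DroppedExe -Algorithm MD5).Hash.ToLower()
    $known = $KnownMd5 -contains $md5
    $findings.Add("file $DroppedExe md5=$md5 matches_report=$known")
    if ($Remove -and $known) { Remove-Item -LiteralPath $DroppedExe -Force }
}
if (Test-Path -LiteralPath $DroppedCfg) {
    $findings.Add("file $DroppedCfg $((Get-Item -LiteralPath $DroppedCfg).Length) bytes")
    if ($Remove) { Remove-Item -LiteralPath $DroppedCfg -Force }
}

# 4. The original sample. Its on-disk name is unknown (VersionInfo says Palace22.exe; the
#    sandbox ran it under its MD5), so hash only candidates of the reported size, 2508288 bytes.
foreach ($dir in @($env:TEMP, (Join-Path $env:USERPROFILE 'Downloads'))) {
    Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 2508288 } |
        ForEach-Object {
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($KnownSha256 -contains $sha) {
                $findings.Add("original sample $($_.FullName) sha256=$sha")
                if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
            }
        }
}

# 5. Registry keys. The report's c5cd7edfaa..._RASAPI32/_RASMANCS tracing keys are named
#    after the sandbox's file name and will not exist under that name on a real host.
foreach ($key in $ExtraKeys) {
    if (Test-Path -Path $key) {
        $findings.Add("regkey $key")
        if ($Remove) { Remove-Item -Path $key -Recurse -Force }
    }
}

if ($findings.Count -eq 0) { 'no indicators from the report found' }
else { $findings; if ($Remove) { 'removal done, reboot the host' } }
```

Run it once without -Remove to see what matches, then with -Remove from an elevated prompt. The script deliberately does not touch the ZoneMap values or the tracing keys named after the original sample, because those are Windows side effects of network use rather than persistence, and their names on a real host depend on whatever the sample was called when it ran.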