Trojan.NSIS.StartPage_da8649ef5e

by malwarelabrobot on April 8th, 2017 in Malware Descriptions.

not-a-virus:Downloader.Win32.Solimba.b (Kaspersky), DownloadMR (fs) (VIPRE), Trojan.Solimba.37 (DrWeb), Application.AdLoad (A) (Emsisoft), Artemis!DA8649EF5E69 (McAfee), Trojan.Gen.2 (Symantec), Trojan.MSIL.Injector (Ikarus), Bechiro SL (AVG), Win32:Morstar-T [PUP] (Avast), TROJ_GEN.R00XC0FCR17 (TrendMicro), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, PUP


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: da8649ef5e6952314cb7a68296def60a
SHA1: 2b53e6ffab202962020450da515ef810631e00a0
SHA256: 29724ac0b781a3d97a202dbb2fbb41b97999472c8a8573da058259457e8e9ed6
SSDeep: 6144:jsaocyLCuL RUiyOiJ2/o45tHAYbAmdQ5AIqUloXos7HzN:jtobpEBDAURdDIqHY6h
Size: 278088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-05 20:21:23
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1704
ns15C4.tmp:2748

The Trojan injects its code into the following process(es):

250cb8e0-d9b8-11e2-a752-00259033c1da.exe:2296
installer5.exe:3420

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1507.tmp (8196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\ns15C4.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\installer5.exe (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\nsExec.dll (20 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1506.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp (0 bytes)

The process installer5.exe:3420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1A43.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_B98B22DC6E1BE0F7FBDA9800AA963E01 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 (696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3048.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1A44.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\250cb8e0-d9b8-11e2-a752-00259033c1da.exe (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_B98B22DC6E1BE0F7FBDA9800AA963E01 (696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3047.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1A45.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B (1008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1A46.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1A43.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3048.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1A44.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3047.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1A45.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1A46.tmp (0 bytes)

The process ns15C4.tmp:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\installer5.exe (221 bytes)

Registry activity

The process installer5.exe:3420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 85 FE F1 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"91C6D6EE3E8AC86384E548C299295C756C817B81"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

Dropped PE files

MD5 File path
22371a8f60488d167c752cf965f25237 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\250cb8e0-d9b8-11e2-a752-00259033c1da.exe
029162f299af12e48fc5ffde104766e2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\installer5.exe
beb860b900dab197156c5354da55bf3b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\ns15C4.tmp
9f4abe9c1c095cdb505df5db52644d44 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\nsExec.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Google Earth
Product Version:
Legal Copyright: AppInstaller 2013 (132050450)
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.0.16.0
File Description: Google Earth AppInstaller
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 34884 35328 4.14077 49b0a05e59cfe2eb146863465a7f35bb
.data 40960 140 512 0.818128 df0ef3a0da7e22c790a62c5869d70520
.rdata 45056 9108 9216 4.08895 91271e59f4470886a512444b74613d7b
.bss 57344 109520 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 167936 4868 5120 3.63012 5f39890d9696ebf98517ebe318287e41
.ndata 176128 36864 1024 0 0f343b0931126a20f133d67c2b018a3b
.rsrc 212992 17832 17920 3.1842 35f9a3faa501627f06a4e8613d816748

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 60

URLs

URL IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://e6845.dscb1.akamaiedge.net/ThawtePCA.crl
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0=
hxxp://downloadmr.com/installer/250cb8e0-d9b8-11e2-a752-00259033c1da/9041507/config
hxxp://crl.thawte.com/ThawtePCA.crl 23.46.117.163
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= 23.46.123.27
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 62.140.236.170
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0= 23.46.123.27
hxxp://api.downloadmr.com/installer/250cb8e0-d9b8-11e2-a752-00259033c1da/9041507/config 50.28.32.162
dns.msftncsi.com 131.107.255.255
cs-g2-crl.thawte.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET USER_AGENTS Suspicious User-Agent (DownloadMR)

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEHONysaXwG4bidEGBzdzAQ0= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1437
content-transfer-encoding: binary
Cache-Control: max-age=554522, public, no-transform, must-revalidate
Last-Modified: Thu, 6 Apr 2017 23:02:02 GMT
Expires: Thu, 13 Apr 2017 23:02:02 GMT
Date: Fri, 07 Apr 2017 13:00:00 GMT
Connection: keep-alive

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Tue, 28 Feb 2017 17:51:01 GMT
Accept-Ranges: bytes
ETag: "80b03039eb91d21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 52122
Date: Fri, 07 Apr 2017 12:59:39 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2

GET /ThawtePCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.thawte.com


HTTP/1.1 200 OK
Server: Apache
ETag: "9a0c909d0279c1bbdf66260ef952850c:1490320987"
Last-Modified: Fri, 24 Mar 2017 02:01:25 GMT
Date: Fri, 07 Apr 2017 12:59:54 GMT
Content-Length: 537
Connection: keep-alive
Content-Type: application/pkix-crl

GET /installer/250cb8e0-d9b8-11e2-a752-00259033c1da/9041507/config HTTP/1.1
User-Agent: DownloadMR/3.0.16 (MSIE 9.0; Windows NT 6.1.7601 SP1; .NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0; T132050450S1021cea8321c5d80cd193bfa5920ef; m=VMware Virtual Platform; northstar)
Accept-Language: en-US
Host: api.downloadmr.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Fri, 07 Apr 2017 13:00:23 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Location: hXXp://ww12.downloadmr.com
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1504
content-transfer-encoding: binary
Cache-Control: max-age=579562, public, no-transform, must-revalidate
Last-Modified: Fri, 7 Apr 2017 05:57:09 GMT
Expires: Fri, 14 Apr 2017 05:57:09 GMT
Date: Fri, 07 Apr 2017 12:59:58 GMT
Connection: keep-alive

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1704:

.text
0`.data
.rdata
0@.bss
.idata
.ndata
.rsrc
unpacking data: %d%%
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
*?|<>/":
%s=%s
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
ers\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\nsExec.dll
exe 250cb8e0-d9b8-11e2-a752-00259033c1da.exe /t1021cea8321c5d80cd193bfa5920ef /dT132050450S1021cea8321c5d80cd193bfa5920ef /e9041507 /u250cb8e0-d9b8-11e2-a752-00259033c1da
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\nsExec.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp
0`.rdata
.edata
0@.idata
.reloc
nsExec.dll
CreatePipe
PeekNamedPipe
ADVAPI32.dll
KERNEL32.dll
USER32.dll
installer5.exe
System.Diagnostics
System.Globalization
System.IO.Compression
System.IO
System.Reflection
System.Reflection.Emit
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
System.Threading
.cctor
.ctor
set_Key
GetExecutingAssembly
#hXXp://crl.thawte.com/ThawtePCA.crl0
hXXp://ocsp.thawte.com0
$622281ed-4093-47bd-b203-ffc09e73e021
1.0.0.0
mscoree.dll
%Documents and Settings%\drdoom\My Documents\Visual Studio 2010\Projects\installer5\installer5\bin\Release\CryptoObfuscator_Output\installer5.pdb
v2.0.50727
$2F7128C1-C70C-4111-8C76-FC9CDB6AC18F
3.0.16
_CorExeMain
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
*hXXp://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Certification Services Division1806
nsc1508.tmp
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyExA
GetWindowsDirectoryA
SHFileOperationA
ShellExecuteA
ExitWindowsEx
COMCTL32.DLL
GDI32.dll
ole32.dll
SHELL32.DLL
VERSION.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\installer5.exe 250cb8e0-d9b8-11e2-a752-00259033c1da.exe /t1021cea8321c5d80cd193bfa5920ef /dT132050450S1021cea8321c5d80cd193bfa5920ef /e9041507 /u250cb8e0-d9b8-11e2-a752-00259033c1da
8112.16421
/u250cb8e0-d9b8-11e2-a752-00259033c1da
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsc1506.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46-7</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
ResourceAssembly.dll
"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98DA2#
PublicKeyToken=
publickeytoken=
3.0.16.0

ns15C4.tmp_2748:

.text
0`.rdata
0@.bss
.edata
0@.idata
.reloc
nsExec.dll
CreatePipe
PeekNamedPipe
ADVAPI32.dll
KERNEL32.dll
USER32.dll

conhost.exe_3408:

.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1704
    ns15C4.tmp:2748

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1507.tmp (8196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\ns15C4.tmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\installer5.exe (8184 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\nsExec.dll (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1A43.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_B98B22DC6E1BE0F7FBDA9800AA963E01 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 (696 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3048.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1A44.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc1508.tmp\250cb8e0-d9b8-11e2-a752-00259033c1da.exe (512 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_B98B22DC6E1BE0F7FBDA9800AA963E01 (696 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3047.tmp (52 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1A45.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B (1008 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1A46.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B (537 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9 (1 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
