Win32.Bolik.Gen_17b6efc780
Win32.Bolik.Gen (B) (Emsisoft), Win32.Bolik.Gen (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 17b6efc780fb4c7513be2c55ae20f50f
SHA1: c4a80d79b5751688e90a0f3096fdc10722a63aef
SHA256: 971c174e818da11f60795e981088c4cd8484d895f4057ad2a0ad496bd5f3b11c
SSDeep: 24576:8lqFl95UHNPJMrjG5 WdK1npBkkCtbK0/SIpG8sYawKIEoRaD4tr:8y9iNRM25 WQJ7kkYm0vx7eInFB
Size: 1117048 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-12 17:26:02
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Efnio.exe:1712
The Trojan injects its code into the following process(es):
wininit.exe:360
%original file name%.exe:1804
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Efnio.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Ahgymevyisa\USERENV.dll (126 bytes)
The process %original file name%.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\kl-setup-2017-03-26-04-00-13.log (1302 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 0facc053baff107027cbd1f48885fd4a | c:\Windows\System32\Ahgymevyisa\Efnio.exe |
| 2b379fcf9e1a20f2e9c8a6347eb159d6 | c:\Windows\System32\Ahgymevyisa\USERENV.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ??????????? ???????????
Product Name: Kaspersky Installer
Product Version: 1.0.7.25
Legal Copyright: (c) ??? "??????????? ???????????", 2012
Legal Trademarks: ?????????????????? ???????? ????? ? ????? ???????????? ???????? ?????????????? ?? ????????????????
Original Filename: Setup
Internal Name:
File Version: 1.0.7.25
File Description: Kaspersky Installer [1.0.7.25]
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 249657 | 249856 | 4.56053 | 53f5d7b508a8908170a3dc37871429e7 |
| .rdata | 253952 | 62392 | 62464 | 3.24223 | ad9483fde5115ef715d81d446add029b |
| .data | 319488 | 16444 | 8192 | 2.74359 | 984c2099ddbdd615a52e47ff0d860344 |
| .rsrc | 339968 | 766424 | 766464 | 5.35534 | ae2dee6c58ec927dadb5d00bc5bec49e |
| .reloc | 1110016 | 12766 | 12800 | 4.38833 | 19906692eb652d6eae2bb20166a09e26 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://91.215.154.155/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Efnio.exe:1712
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\Ahgymevyisa\USERENV.dll (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\kl-setup-2017-03-26-04-00-13.log (1302 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.