MD5: c53bc6ee653331fee77ee97d5d74549e
SHA1: d1e77ec66ac529a1bafdce9c9e64424d31179fe1
SHA256: 54e7813034598bc1497a329aaf268dba4d9fc9cbed297cc396d67da664a20caf
SSDeep: 3072:zmZBWwd86YpyFnpdp/xVRXEgoY8fv/fNbJzZ7EBMXXuE:zTnpyNpH/xVyfY8fv/fX97EY7
Size: 203225 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2017-09-15 16:33:46
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The DeepScan creates the following process(es):

%original file name%.exe:3676

The DeepScan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\Windows\hyhjyc.exe (1281 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\Borland Abcdefgh Jkl]
"Description" = "Borland Cdefghijk Mnopqrs Uvwxyabc Efg"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Borland ????
Product Name: ???
Product Version: 7.0
Legal Copyright: ???? ? 1996-2002 Borland ????
Legal Trademarks:
Original Filename: DELPHI32.EXE
Internal Name: DELPHI32
File Version: 7.0.4.453
File Description: Delphi-32 ????
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
520hack.f3322.net	115.215.219.80
ip.yototoo.com	203.219.151.110
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The DeepScan connects to the servers at the folowing location(s):

.rdata

@.data

.rsrc

KERNEL32.dll

_acmdln

MSVCRT.dll

.data

@.reloc

%d.%d.%d.%d

wininet.dll

Referer: VVV.qq.com

GET %s HTTP/1.1

Host: %s:%d

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)

Referer: hXXp://%s

\Program Files\Internet Explorer\iexplore.exe

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

Host: %s

%s %s%s

hXXp://

#0%s!

%s/%s

GET / HTTP/1.1

%s\%s

Microsoft\Network\Connections\pbk\rasphone.pbk

\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk

advapi32.dll

RasDialParams!%s#0

%s\shell\open\command

%s\*.*

%s%s%s

%s%s*.*

SYSTEM\CurrentControlSet\Services\%s

Program Files\Internet Explorer\IEXPLORE.EXE

\MODIf.html

:] %s

:]%d-%d-%d %d:%d:%d

%s\%x.log

%s\%x.sg

%s.exe

\BWebCam.dll

\BAudioListen.dll

%-24s %-15s 0x%x(%d)

%-24s %-15s %s

\cmd.exe

%s%s%s%s

hXXp://user.qzone.qq.com/

Msxml2.XMLHTTP

%s %d

\\.\agmkis2

\??\%s\%s

%c%c%c%c%c%c.exe

FHttp/1.1 403 Forbidden

HTTP/1.0 200 OK

\termsrv_t.dll

127.0.0.1

PortNumber

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s

00000%s

SAM\SAM\Domains\Account\Users\Names\%s

drwtsn32.exe

csrss.exe

\termsrv.dll

%SystemRoot%\system32\termsrv_t.dll

%s:%d

RDP-Tcp

Ýay %dHour %dMin

Windows %s SP%d

explorer.exe

Mozilla/4.0 (compatible)

nsocket-di:%d

1.2.5

GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET ~!@#$%^&*())(*&^%$#@!ABCDEFGHIJKLMN!@#$%^.asp

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

inflate 1.2.5 Copyright 1995-2010 Mark Adler

|$<.tK

GetWindowsDirectoryA

GetProcessHeap

CreatePipe

DisconnectNamedPipe

PeekNamedPipe

WinExec

GetAsyncKeyState

GetKeyState

EnumWindows

keybd_event

MapVirtualKeyA

ExitWindowsEx

USER32.dll

GDI32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegOpenKeyA

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegQueryInfoKeyA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

WS2_32.dll

MSVCP60.dll

URLDownloadToFileA

urlmon.dll

InternetOpenUrlA

WININET.dll

NETAPI32.dll

PSAPI.DLL

WTSAPI32.dll

Zesr68f4.dll

1$1)10161<1

3tftp

08040000

7.0.4.453

DELPHI32.EXE

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3676
   

2. Delete the original DeepScan file.
   
3. Delete or disinfect the following files created/modified by the DeepScan:
   

   C:\Windows\hyhjyc.exe (1281 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.