Gen.Heur.Hibbit.1_b45a58f1c6
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.Hibbit.1 (B) (Emsisoft), Gen:Heur.Hibbit.1 (AdAware), BackdoorCycbot.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b45a58f1c6f3530bf11df86660fdb054
SHA1: d9756fe43a01b76a97399f1c16a51601e6d14964
SHA256: 5ddff41b2b3364554b276034a1de4bfd68ee49a6fd297bafcdb142a3744777cd
SSDeep: 49152:ENRdnBNdzGG5gq3OGuBe61uZHjnpAFV7R8bX:CGG5NeI8uVDpAj7Ro
Size: 1904128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-11-24 15:16:50
Analyzed on: Windows7 SP1 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3404
AA04.tmp:2260
dwme.exe:2484
dwme.exe:3972
dwme.exe:1040
The Trojan injects its code into the following process(es):
AV Security 2012v121.exe:3700
dwme.exe:3496
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dwme.exe (547 bytes)
C:\Windows\System32\config\SOFTWARE (44169 bytes)
C:\Windows (288 bytes)
C:\$Directory (1152 bytes)
C:\Windows\System32\AV Security 2012v121.exe (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\dwme.exe (547 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (38286 bytes)
C:\Windows\System32 (248 bytes)
The process AV Security 2012v121.exe:3700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\ldr.ini (1668 bytes)
C:\Users\"%CurrentUserName%"\Desktop\AV Security 2012.lnk (1 bytes)
C:\Windows\System32\drivers\etc\hosts (3711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\973F.tmp (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\RpmH5sQJ7E8R9Yw\AV Security 2012.ico (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk (1 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process dwme.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ (4 bytes)
C:\Windows\System32\config\SOFTWARE (9715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\10F5F\F7ED.0F5 (2657 bytes)
%Program Files%\LP\C711\AA04.tmp (12690 bytes)
C:\Windows\System32\config (1536 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (8678 bytes)
%Program Files%\LP\C711\056.exe (260562 bytes)
C:\Windows\System32 (248 bytes)
Registry activity
The process %original file name%.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself automatically each time Windows starts, the Trojan adds a link to its file under the following autorun key in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZdKfL9hTjCkBzNx" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\dwme.exe"
"robF4pmG5Q6E8R98234A" = "C:\Windows\system32\AV Security 2012v121.exe"
The process AA04.tmp:2260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\WinRAR]
"HWID" = "7B 32 45 34 36 36 37 37 34 2D 31 41 41 43 2D 34"
The process dwme.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HideSCAHealth" = "1"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
To run itself automatically each time Windows starts, the Trojan adds a link to its file under the following autorun key in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"056.exe" = "%Program Files%\LP\C711\056.exe"
Dropped PE files
MD5 | File path |
---|---|
96575bb2d4951a98f36be00af173fd8e | c:\Program Files\LP\C711\056.exe |
ba4818120b8c3c87a4437450f5968ea5 | c:\Program Files\LP\C711\AA04.tmp |
96575bb2d4951a98f36be00af173fd8e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\dwme.exe |
96575bb2d4951a98f36be00af173fd8e | c:\Users\"%CurrentUserName%"\AppData\Roaming\dwme.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 967 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | validation.sls.microsoft.com |
46.4.179.109 | google.com |
46.4.179.109 | yahoo.com |
46.4.179.109 | bing.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 4127519 | 936960 | 5.27284 | 1c60aaf3fae90f76bac63e0c199918ed |
.rdata | 4132864 | 1868 | 2048 | 3.79619 | a5396593ea04e73668eecafc1bf398f3 |
.data | 4136960 | 963472 | 963584 | 5.54506 | 3848b27332c69bf554530be50f38fb7d |
.rsrc | 5103616 | 4096 | 512 | 0.216559 | a0683157b157633e4c3c3c6132b72f4c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3404
AA04.tmp:2260
dwme.exe:2484
dwme.exe:3972
dwme.exe:1040
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dwme.exe (547 bytes)
C:\Windows\System32\config\SOFTWARE (44169 bytes)
C:\$Directory (1152 bytes)
C:\Windows\System32\AV Security 2012v121.exe (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\dwme.exe (547 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (38286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ldr.ini (1668 bytes)
C:\Users\"%CurrentUserName%"\Desktop\AV Security 2012.lnk (1 bytes)
C:\Windows\System32\drivers\etc\hosts (3711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\973F.tmp (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\RpmH5sQJ7E8R9Yw\AV Security 2012.ico (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\10F5F\F7ED.0F5 (2657 bytes)
%Program Files%\LP\C711\AA04.tmp (12690 bytes)
%Program Files%\LP\C711\056.exe (260562 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZdKfL9hTjCkBzNx" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\dwme.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"robF4pmG5Q6E8R98234A" = "C:\Windows\system32\AV Security 2012v121.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"056.exe" = "%Program Files%\LP\C711\056.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.