Gen.Heur.Ransom.Cerber.2_a236bead99

by malwarelabrobot on April 3rd, 2018 in Malware Descriptions.

Gen:Variant.Ursu.22913 (BitDefender), Trojan:Win32/Krilog.A (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Ursu.22913 (B) (Emsisoft), GenericRXAJ-NA!A236BEAD99BC (McAfee), Ransom.TeslaCrypt!g6 (Symantec), Trojan.Win32.Crypt (Ikarus), Win32:Cryptor (AVG), Win32:Cryptor (Avast), WORM_HPKASIDET.SMK (TrendMicro), Gen:Heur.Ransom.Cerber.2 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Ransom, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: a236bead99bc6c407cad36e6cca80358
SHA1: bb28a8d23b0a75c8c9f1642b07259cff33b05c69
SHA256: 91de7ff475ad31062f337f5bd3a560a537426d609256f3ec721dbc5a826070b2
SSDeep: 6144:2oWYTsqphueLYqbP3o9D4j7YZuU1zaiCnwZu7hB:Ei0eLYmQl4f6n T8CL
Size: 303354 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-10 14:09:10
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WinMail.exe:3332
%original file name%.exe:2940

The Trojan injects its code into the following process(es):

taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
conhost.exe:1656
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WinMail.exe:3332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (36336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0BAC70B5-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7D7B.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (18800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0BAC70B5-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3332_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7D7A.tmp (53 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3332_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7D7B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3332_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7D7A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)

The process %original file name%.exe:2940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Yzogyr\taann.exe (610 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp8da428c6.bat (179 bytes)

Registry activity

The process WinMail.exe:3332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E2 07 04 00 01 00 02 00 0B 00 20 00 32 00 B7 03"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Default_CodePage" = "28591"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "A8 86 0A 59 76 CA D3 01"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

The process %original file name%.exe:2940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Zewi]
"Ozwu" = "E4 EF 6F 58 D5 2E 76 94 E9 17 40 94 49 E8 78 43"

Dropped PE files

MD5	File path
afe55f03b2ab66eff1fc149624475869	c:\Users\"%CurrentUserName%"\AppData\Roaming\Yzogyr\taann.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WINMM.dll:

PlaySoundW

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpSendRequestExA
HttpSendRequestA
InternetSetFilePointer
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
send
WSASend
getaddrinfo
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	73572	73728	4.65842	0383bd65083b61ec77a15245d452f26e
.rdata	77824	215656	216064	4.46643	7a7fed3f77f27cac33532a4a081ef7c9
.data	294912	160084	5632	2.20877	c8d8400debcf0341a8ba0fd0b2924848
.rsrc	458752	5056	5120	2.50953	605a2de1d59aaa203893ed4ccac25cc2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://panamadirect.org/myc/file.php	199.2.137.201
hxxp://a1363.dscg.akamai.net/pki/crl/products/CodeSignPCA.crl
crl.microsoft.com	91.223.19.235

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Citadel Checkin
ET TROJAN Zbot POST Request to C2
ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET TROJAN Generic -POST To file.php w/Extended ASCII Characters

Traffic

GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Length: 558

Content-Type: application/pkix-crl

Content-MD5: PMABL5b49EFkwY194FAj2Q==

Last-Modified: Wed, 23 Aug 2017 20:44:38 GMT

ETag: 0x8D4EA67C5E6D892

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

x-ms-request-id: c961954c-501e-000b-5916-bc5f04000000

x-ms-version: 2009-09-19

x-ms-lease-status: unlocked

x-ms-blob-type: BlockBlob

Date: Mon, 02 Apr 2018 11:32:56 GMT

Connection: keep-alive

0..*0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Copyright (c) 20
00 Microsoft Corp.1#0!..U....Microsoft Code Signing PCA..111110211944Z
..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0... .....7.......
..0...*.H...............&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..
6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud);.?....J_...Fu...
.<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#.
..T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . ....G..#....T..G;.....
.HTTP/1.1 200 OK..Content-Length: 558..Content-Type: application/pkix-
crl..Content-MD5: PMABL5b49EFkwY194FAj2Q==..Last-Modified: Wed, 23 Aug
 2017 20:44:38 GMT..ETag: 0x8D4EA67C5E6D892..Server: Windows-Azure-Blo
b/1.0 Microsoft-HTTPAPI/2.0..x-ms-request-id: c961954c-501e-000b-5916-
bc5f04000000..x-ms-version: 2009-09-19..x-ms-lease-status: unlocked..x
-ms-blob-type: BlockBlob..Date: Mon, 02 Apr 2018 11:32:56 GMT..Connect
ion: keep-alive..0..*0......0...*.H........0..1.0...U....US1.0...U....
Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U...
"Copyright (c) 2000 Microsoft Corp.1#0!..U....Microsoft Code Signing P
CA..111110211944Z..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0
... .....7.........0...*.H...............&..%PIu@.....\0KF....0..^.h9=
.1jT,5.L....Ed ..6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud)
;.?....J_...Fu....<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..
Tr..Ch.[.z:....#...T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . .

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

taskhost.exe_872_rwx_00580000_0003B000:

.text

`.data

.reloc

facebook.com

HTTP/1.1

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

HTTP/1.0

hXXp://

hXXps://

HTTP/1.

%s%s%s

update.exe

config.bin

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

hXXp://VVV.google.com/webhp

RqcRtvrgqhJm|jKhjbnjdDjpho{a{q\

!;<3?##

0<&6%0<#

%!8"!%*,

<7:=95;94<'?

 * (&//?

(5?,(?/9/4

0-'40'7!7'

-'64)076)

92$8':,?

t.dyx}ij2P||tepqr.5/X

Hmli}v.Eoeh`l

 :(>93-7?%!

PR_OpenTCPSocket

%s, u %s %u u:u:u GMT

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

SetKeyboardState

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MsgWaitForMultipleObjects

MapVirtualKeyW

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

SysShadow

nspr4.dll

kernel32.dll

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

chrome.dll

Chrome

Firefox

sXXXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{ECB43061-99B8-4EF5-A3F9-617674E82034}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa\ogac.beo

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa

ogac.beo

Global\{7ACF8244-2B9D-D88E-A3F9-617674E82034}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Esbu\hiuns.qae

C:\Users\"%CurrentUserName%"\AppData\Roaming\Esbu

hiuns.qae

Dwm.exe_1376_rwx_00110000_0003B000:

.text

`.data

.reloc

facebook.com

HTTP/1.1

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

HTTP/1.0

hXXp://

hXXps://

HTTP/1.

%s%s%s

update.exe

config.bin

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

hXXp://VVV.google.com/webhp

RqcRtvrgqhJm|jKhjbnjdDjpho{a{q\

!;<3?##

0<&6%0<#

%!8"!%*,

<7:=95;94<'?

 * (&//?

(5?,(?/9/4

0-'40'7!7'

-'64)076)

92$8':,?

t.dyx}ij2P||tepqr.5/X

Hmli}v.Eoeh`l

 :(>93-7?%!

PR_OpenTCPSocket

%s, u %s %u u:u:u GMT

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

SetKeyboardState

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MsgWaitForMultipleObjects

MapVirtualKeyW

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

SysShadow

nspr4.dll

kernel32.dll

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

chrome.dll

Chrome

Firefox

sXXXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{ECB43061-99B8-4EF5-A3F9-617674E82034}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa\ogac.beo

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa

ogac.beo

Global\{7ACF8244-2B9D-D88E-A3F9-617674E82034}

:\Users\"%CurrentUserName%"\AppData\Roaming\Esbu\hiuns.qae

C:\Users\"%CurrentUserName%"\AppData\Roaming\Esbu

hiuns.qae

Explorer.EXE_1440_rwx_03A90000_0003B000:

.text

`.data

.reloc

facebook.com

HTTP/1.1

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

HTTP/1.0

hXXp://

hXXps://

HTTP/1.

%s%s%s

update.exe

config.bin

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

hXXp://VVV.google.com/webhp

RqcRtvrgqhJm|jKhjbnjdDjpho{a{q\

!;<3?##

0<&6%0<#

%!8"!%*,

<7:=95;94<'?

 * (&//?

(5?,(?/9/4

0-'40'7!7'

-'64)076)

92$8':,?

t.dyx}ij2P||tepqr.5/X

Hmli}v.Eoeh`l

 :(>93-7?%!

PR_OpenTCPSocket

%s, u %s %u u:u:u GMT

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

SetKeyboardState

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MsgWaitForMultipleObjects

MapVirtualKeyW

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

SysShadow

nspr4.dll

kernel32.dll

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

chrome.dll

Chrome

Firefox

sXXXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{ECB43061-99B8-4EF5-A3F9-617674E82034}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa\ogac.beo

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa

ogac.beo

Global\{7ACF8244-2B9D-D88E-A3F9-617674E82034}

conhost.exe_1656_rwx_00140000_0003B000:

.text

`.data

.reloc

facebook.com

HTTP/1.1

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

HTTP/1.0

hXXp://

hXXps://

HTTP/1.

%s%s%s

update.exe

config.bin

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

hXXp://VVV.google.com/webhp

RqcRtvrgqhJm|jKhjbnjdDjpho{a{q\

!;<3?##

0<&6%0<#

%!8"!%*,

<7:=95;94<'?

 * (&//?

(5?,(?/9/4

0-'40'7!7'

-'64)076)

92$8':,?

t.dyx}ij2P||tepqr.5/X

Hmli}v.Eoeh`l

 :(>93-7?%!

PR_OpenTCPSocket

%s, u %s %u u:u:u GMT

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

SetKeyboardState

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MsgWaitForMultipleObjects

MapVirtualKeyW

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

SysShadow

nspr4.dll

kernel32.dll

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

chrome.dll

Chrome

Firefox

sXXXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{ECB43061-99B8-4EF5-A3F9-617674E82034}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa\ogac.beo

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa

ogac.beo

Global\{7ACF8244-2B9D-D88E-A3F9-617674E82034}

TPAutoConnect.exe_2160_rwx_00390000_0003B000:

.text

`.data

.reloc

facebook.com

HTTP/1.1

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

HTTP/1.0

hXXp://

hXXps://

HTTP/1.

%s%s%s

update.exe

config.bin

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

hXXp://VVV.google.com/webhp

RqcRtvrgqhJm|jKhjbnjdDjpho{a{q\

!;<3?##

0<&6%0<#

%!8"!%*,

<7:=95;94<'?

 * (&//?

(5?,(?/9/4

0-'40'7!7'

-'64)076)

92$8':,?

t.dyx}ij2P||tepqr.5/X

Hmli}v.Eoeh`l

 :(>93-7?%!

PR_OpenTCPSocket

%s, u %s %u u:u:u GMT

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

SetKeyboardState

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MsgWaitForMultipleObjects

MapVirtualKeyW

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

SysShadow

nspr4.dll

kernel32.dll

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

chrome.dll

Chrome

Firefox

sXXXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{ECB43061-99B8-4EF5-A3F9-617674E82034}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa\ogac.beo

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa

ogac.beo

Global\{7ACF8244-2B9D-D88E-A3F9-617674E82034}

conhost.exe_2168_rwx_002D0000_0003B000:

.text

`.data

.reloc

facebook.com

HTTP/1.1

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

HTTP/1.0

hXXp://

hXXps://

HTTP/1.

%s%s%s

update.exe

config.bin

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

hXXp://VVV.google.com/webhp

RqcRtvrgqhJm|jKhjbnjdDjpho{a{q\

!;<3?##

0<&6%0<#

%!8"!%*,

<7:=95;94<'?

 * (&//?

(5?,(?/9/4

0-'40'7!7'

-'64)076)

92$8':,?

t.dyx}ij2P||tepqr.5/X

Hmli}v.Eoeh`l

 :(>93-7?%!

PR_OpenTCPSocket

%s, u %s %u u:u:u GMT

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

SetKeyboardState

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MsgWaitForMultipleObjects

MapVirtualKeyW

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

SysShadow

nspr4.dll

kernel32.dll

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

chrome.dll

Chrome

Firefox

sXXXX

C:\Users\"%CurrentUserName%"\AppData\Roaming

{ECB43061-99B8-4EF5-A3F9-617674E82034}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa\ogac.beo

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tywa

ogac.beo

Global\{7ACF8244-2B9D-D88E-A3F9-617674E82034}

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

WinMail.exe:3332
%original file name%.exe:2940
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (36336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0BAC70B5-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7D7B.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (18800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0BAC70B5-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3332_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7D7A.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Yzogyr\taann.exe (610 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp8da428c6.bat (179 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Heur.Ransom.Cerber.2_a236bead99

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet