Gen.Trojan.Heur.9y1vqu9UYmi_c16e5825d3

by malwarelabrobot on October 25th, 2016 in Malware Descriptions.

Trojan.Win32.Agent.icgh (Kaspersky), Worm.Win32.Mira.a (v) (VIPRE), Trojan.MulDrop5.32888 (DrWeb), Gen:Trojan.Heur.9y1@vqu9UYmi (B) (Emsisoft), W32/Worm-FUC!C16E5825D332 (McAfee), W32.SillyFDC (Symantec), Trojan-Spy.Zbot (Ikarus), Gen:Trojan.Heur.9y1@vqu9UYmi (FSecure), SHeur4.BVDT (AVG), Win32:Malware-gen (Avast), WORM_MIRAS.SMN (TrendMicro), Gen:Trojan.Heur.9y1@vqu9UYmi (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan, Worm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: c16e5825d33274a2483bb2392c9b6d80
SHA1: a22647368db6bbe1551f626d3ba5b599703283ec
SHA256: 72f81d877fe3e0dd7d4948f21787c787ae4ba7d2362683d711979e9c75608368
SSDeep: 24576:/1/aGLDCM4D8ayGMZo8/nZ2ALaqS0INcCk53L:wD8ayGMZoCwAzDN3L
Size: 1010921 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Spy. Spy program intended for stealing user's confidential data.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1952
rkclkx.exe:1644

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
C:\ProgramData\rkclkx.exe (1019779 bytes)

The process rkclkx.exe:1644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\original .exe (1963131 bytes)
C:\config.sys .exe (1963131 bytes)
C:\%original file name%.exe .exe (1963131 bytes)
C:\bootmgr .exe (1963131 bytes)
C:\Boot .exe (1963131 bytes)
C:\Windows .exe (1963131 bytes)
C:\ProgramData .exe (1963131 bytes)
C:\$Recycle.Bin .exe (1963131 bytes)
C:\BOOTSECT.BAK .exe (1963131 bytes)
%Documents and Settings% .exe (1963131 bytes)
C:\totalcmd .exe (1963131 bytes)
C:\Users .exe (1963131 bytes)
C:\XELDZ .exe (1963131 bytes)
C:\autoexec.bat .exe (1963131 bytes)
C:\System Volume Information .exe (1963131 bytes)
C:\marker .exe (1963131 bytes)
%Program Files% .exe (1963131 bytes)
C:\pagefile.sys .exe (1963131 bytes)

The Trojan deletes the following file(s):

C:\Mirax (0 bytes)
C:\Miray (0 bytes)
C:\Mirau (0 bytes)
C:\Miraw (0 bytes)
C:\Mirap (0 bytes)
C:\Miraq (0 bytes)
C:\Mirar (0 bytes)
C:\Miral (0 bytes)
C:\Miram (0 bytes)
C:\Mirao (0 bytes)
C:\Mirah (0 bytes)
C:\Miraj (0 bytes)
C:\Mirak (0 bytes)
C:\Mirad (0 bytes)
C:\Mirae (0 bytes)
C:\Mirag (0 bytes)
C:\Miraa (0 bytes)
C:\Mirab (0 bytes)

Registry activity

The process rkclkx.exe:1644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\rkclkx.exe"

Dropped PE files

MD5 File path
cffb761c9e78631de2df7bd838c31bcf c:\$Recycle.Bin .exe
ea81556788867d9ff125ec93271b4721 c:\BOOTSECT.BAK .exe
3078026ed7a47dd0b94d80d928fb246d c:\Boot .exe
1175236c64fafd7f4ab54f12faf2654d c:\Documents and Settings .exe
f356e2bf2c0c0b6ab2a4a9dd49344686 c:\Perl .exe
73c75e13f8b048b99ef6c4be7b47bdc0 c:\Program Files .exe
9306a52101e4b919f6718544da6cba89 c:\ProgramData .exe
2549139ceeb2c40c2ea0aeb04527d833 c:\ProgramData\Saaaalamm\Mira.h
949d3a6a4be289c08984644effe3defe c:\ProgramData\rkclkx.exe
27d587bdd8cf0169ab8e7bf3d0b51482 c:\System Volume Information .exe
c0af58d33ba832878dd5beb7e8812fcc c:\Users .exe
2549139ceeb2c40c2ea0aeb04527d833 c:\Users\All Users\Saaaalamm\Mira.h
949d3a6a4be289c08984644effe3defe c:\Users\All Users\rkclkx.exe
27bbd9467c5f014703b3d93dcc6bb3ba c:\Windows .exe
488a1f5e672e0e222b82fb81e7e306e3 c:\XELDZ .exe
aacaef6c6f9fa0eec24c00eea34be950 c:\autoexec.bat .exe
0f9c86572332b72ea63751a554f1b403 c:\bootmgr .exe
fde7a1fa67c79baa7d81f28340326c3d c:\%original file name%.exe .exe
dff2b2a1a97b26013685f1379a5e2e82 c:\config.sys .exe
cdcf809acf2e209bfbe4794ec5dd00c2 c:\marker .exe
d600962cedd52edeab504cb48e6d7396 c:\original .exe
e11e683f7324b2d3e2742fa893e5af79 c:\pagefile.sys .exe
5d35d94e447355fbb096530c97a38279 c:\totalcmd .exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Mira Malware
Product Version: 1.0.0.155
Legal Copyright: Microsoft Corporation
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.155
File Description: Mira Malware
Comments:
Language: Korean (Korea)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 245368 245760 4.21465 8b164ac8ef3742f37830dc1842275667
.data 249856 608 1024 0.488703 6fda88cf7188a8245a53dfde927250fd
.rdata 253952 9384 9728 3.47165 dbe852009dbd077a9976cb0ecfb9aadf
.bss 266240 18576 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 286720 2212 2560 2.97703 5e5242c565219f3bd33a6568632559dc
.rsrc 290816 758300 750825 4.87522 a3e3804204201365579dd163a840ab2a

Dropped from:

6dfde729ec9ac5a21b95da1b5216befa

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

WMIADAP.EXE_1296:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
wbemcomn.dll
OLEAUT32.dll
ole32.dll
loadperf.dll
`.bik
PSSSSSSh
WMIADAP.exe
?CloseSubKey@CRegistry@@AAEXXZ
?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z
?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QAEKXZ
?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z
?GetLongestSubKeySize@CRegistry@@QAEKXZ
?GethKey@CRegistry@@QAEPAUHKEY__@@XZ
?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z
?NextSubKey@CRegistry@@QAEKXZ
?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z
?OpenSubKey@CRegistry@@AAEKXZ
?RewindSubKeys@CRegistry@@QAEXXZ
?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKQAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z
?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z
?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z
?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z
?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z
?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z
QSSh0
Invalid parameter passed to C runtime function.
ntdll.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyW
RegDeleteKeyW
RegQueryInfoKeyW
_amsg_exit
_acmdln
?Report@CEventLog@@QAEHGKVCInsertionString@@000000000@Z
WMIADAP.pdb
<assemblyIdentity version="1.0.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
5m6z6
%s_x
%s_x_
Global\WMI_SysEvent_Semaphore_%d
WinMSGWMIADAP
\\.\root\cimv2
WMIADAP Msg window
\\.\root\wmi
PSAPI.DLL
x=%s
Describes all the counters supported via WMI Hi-Performance providers
_new.ini
xx %s%s.ini
xx %s
\\.\ROOT\cimv2:__ClassProviderRegistration.provider="\\\\.\\root\\cimv2:__Win32Provider.Name=\"WmiPerfClass\""
WmiApRes.dll
%s\%s
6.1.7600.16385 (win7_rtm.090713-1255)
wmicookr.dll
Windows
Operating System
6.1.7600.16385

rkclkx.exe_1644:

.text
`.data
.rdata
@.bss
.idata
C:\ProgramData\rkclkx.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows
Operating System
%H:%M:%S
%m/%d/%y
-0123456789
%s:%u: failed assertion `%s'
RegCloseKey
RegOpenKeyA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL

taskhost.exe_2500:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
ole32.dll
OLEAUT32.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
USER32.dll
RPCRT4.dll
d:\w7rtm\admin\wmi\jobs\ubpmlibs\comtaskhost\comtaskapi.cpp
The likely culprit task is stuck on the same stack with %S.
d:\w7rtm\admin\wmi\jobs\ubpmlibs\closewinapp\closewinapp.cpp
Invalid parameter passed to C runtime function.
taskhost.pdb
_wcmdln
_amsg_exit
InitOnceExecuteOnce
SetProcessShutdownParameters
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
ntdll.dll
GetProcessHeap
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
bStartComTask() --> h=0x%x ret=%d
StopComTask(0x%x) --> ret=%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
ComTaskMgrWnd(0x%x)::ShutdownTasksWorker()
ComTaskMgrWnd(0x%x)::Shutdown(%ws)
gCleanupSet()::Remove(0x%x)
ComTaskHost(0x%x)::WaitForTaskStartCompletion() --> 0x%x
ComTaskHost(0x%x)::WaitForTaskStartCompletion()
ComTaskHost(0x%x)::%ws() --> ReleaseLifetimeRef(this)
ComTaskHost(0x%x)::StopTaskWorker() --> 0x%x
ComTaskHost(0x%x)::StopTaskWorker()
ComTaskHost(0x%x)::Shutdown()
ComTaskHost(0x%x)::HandleReportingState(0x%x) --> 0x%x
ComTaskHost(0x%x): UbpmReportTaskStatus(0x%x) --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> 0x%x
ITaskHandler::Start(0x%x,"%ws") --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> ITaskHandler(0x%x)::Start(0x%x,"%ws")
ComTaskHost(0x%x)::StartTaskWorker()
ComTaskHost(0x%x)::Stop --> 0x%x
ComTaskHost(0x%x)::Stop - CreateThread failed with 0x%x
StartTaskThread(0x%x) bailed out because of shutdown
ComTaskHost(0x%x)::~ComTaskHost()
ComTaskHost(0x%x)::Start --> 0x%x
ComTaskHost(0x%x)::TaskCompleted() skipped because of shutdown
ComTaskHost(0x%x)::TaskCompleted(0x%x)
ComTaskHost(0x%x)::AddRef -> m_cRef = %d
ComTaskHost(0x%x)::Release -> m_cRef = %d
WinAppTerminator: found wnd 0x%x for pid %d.
WinAppTerminator: forced WM_CLOSE sent to top wnd 0x%x.
WinAppTerminator: EnumThreadWindows failed err=%d.
Host Process for Windows Tasks
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskhost.exe
Windows
Operating System
6.1.7601.17514


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1952
    rkclkx.exe:1644

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
    C:\ProgramData\rkclkx.exe (1019779 bytes)
    C:\original .exe (1963131 bytes)
    C:\config.sys .exe (1963131 bytes)
    C:\%original file name%.exe .exe (1963131 bytes)
    C:\bootmgr .exe (1963131 bytes)
    C:\Boot .exe (1963131 bytes)
    C:\Windows .exe (1963131 bytes)
    C:\ProgramData .exe (1963131 bytes)
    C:\$Recycle.Bin .exe (1963131 bytes)
    C:\BOOTSECT.BAK .exe (1963131 bytes)
    %Documents and Settings% .exe (1963131 bytes)
    C:\totalcmd .exe (1963131 bytes)
    C:\Users .exe (1963131 bytes)
    C:\XELDZ .exe (1963131 bytes)
    C:\autoexec.bat .exe (1963131 bytes)
    C:\System Volume Information .exe (1963131 bytes)
    C:\marker .exe (1963131 bytes)
    %Program Files% .exe (1963131 bytes)
    C:\pagefile.sys .exe (1963131 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft® Windows® Operating System" = "C:\ProgramData\rkclkx.exe"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now