MD5: d56a942560e6c0eb859e86afb98d2864
SHA1: 585aace656d5f2caa4fed89a68bd1ddb061d2095
SHA256: de7455e2c897c19b5545535e35562ed7e8870b9daa390026c4225ecc778350d4
SSDeep: 24576:PKco/ZO3tvgIFqDa/CXAbYvp CaBCLsoEfrDWdYPMlxr2PKV/hBBASzNshwtJFx:SZYMDcnBCLsBOljZ
Size: 1612800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Company
Created at: 2016-06-17 04:31:25
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1832
%original file name%.exe:1500

The Trojan injects its code into the following process(es):

svchost.exe:1384
iexplore.exe:1852

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\a9H4F8EgLHO.exe (10177 bytes)

The process %original file name%.exe:1500 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 BB 83 F7 68 B3 3D A8 34 27 F5 EC 61 BC 79 0D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aIeXPMlKKEvLt" = "%Documents and Settings%\%current user%\Local Settings\Temp\a9H4F8EgLHO.exe"

The process %original file name%.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 E1 55 DB B0 8C 60 0F 23 E2 B9 99 B4 A7 34 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "--((Mutex))--"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: aUQikFCr3oKSD
Product Name: aAJ9UGhTTVAGThUqn
Product Version: 14.19.23.95
Legal Copyright: Copyright (c) 2015
Legal Trademarks: aZYcLIBjHHQQgq7c2a6J
Original Filename: server2.exe
Internal Name: server2.exe
File Version: 14.19.23.95
File Description: abowr7Jhqr5
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_1384_rwx_10000000_0004A000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

192.168.0.1

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ShellExecuteW

ntdll.dll

1 1$1(1,10141

KWindows

TServerKeylogger

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

haxor44.ddns.net

UPnP.UP

Server.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

ftpuser

iexplore.exe_1852:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_1852_rwx_10000000_0004A000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

192.168.0.1

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ShellExecuteW

ntdll.dll

1 1$1(1,10141

KWindows

TServerKeylogger

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

haxor44.ddns.net

UPnP.UP

Server.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

ftpuser

c:\%original file name%.exe

%Program Files%\Internet Explorer\iexplore.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1832
   %original file name%.exe:1500
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\a9H4F8EgLHO.exe (10177 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "aIeXPMlKKEvLt" = "%Documents and Settings%\%current user%\Local Settings\Temp\a9H4F8EgLHO.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.