Gen.Variant.Graftor.51253_f8fe155150

by malwarelabrobot on June 19th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.51253 (B) (Emsisoft), Gen:Variant.Graftor.51253 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Trojan.Win32.IEDummy.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: f8fe1551502ba56e012c647757231658
SHA1: d666d90c63eeca4d6700101ff5c30909ff10afba
SHA256: 4b4c4bf2c4923d25982c70365da9769bdaef73c18ea1567befef0e8637c06f2d
SSDeep: 12288:1sdxY5yaceZ84LxoHLJnr3BAQYdilEUU72MHpptv:1UY56eCwaLJrRp1W2O
Size: 549888 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

hoohu.exe:1876
hoohu.exe:684
%original file name%.exe:388
%original file name%.exe:524

The Trojan injects its code into the following process(es):

iexplore.exe:1244
Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Texuyv\hoohu.exe (1830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpde8a2f75.bat (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process hoohu.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 C7 8F 7F D8 40 04 2B BB A4 25 C5 7E 11 B1 8F"

The process hoohu.exe:684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\syscheck]
"Logoff" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 93 90 D6 0E D4 BC AB D7 20 1D 42 43 23 30 BB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"|1983C5DA-EE80-1C13-3115-DDFDC696107A}" = "%Documents and Settings%\%current user%\Application Data\Texuyv\hoohu.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 9E 9E 2F 76 D3 3B B0 82 F6 5B 64 2E 1F 34 D8"

The process %original file name%.exe:524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 62 70 B6 E0 8B A8 15 AA 9A CD B1 1F EB 23 BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
77ecc51163ceec037693d38ae8456013 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Texuyv\hoohu.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSAConnect
WSASend
send
connect
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 510004 510464 4.3694 d1d28ba493b05a260c46b5b91ad0cee2
DATA 516096 4476 4608 2.84117 4fffd9397215dea9cebefad02c678dab
BSS 524288 3045 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 528384 8276 8704 3.38896 c3c4ead4f51e4acc337d09af82531b95
.tls 540672 16 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 544768 24 512 0.143426 bd32171a85900c7289a94112a9035789
.reloc 548864 23128 23552 0 6ff3e30f82b9d7840369598fb3ddde5e
.rsrc 573440 512 512 0 bf619eac0cdf3f68d496ea9344137e8b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

iexplore.exe_1244:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

iexplore.exe_1244_rwx_00140000_00029000:

.text
`.data
.reloc
hXXp://VVV.google.com/analytics/
user_pref("network.proxy.type", 4);
HTTP/1.1
hXXp://
hXXps://
HTTP/1.
%s?key=%s
shell32.dll
\internet explorer\iexplore.exe
iexplore.exe -k "%s?id=%s&key=%s"
*\explorer.exe*
iexplore.exe -k "about:blank"
>;($9*6`$8&
(!-0*1,&? 6
$94 '6%>
,1<(/>-6
$:$#>$?19/
$93 $3#5#
h.pUBR
=.SZV'
id=%s&hash=%s
PR_OpenTCPSocket
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
urlmon.dll
cabinet.dll
SSSh8N
GetProcessHeap
KERNEL32.dll
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
EnumWindows
SetKeyboardState
MapVirtualKeyW
GetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
USER32.dll
RegQueryInfoKeyW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
:$:,:4:<:
9&9/949^9
cGlobal\XXX
socks=127.0.0.1:%d
\Mozilla\Firefox\
profiles.ini
\prefs.js
nspr4.dll
SysShadow
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
:\Documents and Settings\"%CurrentUserName%"\Application Data\Riyw\ibosa.xia
%Documents and Settings%\%current user%\Application Data\Riyw
ibosa.xia
Global\{F449ECC4-C79E-F1D9-3115-DDFDC696107A}
%Documents and Settings%\%current user%\Application Data
{62325EE1-75BB-67A2-3115-DDFDC696107A}

Explorer.EXE_1684_rwx_00ED0000_00029000:

.text
`.data
.reloc
hXXp://VVV.google.com/analytics/
user_pref("network.proxy.type", 4);
HTTP/1.1
hXXp://
hXXps://
HTTP/1.
%s?key=%s
shell32.dll
\internet explorer\iexplore.exe
iexplore.exe -k "%s?id=%s&key=%s"
*\explorer.exe*
iexplore.exe -k "about:blank"
>;($9*6`$8&
(!-0*1,&? 6
$94 '6%>
,1<(/>-6
$:$#>$?19/
$93 $3#5#
h.pUBR
=.SZV'
id=%s&hash=%s
PR_OpenTCPSocket
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
urlmon.dll
cabinet.dll
SSSh8N
GetProcessHeap
KERNEL32.dll
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
EnumWindows
SetKeyboardState
MapVirtualKeyW
GetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
USER32.dll
RegQueryInfoKeyW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
:$:,:4:<:
9&9/949^9
cGlobal\XXX
socks=127.0.0.1:%d
\Mozilla\Firefox\
profiles.ini
\prefs.js
nspr4.dll
SysShadow
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
%Documents and Settings%\%current user%\Application Data\Riyw\ibosa.xia
%Documents and Settings%\%current user%\Application Data\Riyw
ibosa.xia
Global\{F449ECC4-C79E-F1D9-3115-DDFDC696107A}
%Documents and Settings%\%current user%\Application Data
{62325EE1-75BB-67A2-3115-DDFDC696107A}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    hoohu.exe:1876
    hoohu.exe:684
    %original file name%.exe:388
    %original file name%.exe:524

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Texuyv\hoohu.exe (1830 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpde8a2f75.bat (177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "|1983C5DA-EE80-1C13-3115-DDFDC696107A}" = "%Documents and Settings%\%current user%\Application Data\Texuyv\hoohu.exe"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now