Gen.Variant.Strictor.132567_cf4872cc54

by malwarelabrobot on June 19th, 2018 in Malware Descriptions.

Gen:Variant.Strictor.132567 (BitDefender), VirTool:Win32/Obfuscator (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Virus.Win32.Virut.Generic (v) (VIPRE), Trojan.DownLoader26.51438 (DrWeb), Gen:Variant.Strictor.132567 (B) (Emsisoft), Generic-FAAF!CF4872CC549F (McAfee), Packed.Vmpbad!gen4 (Symantec), Trojan.Win32.VMProtect (Ikarus), Gen:Variant.Strictor.132567 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0CFE18 (TrendMicro), GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Virus, Packed, VirTool, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: cf4872cc549ffa4ddecd11c02eb6b38d
SHA1: 4848640afe037594d2e0eee5dc2e19f413bfc8a8
SHA256: 3b60621eb2af71cb89be2aaadd2cd5ea7b97b9ffbe1492ff9223860b9d50c67b
SSDeep: 49152:FV1w7TWYiFz4/V PHrh6vaFPMlKsc7gut/LAQPLMvFoTQxZlOoPpY29DxDfl109R:xSq5RSaalKxCHlWZ3RuwmuY
Size: 2912256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2018-06-14 22:39:01
Analyzed on: Windows7 SP1 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2312

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Windows\System32\COMCTL32.OCX (608 bytes)
C:\Windows\System32\COMDLG32.OCX (307 bytes)
C:\Windows\System32\drivers\etc\hosts (9 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\drivers\etc\hosts (0 bytes)

Registry activity

The process %original file name%.exe:2312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\MSComDlg.CommonDialog.1\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Help Property Page Object"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Open Property Page Object"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2]
"(Default)" = "Microsoft Common Dialog Control 6.0 (SP6)"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Print Property Page Object"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version]
"(Default)" = "1.2"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCR\MSComDlg.CommonDialog\CurVer]
"(Default)" = "MSComDlg.CommonDialog.1"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCR\MSComDlg.CommonDialog]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1]
"(Default)" = "132499"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID]
"(Default)" = "MSComDlg.CommonDialog.1"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKCR\MSComDlg.CommonDialog\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Font Property Page Object"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}]
"(Default)" = "ICommonDialog"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "ICommonDialogEvents"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"Version" = "1.2"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\MSComDlg.CommonDialog.1]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX, 1"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID]
"(Default)" = "MSComDlg.CommonDialog"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Color Property Page Object"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.OCX, 1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS]
"(Default)" = "2"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"Version" = "1.2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR]
"(Default)" = ""

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]

The Trojan deletes the following value(s) in system registry:

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

Dropped PE files

MD5 File path
eb5f811c1f78005b3c147599a0cccf51 c:\Windows\System32\COMCTL32.OCX
ab412429f1e5fb9708a8cdea07479099 c:\Windows\System32\COMDLG32.OCX
90a39346e9b67f132ef133725c487ff6 c:\Windows\System32\MSINET.OCX

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS names to IP addresses.
The modified file is 9100 bytes in size. The following strings are added to the hosts file:


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Mehgai3Oapem1Ahi
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: Triptofan telekil Ros V1.1.exe
Internal Name: Triptofan telekil Ros V1.1
File Version: 1.00
File Description:
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 180048 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 184320 11024 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 196608 7677152 28672 3.95539 1055dc4a5624c597bbdcab2f846afee8
.vmp0 7876608 216676 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 8093696 2877259 2879488 5.50489 1dc2e6959f70286fd940276c18bfafe3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\MSINET.OCX (267 bytes)
    C:\Windows\System32\COMCTL32.OCX (608 bytes)
    C:\Windows\System32\COMDLG32.OCX (307 bytes)
    C:\Windows\System32\drivers\etc\hosts (9 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
