Installer.Win32.TarmaInstallMate_9d88574eb0
Trojan.Win32.AntiFW.b (Kaspersky), Installerex/WebPick (fs) (VIPRE), Trojan.WebPick.29 (DrWeb), MalSign.Generic.256 (AVG), Win32:InstalleRex-BH [PUP] (Avast), InstallerTarmaInstallMate.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9d88574eb0489e045c8927e3454b12f0
SHA1: 161f9dad11de4595390435d4ef0e01f608c062a3
SHA256: 2c2be4b5521d85f69a626685e415922714f0e3c175c7200ecb24b20bd2e60b1c
SSDeep: 6144:8rjbUzkuvcBYC47l2xhPAj9yshh1/9CSFuXWzMJSeJMLBz8xI:8rIkuveY3uPw4shT9Nnz62xQI
Size: 321648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Right Soft
Created at: 2013-03-12 10:51:45
Analyzed on: WindowsXP SP3 32-bit
Summary:
Installer. An installation package.
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
9d88574eb0489e0:1480
File activity
The process 9d88574eb0489e0:1480 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Readme.txt (2106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Custom.dll (110080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1D365712.dat (491658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.exe (15968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuC6C466D7.dll (341088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\_Setup.dll (190976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.ico (4846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9d88574eb0489e045c8927e3454b12f0.log (87421 bytes)
The Installer deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1D365712.dat (0 bytes)
Registry activity
The process 9d88574eb0489e0:1480 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 BE 25 29 67 E6 E6 7F 21 4C BA C9 51 42 66 E6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Installer modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Installer modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| r1.getapplicationmy.info | |
| r2.getapplicationmy.info | |
| c2.getapplicationmy.info | |
| c1.getapplicationmy.info | |
IDS verdicts
Dropped PE files
| MD5 | File path |
|---|---|
| af7ce801c8471c5cd19b366333c153c4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TsuC6C466D7.dll |
| d257c8662a2c67d5eb8db3bb46eaecbc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Custom.dll |
| e717f6ce3a7429bfa6d7f3cf66737a4b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.exe |
| 8815672378a261ae510745ea448438d9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\_Setup.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
VersionInfo
Company Name: Right Soft
Product Name: Right Soft
Product Version: 1.0.0.3
Legal Copyright: Copyright (c) 2014 Right Soft
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2014.3.2.1434
File Description: Installer for Right Soft
Comments: WinNT (x86) Unicode Lib Rel
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 7672 | 7680 | 4.5056 | b1ae6dcdc3a7ba319c6d5e0b1a2eadbc |
| .rdata | 12288 | 1794 | 2048 | 3.26018 | cd4f20f041a2da05dfe5974fe61bd4ec |
| .data | 16384 | 1040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 20480 | 8288 | 8704 | 2.76619 | cb539ba4a412d7419c6d5edc8fc03c5e |
| .reloc | 32768 | 348 | 512 | 2.09579 | 938152484b33bca77bd622973abb524e |
| .tsustub | 36864 | 120967 | 121344 | 5.54287 | ced43a410245fa01194fc0688a5085ee |
| .tsuarch | 159744 | 175104 | 175104 | 5.54392 | 09958aa1870a26981338585e0cfd3ddd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
`.rdata
@.data
.rsrc
@.reloc
B.tsustub
B.tsuarch
Error %u while retrieving entry point from %ls
Error %u while loading TSU.DLL %ls
Error %u while extracting TSU.DLL to %ls
GetTempPath() failed => %u
Executable has no .tsustub section
.tsustub
GetModuleFileName() failed => %u
This installer is for Windows 2000 and later
GetProcessHeap
KERNEL32.dll
USER32.dll
VERSION.dll
D:\Dev\Tin7\InstallDir\vc80-win32u\Loader.pdb
name="Tarma.InstallMate7.Loader"
version="7.2.0.0"
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
version="6.0.0.0"
wV%%u5
4}b.pf
.pyh!u
Tc%UL
pv.vw
Y.doO+
Ym/%U[$
1c%s)4
P j.wQ
w.HOB`O
SudP
^.NOjw
+d.iT
W%.sC`
=9.YD)
?F.lwx
U%0uNYJ
.AZIt
nLj%D
j(.rY
Ld/%sl
h%C\-
RCRT
.RWlt
?.Hx_
.kv=-\
\StringFileInfo\%04x%04x\Arguments
/d:"%s"
Tsu%08lX.dll
1.0.0.3
WebSite
2014.3.2.1434
TSULoader.exe
{1298F6E9-9E4C-4B3B-9549-0E50C623D394}
{8B2F7744-2A0A-49B8-AB53-622850CC55B2}
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Readme.txt (2106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Custom.dll (110080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1D365712.dat (491658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.exe (15968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuC6C466D7.dll (341088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\_Setup.dll (190976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.ico (4846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9d88574eb0489e045c8927e3454b12f0.log (87421 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.