Trojan.GenericKD.2179413_180751cebb
Trojan.GenericKD.2179413 (B) (Emsisoft), Trojan.GenericKD.2179413 (AdAware), PUP.Win32.DiabloCrack.FD, PUPDiabloCrack.YR (Lavasoft MAS)
Behaviour: Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 180751cebbcefeafa80976033e077367
SHA1: f08e27c40e28cca5ce6bed6d59045e8e551a9905
SHA256: 6a062798c39dd29322e215c593b2dc6b07db9ee152ec2e705dc105a4e5594065
SSDeep: 1536:gM27 eKoirs/D/b 3eK85oFeprQAP3nym:gD7 efiob/b /8BRym
Size: 58368 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEiD: UPX (Compresor Gratuito, www.upx.sourceforge.net), UPolyX v0.5
Company: no certificate found
Created at: 2005-08-31 19:57:03
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2748
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\BASSMOD.dll (31 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 048c336274723710201a3ab5ce7af260 | c:\Windows\System32\BASSMOD.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 53248 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 57344 | 57344 | 55296 | 5.48057 | 46e893c97db6c0941f38b78b33f82e04 |
| .rsrc | 114688 | 4096 | 2048 | 2.40203 | e91941fd2bf222233763aa04aa0865e4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
8ae3074f85f000f45d19c7f40e3acd7c
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.rsrc
j.hDB@
BASSMOD.dll
c:\regpatch.reg
regedit.exe -s
Failed to export file!
File export OK!
...done!
Exe Files [*.exe]
*.exe
All Files [*.*]
\BASSMOD.dll
user32.dll
[EXPORT FILE]
WinRAR.exe
Rar.exe
rarreg.key
mailbox.swipnet.se
to join ChipLand.?
.text
`.rdata
@.data
.reloc
winmm.dll
kernel32.dll
xm_player.dll
WinExec
ShellExecuteA
.rdata
KERNEL32.DLL
comdlg32.dll
gdi32.dll
shell32.dll
filename.exe
hXXp://diablo2oo2.cjb.net
[URL]
%original file name%.exe_2748_rwx_00401000_0001A000:
j.hDB@
BASSMOD.dll
c:\regpatch.reg
regedit.exe -s
Failed to export file!
File export OK!
...done!
Exe Files [*.exe]
*.exe
All Files [*.*]
\BASSMOD.dll
user32.dll
[EXPORT FILE]
WinRAR.exe
Rar.exe
rarreg.key
mailbox.swipnet.se
to join ChipLand.?
.text
`.rdata
@.data
.reloc
winmm.dll
kernel32.dll
xm_player.dll
WinExec
ShellExecuteA
.rdata
.rsrc
filename.exe
hXXp://diablo2oo2.cjb.net
[URL]
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\BASSMOD.dll (31 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.