Trojan.GenericKDZ.25714_76cce89b6c
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKDZ.25714 (AdAware), Backdoor.Win32.Kelihos.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 76cce89b6c9114193d7883a93fd04850
SHA1: 8c5e187b171defb82e341be437a4ab26906add27
SHA256: 4b3316adcc7055bd08d6dcf9ae427696b1917edb38d3dc687d78ea811847e807
SSDeep: 24576:1IGgx6Wr0gkmy5lqWqhP9b ejiJQsfx0O5T:zg1rBJBleJpx0a
Size: 991232 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: C. Ghisler & Co.
Created at: 2014-07-20 20:15:17
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1976
The Trojan injects its code into the following process(es):
%original file name%.exe:192
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:192 makes changes in the file system.
The Trojan deletes the following file(s):
C:\tmp.exe (0 bytes)
Registry activity
The process %original file name%.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 4E D7 74 B2 A4 4E CC 10 22 36 2C CD 46 19 34"
The process %original file name%.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 5F 62 B1 82 8D 86 26 CC 7F 66 64 7A 1E E4 19"
[HKCU\Software\Microsoft\Notepad]
"SizeCompletedValid" = "DLHhaLtgQ5AaQ3Y/CygiKp6iYIPZDfSgomyWyU O/tZiJvoy5KC0mK9K56t rLgCVw=="
[HKCU\Software\Sysinternals\Process Monitor]
"UrlEnabledUse" = "80"
[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"EnableStationQueries" = "1"
"ComputerName" = "XP7"
[HKCU\Software\Microsoft\Notepad]
"InfoPlayedCurrent" = "00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 91 02"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Sysinternals\Process Monitor]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Notepad]
"StyleModifiedPrev" = "80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"
"PersistentLocalizedName" = "D9 80 F9 7F 7A B9 CE 13 E6 9F CE 44 9D D2 2D 06"
[HKCU\Software\Sysinternals\Process Monitor]
"DefaultCompressedRecord" = "D9 80 F9 7F 73 6A AC DC 97 F9 8B 44 B9 1B 50 AC"
[HKCU\Software\Microsoft\Notepad]
"ActiveModifiedTheme" = "D9 80 F9 7F 87 F2 CD A9 36 93 BD 80 BD 6C 78 8A"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordEnabledCheck" = "80"
[HKCU\Software\Sysinternals\Process Monitor]
"RecordModifiedMax" = "DLHhaLtgQ5AaQ3Y/CygiKp6iYIPZDfSgomyWyU O/tZiJvoy5KC0mK9K56t rLgCVw=="
[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"LineLoadedQuick" = "DLHhaLtgQ5AaQ3Y/CygiKp6iYIPZDfSgomyWyU O/tZiJvoy5KC0mK9K56t rLgCVw=="
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkVerifyer" = "c:\%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .texu | 4096 | 22783 | 24576 | 4.11082 | 81715aaab9433f1909f4654990196a6d |
| rdata | 28672 | 5782 | 8192 | 3.32789 | 3bbaf9ece3edec781d9e36fe8c0a84c5 |
| .data | 36864 | 17663 | 20480 | 0.007102 | ba1ff376262cbdb8dc0c8088e34cbf7d |
|  | 57344 | 931673 | 933888 | 5.54377 | f95a6236e6ed0a5130fa780baca86ca7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
bcaca996afda4879fc26028925013824
URLs
| URL | IP |
|---|---|
| hxxp://213.111.231.42/main.htm |  |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Win32/Kelihos.F Checkin
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1976
- Delete the original Trojan file.
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkVerifyer" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.