Trojan.MSIL.Qhost.bbs_5990155d77
Trojan.MSIL.Qhost.bbs (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5990155d779f57a537e4f867ff308e91
SHA1: 5c8ef1d2543be79840f92976515199f500ef5769
SHA256: 7b6a07a207f8fa838d460d817e8b32a6ccc016b66a14ab645d02e9a026b3c9c7
SSDeep: 24576:bQiI8iZqcsdiVXrxhhY8b9A5IM4xsbaQZqfoqh:b9I84sc1xIHIM9Zeh
Size: 859086 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
booster.exe:1580
SirrekFiBiirAlaChebbi.exe:264
5990155d779f57a537e4f867ff308e91.tmp:684
%original file name%.exe:1908
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process booster.exe:1580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (864 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (864 bytes)
The process SirrekFiBiirAlaChebbi.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\etc\hosts (1273 bytes)
The process 5990155d779f57a537e4f867ff308e91.tmp:684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\booster.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\booster.exe (95756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\itdownload.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\idp.dll (1502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\SirrekFiBiirAlaChebbi.exe (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\SirrekFiBiirAlaChebbi.exe.config (1 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\booster.exe.config (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\booster.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\itdownload.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\idp.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\SirrekFiBiirAlaChebbi.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\SirrekFiBiirAlaChebbi.exe.config (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8QJ63.tmp\5990155d779f57a537e4f867ff308e91.tmp (1897 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8QJ63.tmp\5990155d779f57a537e4f867ff308e91.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8QJ63.tmp (0 bytes)
Registry activity
The process SirrekFiBiirAlaChebbi.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\tsckmna]
"State" = "succed"
[HKCR\tschmna]
"State" = "succed"
The process 5990155d779f57a537e4f867ff308e91.tmp:684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "45 B4 B6 6D CE B5 22 1A 73 E1 C4 2F 99 40 65 02"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Owner" = "AC 02 00 00 91 26 7C 21 37 3E D3 01"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\5990155d779f57a537e4f867ff308e91_RASAPI32]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\RestartManager\Session0000]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence"
"Owner"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before any DNS lookup.
The modified file is 1273 bytes in size. The entries added to the hosts file pair a host name with the loopback address 127.0.0.1, so lookups of those names never reach their real servers.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: badder
Product Name: DArkomFisd
Product Version: 7.5
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: DArkomFisd Setup
Comments: This installation was built with Inno Setup.
Language: German (Germany)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40240 | 40448 | 4.59678 | 611a4d7a24dd9b18a256468a5d7453f5 |
DATA | 45056 | 592 | 1024 | 1.90942 | 2f7f9f859c8b4b133abf78cebd99cc90 |
BSS | 49152 | 3728 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 247164 | 247296 | 4.43351 | fcfbba72b23a34f16bfdf721f00392e5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://asedownloadgate.com/exe/avboost-installer.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
HEAD /exe/avboost-installer.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: asedownloadgate.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 00:07:38 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="avboost-installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET /exe/avboost-installer.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: asedownloadgate.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 00:07:38 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="avboost-installer.exe"
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
booster.exe:1580
SirrekFiBiirAlaChebbi.exe:264
5990155d779f57a537e4f867ff308e91.tmp:684
%original file name%.exe:1908
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (864 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (864 bytes)
C:\Windows\System32\drivers\etc\hosts (1273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\booster.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\itdownload.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\idp.dll (1502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\SirrekFiBiirAlaChebbi.exe (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-M939F.tmp\SirrekFiBiirAlaChebbi.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8QJ63.tmp\5990155d779f57a537e4f867ff308e91.tmp (1897 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.