MD5: a8920cc3c6a4a133eca687271e6eed3e
SHA1: 0fb2e78e297cf5d0ac09098c8841429db1aa6847
SHA256: 51a46af47ccc584ff1007095a10d4c2bac53eb454ffca1d2c163521d3b3b8557
SSDeep: 1536:3qGaT/1sMrcvwms7Glz0DKVLc HoUANJDqGy4gMw PP3:3qRaMrUwmuvDWLc HDAP3y4T3
Size: 138368 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-27 07:38:55
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2028

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\OutlookAutoConfig_eng.exe (1194058 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5919.tmp\NSISdl.dll (30 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg588C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5919.tmp (0 bytes)

Registry activity

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://download.mailplug.com/outlook_auto_config/OutlookAutoConfig_eng.exe	14.49.36.173

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /outlook_auto_config/OutlookAutoConfig_eng.exe HTTP/1.0

Host: download.mailplug.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Server: nginx/1.4.6 (Ubuntu)

Date: Tue, 03 Apr 2018 03:45:06 GMT

Content-Type: application/octet-stream

Content-Length: 22750434

Last-Modified: Thu, 30 Mar 2017 05:38:14 GMT

Connection: close

ETag: "58dc99c6-15b24e2"

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......y...=...=...
=.....`.?...#.e.?...#.c.<...#.r.?.......8...=...f...#.u.$...#.b.<
;...#.g.<...Rich=...................PE..L......I.................".
...&.....a,.......@....@..........................P'.....43...........
...........................lB..P....p....&............................
..............................A..@............@..x....................
........text....!.......".................. ..`.rdata.......@.......&.
.............@..@.data........P.......0..............@....rsrc.....&..
p....&..<..............@..@........................................
......................................................................
......................................................................
......................................................................
......................................................................
.........................................................D$.........t@
j.j..L$.Qh....Pj.h.......@@...$h....R.D$.P..TA@..L$....Q...@@....D$...
T$.R...@@...$....Q..... .R.D..P..XA@....j.j..L$.Q..lA@.P..pA@.........
.........3..D$...$..$P.L$.Q.L$ .T$.R.D$.Ph.P@.Q...V@......u.......$.D$
..L$.R.T$.PQR..pA@.P...W@.......................h$P@..&........uSV....
.h0P@....W@........t.j.j.h.P@...TW@.Ph4P@.V..LW@.....LA@.....PA@...QP.
 ......^.............D$.h....h@a@.P...@@...u.h@P@....@@.P.V......3...@
a@..P...@..u. ....v.j.hXP@.h@a@...DA@.......Da@.t..@a@..`d@. .....
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.ndata

.rsrc

Vj%SSS

uDSSh

hu2.iu

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

%s%s.dll

adm\AppData\Local\Temp\nsq5919.tmp\NSISdl.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5919.tmp\NSISdl.dll

.reloc

WS2_32.dll

NSISdl.dll

invalid URL

Host: %s

GET %s HTTP/1.0

User-Agent: NSISDL/1.2 (Mozilla)

http=

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Unable to open %s

%skB (%d%%) of %skB at %u.
ukB/s

(%u hours remaining)

(%u minutes remaining)

(%u seconds remaining)

Downloading %s

%s$w:

Extract: C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5919.tmp\NSISdl.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5919.tmp

nsq5919.tmp

kAutoConfig_eng.exe

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5919.tmp

c:\%original file name%.exe

%original file name%.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsg588C.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

1442278

503973192

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.50</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2028

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\OutlookAutoConfig_eng.exe (1194058 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5919.tmp\NSISdl.dll (30 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.