Trojan.Win32.FlyStudio_3b43c778a7
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3b43c778a7d5a242d117d393b47a8a40
SHA1: 58500c427e94c8378b9d2d66442aa59445e678f8
SHA256: f6c76b490ae43a57443404153330777d7f8b3b65b6010b321d99fbbd24a5babe
SSDeep: 12288:e4Usvu5scCftdpkeVsxg4QDAUuv3 UxnFYxqGwA:ec 3CpcLQDiv7puMG
Size: 655360 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-24 09:58:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2180
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Proxy.dll (326 bytes)
Registry activity
The process %original file name%.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\3b43c778a7d5a242d117d393b47a8a40_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\3b43c778a7d5a242d117d393b47a8a40_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\3b43c778a7d5a242d117d393b47a8a40_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\3b43c778a7d5a242d117d393b47a8a40_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\3b43c778a7d5a242d117d393b47a8a40_RASMANCS]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
65eca73f39f1c9d671519035e0585314 | c:\Proxy.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ??
Product Name: ??????
Product Version: 1.0.0.0
Legal Copyright: ?? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??????
Comments: ??????
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1728512 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1732608 | 552960 | 549376 | 5.49008 | 32dfa8f2b8aac721712fc562151ea5c6 |
.rsrc | 2285568 | 106496 | 104960 | 2.45348 | 15a2a62601afa3c24cf95c8ee253829c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://120.77.216.122/banben.txt | |
hxxp://rj.xie6.cn/gengxin.asp?id=845&bs=MAYI&_r=30117 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
GET /banben.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 120.77.216.122
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Wed, 04 Oct 2017 23:59:19 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
Content-Length: 208
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /banben.txt was not found on this server.</p>
</body></html>
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Proxy.dll (326 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.