VirTool.MSIL.Injector_4005ebe694
Trojan.GenericKD.3004495 (BitDefender), VirTool:MSIL/Injector (Microsoft), Trojan.Win32.Scarsi.apkn (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.PWS.Stealer.19347 (DrWeb), Trojan.GenericKD.3004495 (B) (Emsisoft), Packed-VL!4005EBE6949D (McAfee), Trojan.Gen (Symantec), Trojan.MSIL.Crypt (Ikarus), Trojan.GenericKD.3004495 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R00AC0PAS18 (TrendMicro)
Behaviour: Trojan, Packed, VirTool, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4005ebe6949d4716022c068df098f460
SHA1: 1f8177abf1af390ef892f8441aae67a8c1a94607
SHA256: b80ccc047e8cfde7b62d8b3f4f8d369b3ac4cba44e590c881a4e6693373bb83c
SSDeep: 6144:yLkC7uxevK5gLjy/aemv9KM eCM2d7fpa7Xg:rC7uMy5GyhMir7U7
Size: 274432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2018-01-25 08:22:33
Analyzed on: Windows7 SP1 32-bit
Summary:
VirTool. A program used to apply passive protection methods to viruses, such as obfuscation, encryption, polymorphism. The original virus is usually encrypted/compressed and stored inside the wrapper.
Payload
No specific payload has been found.
Process activity
The VirTool creates the following process(es):
%original file name%.exe:3320
The VirTool injects its code into the following process(es):
%original file name%.exe:3968
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3320 makes changes in the file system.
The VirTool creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\zwn\zwn.exe (1425 bytes)
The process %original file name%.exe:3968 makes changes in the file system.
The VirTool creates and/or writes to the following file(s):
C:\Windows\System32\drivers\etc\hosts (11 bytes)
Registry activity
The process %original file name%.exe:3320 makes changes in the system registry.
The VirTool creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the VirTool adds a reference to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zwn" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\zwn\zwn.exe"
The process %original file name%.exe:3968 makes changes in the system registry.
The VirTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\4005ebe6949d4716022c068df098f460_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\4005ebe6949d4716022c068df098f460_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The VirTool modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses before DNS is consulted.
The modified file is 875 bytes in size. The following entry is added to the hosts file:
IP | Hostname |
---|---|
127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: Microsoft Open XML Converter
Product Version: 1.2.0.6
Legal Copyright: (c) 2006 Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: USD250k_SWIFT_HK_IRAN.exe
Internal Name: USD250k_SWIFT_HK_IRAN.exe
File Version: 1.2.0.6
File Description: moc
Comments: Microsoft Open XML Converter
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 255396 | 258048 | 5.41746 | 3a721ada942770799e45e82555f53bcb |
.rsrc | 270336 | 5512 | 8192 | 2.44755 | 9106e4b92b57aa0cf2bcd5dd499dc1fd |
.reloc | 278528 | 12 | 4096 | 0.009099 | 2d9c4db18aad171b0748d73232eb95e3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://checkip.dyndns.com/ | |
checkip.dyndns.org | |
smtp.yandex.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
Traffic
GET / HTTP/1.1
Host: checkip.dyndns.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 106

<html><head><title>Current IP Check</title></head><body>Current IP Address: 194.242.96.226</body></html>....
The VirTool connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3320
- Delete the original VirTool file.
- Delete or disinfect the following files created/modified by the VirTool:
C:\Users\"%CurrentUserName%"\AppData\Roaming\zwn\zwn.exe (1425 bytes)
C:\Windows\System32\drivers\etc\hosts (11 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zwn" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\zwn\zwn.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.