- // #MalwareMustDie! Trojan AutoIT (v3 Script)/UPX Packed
- // Trojan backdoor with process injection.
- // Attempts to connect to a Russian Federation IP, 37.0.122.139, via FTP.
- // British (English UK) character-set/locale environment detected in compile traces.
- // Source: unknown / sample received via an MMD dropbox analysis request.
- File: ./sample.exe
- Size: 2165176 bytes
- Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- MD5: 53e6b2c539939cfd0a3dd928da5470c4
- SHA1: 74c033243e0e73016b274e0323ad2f99062d3640
- Date: 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
- EP: 0x4c2e80 UPX1 1/3 [SUSPICIOUS]
- CRC: Claimed: 0x0, Actual: 0x219f6b [SUSPICIOUS]
- // Compilation..
- CompiledScript: AutoIt v3 Script: 3, 3, 8, 1
- FileVersion: 3, 3, 8, 1
- FileDescription:
- Translation: 0x0809 0x04b0
- Compilation timestamp 2012-01-29 21:32:28
- Link date 10:32 PM 1/29/2012
- // PE resources by language
- ENGLISH UK 17
- ENGLISH US 2
- // Packer..
- UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]
- UPX -> www.upx.sourceforge.net - additional
- Sect. Name: UPX0
- MD5 hash: d41d8cd98f00b204e9800998ecf8427e
- SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
- Sect. Name: UPX1
- MD5 hash: 4c66c69384c417c7b84c11e4868e3bc6
- SHA-1 hash: 06e7ac8e467c7f463ebff777d7306e6c5d6e10
- // File and URL:
- FILE: ICMP.DLL
- FILE: Windows.Com
- FILE: KERNEL32.DLL
- FILE: ADVAPI32.dll
- FILE: COMCTL32.dll
- FILE: COMDLG32.dll
- FILE: GDI32.dll
- FILE: MPR.dll
- FILE: ole32.dll
- FILE: OLEAUT32.dll
- FILE: PSAPI.DLL
- FILE: SHELL32.dll
- FILE: USER32.dll
- FILE: USERENV.dll
- FILE: VERSION.dll
- FILE: WININET.dll
- FILE: WINMM.dll
- FILE: WSOCK32.dll
- URL: None
- // HIGHLY SUSPICIOUS API CALLS*
- Func. Name: FtpOpenFileW
- Func. Name: IsDebuggerPresent
- // VT Verdict..
- VirusTotal: https://www.virustotal.com/en/file/7f765c1797094298050b1d4e112c54bfe7e674747647589c34ec9c64bf50b00f/analysis/
- SHA256:7f765c1797094298050b1d4e112c54bfe7e674747647589c34ec9c64bf50b00f
- SHA1: 74c033243e0e73016b274e0323ad2f99062d3640
- MD5: 53e6b2c539939cfd0a3dd928da5470c4
- File size: 2.1 MB ( 2165176 bytes )
- File name: 53e6b2c539939cfd0a3dd928da5470c4
- File type: Win32 EXE
- Tags: peexe
- Detection ratio: 25 / 47
- Analysis date: 2013-06-09 10:12:07 UTC ( 2 weeks, 5 days ago )
- First submission 2013-06-07 09:36:10 UTC ( 3 weeks ago )
- Last submission 2013-06-09 10:12:07 UTC ( 2 weeks, 5 days ago )
- File names 74C033243E0E73016B274E0323AD2F99062D3640.exe
- 53e6b2c539939cfd0a3dd928da5470c4
- malekal_53e6b2c539939cfd0a3dd928da5470c4
- MicroWorld-eScan : Trojan.Generic.9225695
- nProtect : Trojan.Generic.9225695
- McAfee : Artemis!53E6B2C53993
- Malwarebytes : Trojan.Agent.AI
- TheHacker : Backdoor/Poison.etvb
- Norman : Troj_Generic.LVWBV
- ESET-NOD32 : a variant of Win32/Injector.Autoit.JX
- TrendMicro-HouseCall : TROJ_GEN.RCBB1F9
- Avast : AutoIt:MalOb-AA [Trj]
- Kaspersky : Trojan.Win32.Inject.fmkj
- BitDefender : Trojan.Generic.9225695
- Sophos : Mal/Generic-S
- Comodo : UnclassifiedMalware
- F-Secure : Trojan.Generic.9225695
- DrWeb : BackDoor.Blackshades.17
- VIPRE : Trojan.Win32.Generic.pak!cobra
- AntiVir : TR/Inject.fmkj.4
- McAfee-GW-Edition : Artemis!53E6B2C53993
- Emsisoft : Trojan.Generic.9225695 (B)
- GData : Trojan.Generic.9225695
- Commtouch : W32/GenBl.53E6B2C5!Olympus
- Ikarus : Trojan-PWS.Win32.Skyper
- Fortinet : W32/Inject.FMKJ!tr
- AVG : Generic8_c.AGMN
- Panda : Trj/CI.A
- // Injection Process:
- PID: 0x2b0
- Image Name: lsass.exe
- // registry:
- HKEY_CURRENT_USER\Control Panel\Mouse
- HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
- HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
- HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
- HKEY_CLASSES_ROOT\Directory
- HKEY_CLASSES_ROOT\Directory\CurVer
- HKEY_CLASSES_ROOT\Directory\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
- HKEY_CLASSES_ROOT\Directory\\Clsid
- HKEY_CLASSES_ROOT\Folder
- HKEY_CLASSES_ROOT\Folder\Clsid
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
- HKEY_CLASSES_ROOT\.
- HKEY_CLASSES_ROOT\SystemFileAssociations\.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
- // secondary mount point drive detected..
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\
- // files:
- // drives...
- IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
- MountPointManager
- STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
- // noted...
- C:\WINDOWS\system32\msctfime.ime
- // here come the "floods.."
- // mutex
- CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
- ShimCacheMutex
- // Networking
- Attempt (FAILED) to connect to host at IP 37.0.122.139 via FTP.
- Network:
- ASN | Prefix | ASName | CN | Domain | ISP of the IP address
- 198310 | 37.0.120.0/21 | PALLADA | Russian Federation | PW-SERVICE.COM | PALLADA WEB SERVICE LLC
- ---
- #MalwareMustDie!