Sat, 03/25/2017 - 03:00

Gen.Variant.Graftor.311803_be458ac03e

Gen:Variant.Graftor.311803 (B) (Emsisoft), Gen:Variant.Graftor.311803 (AdAware), Trojan.Win32.Bumat.FD, BankerGeneric.YR (Lavasoft MAS) Behaviour: Banker, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: be458ac03e8a052eb6c6dc4e130de44c

SHA1: e74ecca94abd90d476fa7c1049d29332880d66ad

SHA256: 97174f4c5dd3fc70aa6cd2184caf741f62a1d2fc961ba47b1249ee9ebc4a1afe

SSDeep: 98304:o7P0en3FnGnyh32jjwrV OjkQS7VFTGQA:s0enGnyhGaVBZSnW

Size: 3848448 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-10-19 16:00:08

Analyzed on: Windows7 SP1 32-bit

Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:2936

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:2936 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2936 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: www.GameModding.net
Product Name: ModInstall
Product Version: 1.0.0.0
Legal Copyright: www.GameModding.net
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.1.0.0
File Description: ModInstall 3.0
Comments:
Language: English (United States)

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             2793472       0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   2797568          1265664       1263104   5.49643  0f963dff62ce59a79601d7439af4adf0
.rsrc  4063232          77824         74752     2.13349  cb8e70395f39a703d3e200112f50a8fb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 713

Network Activity

URLs

URL  IP
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon  172.217.20.174
hxxp://crl.geotrust.com/crls/secureca.crl  23.43.133.163
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==  23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=  23.43.139.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY  172.217.20.174
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK  172.217.20.174
ssl.google-analytics.com  172.217.20.168

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps