Sat, 03/25/2017 - 03:00

Installer.Win32.InnoSetup.2_cfbb641242

Detections: not-a-virus:HEUR:AdWare.Win32.DealPly.gen (Kaspersky), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Installer, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: cfbb641242fd16c0a4ece6125b83ae85

SHA1: ee9b5e66c61503aec6b4401e01c53230c5bf24ec

SHA256: 72d8101ffa579d6f5d46bbda075f920cf2242907e4d9195982226e94f98786f4

SSDeep: 24576:BxikB7ylZTkJbMG/YLsVnFFufh01punC8xW/P4ZfR6qx+gn8jlxESlvcAb+Hpp:BgkmoJbHYIVnFFAh8f8xI8J6zBBx1eA

Size: 1255944 bytes

File type: EXE

Platform: WIN32

Entropy: Packed (whole-file verdict; the PE sections listed under Static Analysis are all low-entropy and account for well under 100 KB of the 1,255,944-byte file, so the verdict comes from the more than 1.1 MB appended after the last section, where Inno Setup stores its compressed installer payload)

PEID: BorlandDelphi30, UPolyXv05_v6

Company: Gatut

Created at: 1992-06-20 01:22:17 (the fixed link timestamp 0x2A425E19 that Borland Delphi linkers write into every binary, 1992-06-19 22:22:17 UTC shown in local time; not the real build date)

Analyzed on: Windows7 SP1 32-bit

Summary: Installer. An installation package.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es): none. The Installer injects its code into the following process(es): only its own process is listed, so no injection into a foreign process was recorded.

%original file name%.exe:264

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:264 makes changes in the file system.


The Installer creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bar7[1].png (1114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\CH_logo_new[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG_FS[1].jpg (15417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\css[1].css (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\KO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ID.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_tb.png (19 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Cazurazihiz[1].png (1301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\CS.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DA.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg2[1].jpg (6063 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\IE_logo_new[1].png (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AdobeFlash_32[1].png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EL.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp.CIS.part (723 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\BG[1].png (7834 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067C21.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\TR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logo_b[1].png (3614 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\truste[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logo[1].png (2793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\SV.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\FF_logo_new[1].png (845 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067B85.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FI.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ZH.locale (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_wi.png (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_V3-BG[1].jpg (4417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\run.vbs (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\osutils.vbs (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\bootstrap_8792.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp.CIS (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG[1].jpg (30738 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FS_BG[1].png (5283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Nininininon[1].png (90581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\IT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg1[1].jpg (39379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close.png (207 bytes)

The Installer deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067C21.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067B85.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\bootstrap_8792.html (0 bytes)
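The staging directories above are the most durable on-disk trace of this installer: Temp\inH4248373863 with its locale\*.locale set, css\sdk-ui\ tree and bootstrap_*.html, and Temp\in1CDA95C6 with a *_stp\ VBScript folder beside .CIS offer files. The .log files and bootstrap_8792.html are deleted before exit, so those only exist while the installer is running. The script below is an added example for this page, not Lavasoft's code: it looks for directories with that layout under a Temp folder. The directory-name rule (in followed by an uppercase alphanumeric run) and the two-trait threshold are heuristics chosen here, and the tree it scans is a constructed fixture; point scan_temp() at a real %LOCALAPPDATA%\Temp to use it on a host.

```python
r"""Locate installer staging directories of the kind this report records
under %LOCALAPPDATA%\Temp: an in<ID> directory holding a locale\*.locale
set, css\sdk-ui\ and bootstrap_*.html, or a *_stp\ subfolder with
VBScript plus *.CIS offer files.

Added example for this page; not Lavasoft's code. build_fixture()
creates a throwaway directory tree (constructed) so the script runs
offline. The name rule and MIN_INDICATORS are heuristics chosen here.
"""
import re
import tempfile
from pathlib import Path

# Both staging directories in the report are "in" followed by an uppercase
# alphanumeric run (inH4248373863, in1CDA95C6); lower-case names such as
# "install" do not match.
STAGING_NAME = re.compile(r"^in[0-9A-Z]{6,}$")
MIN_INDICATORS = 2  # report a directory only when several traits co-occur


def indicators(directory: Path) -> list:
    """Return the names of the report's file-layout traits found under directory."""
    rel = [
        p.relative_to(directory).as_posix().lower()
        for p in directory.rglob("*")
        if p.is_file()
    ]
    checks = [
        ("locale bundle", lambda r: r.startswith("locale/") and r.endswith(".locale")),
        ("sdk-ui css", lambda r: "css/sdk-ui/" in r),
        ("bootstrap html", lambda r: re.search(r"(^|/)bootstrap_\d+\.html$", r) is not None),
        ("*_stp VBScript", lambda r: "_stp/" in r and r.endswith(".vbs")),
        ("CIS offer file", lambda r: r.endswith(".cis") or r.endswith(".cis.part")),
    ]
    return [name for name, test in checks if any(test(r) for r in rel)]


def scan_temp(temp) -> list:
    """Scan the immediate children of temp and report suspicious staging directories."""
    findings = []
    for child in sorted(Path(temp).iterdir()):
        if child.is_dir() and STAGING_NAME.match(child.name):
            hits = indicators(child)
            if len(hits) >= MIN_INDICATORS:
                findings.append({"dir": child.name, "indicators": hits})
    return findings


def build_fixture() -> Path:
    """Constructed Temp tree: the two staging dirs from the report plus two decoys."""
    temp = Path(tempfile.mkdtemp(prefix="temp-fixture-"))
    files = [
        "inH4248373863/locale/EN.locale",
        "inH4248373863/css/sdk-ui/button.css",
        "inH4248373863/bootstrap_8792.html",
        "in1CDA95C6/3C390442_stp/run.vbs",
        "in1CDA95C6/3C390442_stp.CIS",
        "inABCDEF/readme.txt",       # decoy: name matches, contents do not
        "installer_cache/app.log",   # decoy: lower-case name, never matched
    ]
    for rel in files:
        path = temp / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("x")
    return temp


if __name__ == "__main__":
    for finding in scan_temp(build_fixture()):
        print(finding["dir"], "->", ", ".join(finding["indicators"]))
```

Requiring two traits keeps a lone `in...` directory with unrelated contents out of the results; the threshold is the knob to tune if the layout on a real host is only partially present.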

Registry activity

The process %original file name%.exe:264 makes changes in the system registry.


The Installer creates and/or sets the following values in the system registry. The HKLM\SOFTWARE\Microsoft\Tracing\..._RASAPI32 and ..._RASMANCS keys are written by the Windows RAS tracing facility for any process that loads rasapi32.dll (WinINet pulls it in); the key name is taken from the executable's file name, which in this sandbox run was the sample's MD5, so these keys record that the process did network I/O rather than any persistence. The Internet Settings changes are the WinINet connection settings the process used for its downloads; the deletions listed further down remove any ProxyServer, ProxyOverride and AutoConfigURL values that were set, so a user-configured proxy or PAC URL does not survive the run:

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): no child processes have been created, so only the installer itself needs to be closed if it is still running.
  2. Delete the original Installer file.
  3. Delete or disinfect the following files created/modified by the Installer:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bar7[1].png (1114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\CH_logo_new[1].png (922 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG_FS[1].jpg (15417 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\css[1].css (186 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Resume_Button.png (718 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button_Hover.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\KO.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ID.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_tb.png (19 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button_Hover.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\JA.locale (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Cazurazihiz[1].png (1301 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\CS.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DA.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg2[1].jpg (6063 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\IE_logo_new[1].png (1302 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AdobeFlash_32[1].png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NL.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\ProgressBar.png (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\checkbox.css (190 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EL.locale (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ES.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\main.css (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp.CIS.part (723 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\BG[1].png (7834 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\button-bg.png (131 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067C21.log (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\TR.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logo_b[1].png (3614 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\truste[1].png (200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logo[1].png (2793 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DE.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PT.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\SV.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\FF_logo_new[1].png (845 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FR.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Quick_Specs.png (221 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067B85.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\sponsored.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NO.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FI.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg2.png (978 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Icon_Generic.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Progress.png (104 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ZH.locale (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PL.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_wi.png (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_V3-BG[1].jpg (4417 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Pause_Button.png (577 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\browse.css (337 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\run.vbs (147 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\button.css (417 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\osutils.vbs (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\form.bmp.Mask (244 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\progress-bar.css (506 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\bootstrap_8792.html (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\ie6_main.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EN.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close_Hover.png (207 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\RU.locale (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG[1].jpg (30738 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FS_BG[1].png (5283 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\csshover3.htc (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\BG.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Nininininon[1].png (90581 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Loader.gif (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\IT.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg1[1].jpg (39379 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close.png (207 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Gatut
Product Name: Lac
Product Version: 3.7.9
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Lac Setup
Comments: This installation was built with Inno Setup.
Language: German (Germany)


PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
CODE     4096             40240         40448     4.59279  cd69ad1ce8f5c40699b55e1a9b23e828
DATA     45056            592           1024      1.90942  beee52f18301950f82460d9ffe5aec7e
BSS      49152            3728          0         0        d41d8cd98f00b204e9800998ecf8427e
.idata   53248            2384          2560      3.07115  bb5485bf968b970e5ea81292af2acdba
.tls     57344            8             0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata   61440            24            512       0.14174  9ba824905bf9c7922b6fc87a38b74366
.reloc   65536            2244          0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc    69632            11264         11264     3.17321  aaaed3c366d61391e53d1fafdb25f30f
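Reading this table: the highest section entropy is 4.59 (CODE) and every section is small, so the sections alone do not explain the summary's "Packed" verdict. They account for well under 100 KB of a 1,255,944-byte file; the rest is appended after the last section, which is where Inno Setup keeps its compressed installer payload. The 1992 timestamp in the summary is likewise the fixed value Delphi linkers write, not a build date. The script below is an added example for this page, not Lavasoft's or Inno Setup's code: it parses the COFF header and section table, computes per-section entropy and the size of the appended data, and flags the Delphi timestamp. It runs on a minimal PE constructed in memory by build_sample_pe(), whose sizes are illustrative; the 7.0 bits/byte "packed" threshold is a rule of thumb chosen here.

```python
"""Static triage of a PE file: per-section entropy, size of the data
appended after the last section (overlay), and the Delphi link timestamp.

Added example for this page; not Lavasoft's or Inno Setup's code.
build_sample_pe() constructs a minimal PE in memory so the script runs
offline; its numbers are illustrative, not the analyzed sample's.
"""
import math
import random
import struct

# Delphi linkers write this fixed TimeDateStamp (1992-06-19 22:22:17 UTC)
# into every binary, which is why the report's "Created at" says 1992.
DELPHI_TIMESTAMP = 0x2A425E19
PACKED_ENTROPY = 7.0  # rule-of-thumb threshold chosen here


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table; compute entropy and overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size
    sections, end_of_data = [], 0
    for i in range(nsec):
        # IMAGE_SECTION_HEADER starts: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData (40 bytes per entry)
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(entropy(body), 5),
        })
        end_of_data = max(end_of_data, raw_ptr + raw_size)
    return {
        "timestamp": ts,
        "delphi_timestamp": ts == DELPHI_TIMESTAMP,
        "sections": sections,
        "overlay_size": max(0, len(data) - end_of_data),
        "file_size": len(data),
    }


def triage(data: bytes) -> list:
    """Findings an analyst wants before sandboxing, as plain strings."""
    info = parse_pe(data)
    notes = []
    if info["delphi_timestamp"]:
        notes.append("TimeDateStamp is the fixed Delphi linker value, not a build date")
    for s in info["sections"]:
        if s["entropy"] >= PACKED_ENTROPY:
            notes.append(f"section {s['name']} entropy {s['entropy']} suggests packed/compressed code")
    if info["overlay_size"]:
        pct = 100 * info["overlay_size"] / info["file_size"]
        notes.append(f"{info['overlay_size']} bytes ({pct:.0f}% of file) appended after the last section")
    return notes


def build_sample_pe() -> bytes:
    """Constructed PE: a repetitive CODE section, an empty DATA section, 4 KiB random overlay."""
    opt_hdr = bytes(224)                         # PE32 optional header, zeroed; not parsed here
    code = bytes(range(64)) * 8                  # 512 bytes over 64 symbols -> entropy exactly 6.0
    layout = [(b"CODE", 0x1000, code), (b"DATA", 0x2000, b"")]
    hdr_end = 0x40 + 4 + 20 + len(opt_hdr) + 40 * len(layout)
    first_raw = (hdr_end + 511) // 512 * 512     # 512-byte file alignment
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), DELPHI_TIMESTAMP, 0, 0, len(opt_hdr), 0x0102)
    headers, bodies, raw_ptr = b"", b"", first_raw
    for name, va, body in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body) or 4, va, len(body),
                               raw_ptr if body else 0, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_ptr += len(body)
    image = dos + b"PE\0\0" + coff + opt_hdr + headers
    image += bytes(first_raw - len(image)) + bodies
    rng = random.Random(2017)                    # deterministic stand-in for a compressed payload
    return image + bytes(rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print("-", line)
```

On a real sample the overlay size is the number to look at first: an installer whose sections are a few tens of kilobytes but whose file is over a megabyte is carrying its real content outside the section table, which is exactly what a section-entropy or PEiD signature check cannot see.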

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker: total found 72 (26 listed below)
d5ff36f584b97bdcc49a6d362f380942
740a7d7dfc598cecc27db1d2e5debb6a
6aa59f6087ae640d5f313e326ece9552
8f5a53dee454fc6c92fa628c5e85ecd7
c93329add844a78d22d56c5659e45da0
e3385335b36211739484123c27f2267b
abfc5b122ff97d787f5da49fd5c7b329
ff535bf777204d1a1ba2a08d4a214765
7aebe85eacb1510193662bf5c1ee2bfd
eb306d047c53a3e403715de16ca6fb80
df91873c18e56e4bb64ffe51ee4494f5
aa103dcef46351a9081459f3a0744ec7
e0b9b584bc9f464a54f30bcf52cdbe89
0e43fb20b5c474c70b59ba4582163167
3f32ee503a7f5e3118e6a753a9484ecc
39c8fd353849f1a4c0dfd523b6d4a7db
3b78790b3b608e68be4de745fce1dfe7
168d977d0ad5ca3eede5edc261dcae3c
5253478b876893bed43d41e200e86b3c
52848e1e149ce89b1933f623e55c7c79
880b3720515f833b2caea0362a8e3ea6
c7edde7529e8061e06058a2dc15eb0ce
c1ee754f4c7375ceada6a8d69dbe7785
97043e8abc96316f5620281869f62802
7a8e31c4fae093319af45a1d57fb1792
81a5301ef480a7fea7490394bf924f4d

Network Activity

URLs

URL                                                                                     IP
hxxp://rp.conicono.com/                                                                 52.30.226.196
hxxp://info.conicono.com/?ttulex=0                                                      176.34.130.130
hxxp://os.conicono.com/CoinisRevShare/                                                  52.213.148.235
hxxp://s3-1-w.amazonaws.com/icons/lps/images/icons/AdobeFlash_32.png
hxxp://googleadapis.l.google.com/css?family=Open Sans
hxxp://cdneu.conicono.com/ofr/Solululadul/osutils.cis                                   95.211.184.67
hxxp://img.conicono.com/img/Malaromoro/bg2.jpg                                          50.115.122.45
hxxp://cdnus.conicono.com/ofr/Solululadul/osutils.cis                                   199.58.87.155
hxxp://img.conicono.com/img/Malaromoro/bg1.jpg                                          50.115.122.45
hxxp://img.conicono.com/img/Tuburera/logo.png                                           50.115.122.45
hxxp://img.conicono.com/img/Tuburera/truste.png                                         50.115.122.45
hxxp://img.conicono.com/img/Tuburera/bar7.png                                           50.115.122.45
hxxp://img.conicono.com/img/Tuburera/logo_b.png                                         50.115.122.45
hxxp://img.conicono.com/img/Rewudaw/BG.jpg                                              50.115.122.45
hxxp://img.conicono.com/img/Rewudaw/BG_FS.jpg                                           50.115.122.45
hxxp://img.conicono.com/img/IE_logo_new.png                                             50.115.122.45
hxxp://img.conicono.com/img/FF_logo_new.png                                             50.115.122.45
hxxp://img.conicono.com/img/CH_logo_new.png                                             50.115.122.45
hxxp://img.conicono.com/img/Cazurazihiz/Cazurazihiz.png                                 50.115.122.45
hxxp://img.conicono.com/img/Nininininon/Nininininon.png                                 50.115.122.45
hxxp://img.conicono.com/img/Fividof/BG.png                                              50.115.122.45
hxxp://img.conicono.com/img/Fividof/FS_BG.png                                           50.115.122.45
hxxp://img.conicono.com/img/Xoxoxop/1_V3-BG.jpg                                         50.115.122.45
hxxp://fonts.googleapis.com/css?family=Open Sans                                        172.217.20.170
hxxp://instcoina38q6v9z2k.s3.amazonaws.com/icons/lps/images/icons/AdobeFlash_32.png     54.231.114.138

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Installer connects to the servers at the following location(s):

Strings from Dumps