Mon, 03/27/2017 - 03:00

Win32.Bolik.Gen_17b6efc780

Win32.Bolik.Gen (B) (Emsisoft), Win32.Bolik.Gen (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS) Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: 17b6efc780fb4c7513be2c55ae20f50f

SHA1: c4a80d79b5751688e90a0f3096fdc10722a63aef

SHA256: 971c174e818da11f60795e981088c4cd8484d895f4057ad2a0ad496bd5f3b11c

SSDeep: 24576:8lqFl95UHNPJMrjG5 WdK1npBkkCtbK0/SIpG8sYawKIEoRaD4tr:8y9iNRM25 WQJ7kkYm0vx7eInFB

Size: 1117048 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-09-12 17:26:02

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Efnio.exe:1712

The Trojan injects its code into the following process(es):

wininit.exe:360
%original file name%.exe:1804

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process Efnio.exe:1712 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\Ahgymevyisa\USERENV.dll (126 bytes)

The process %original file name%.exe:1804 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\kl-setup-2017-03-26-04-00-13.log (1302 bytes)

Registry activity

Dropped PE files

MD5                               File path
0facc053baff107027cbd1f48885fd4a  c:\Windows\System32\Ahgymevyisa\Efnio.exe
2b379fcf9e1a20f2e9c8a6347eb159d6  c:\Windows\System32\Ahgymevyisa\USERENV.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Efnio.exe:1712

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\Ahgymevyisa\USERENV.dll (126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\kl-setup-2017-03-26-04-00-13.log (1302 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ??????????? ???????????
Product Name: Kaspersky Installer
Product Version: 1.0.7.25
Legal Copyright: (c) ??? "??????????? ???????????", 2012
Legal Trademarks: ?????????????????? ???????? ????? ? ????? ???????????? ???????? ?????????????? ?? ????????????????
Original Filename: Setup
Internal Name:
File Version: 1.0.7.25
File Description: Kaspersky Installer [1.0.7.25]
Comments:
Language: English (United States)


PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             249657        249856    4.56053  53f5d7b508a8908170a3dc37871429e7
.rdata  253952           62392         62464     3.24223  ad9483fde5115ef715d81d446add029b
.data   319488           16444         8192      2.74359  984c2099ddbdd615a52e47ff0d860344
.rsrc   339968           766424        766464    5.35534  ae2dee6c58ec927dadb5d00bc5bec49e
.reloc  1110016          12766         12800     4.38833  19906692eb652d6eae2bb20166a09e26

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL                      IP
hxxp://91.215.154.155/

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps