Dropped.Generic.MSIL.PasswordStealerA.066D8F40_1d4670f5f7

by malwarelabrobot on April 19th, 2017 in Malware Descriptions.

Trojan-Dropper.Win32.Delf.efnz (Kaspersky), Dropped:Generic.MSIL.PasswordStealerA.066D8F40 (B) (Emsisoft), Dropped:Generic.MSIL.PasswordStealerA.066D8F40 (AdAware)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 1d4670f5f7021ef4a8c94e6da77a8664
SHA1: 9424b6716fa804c7c2afdc0a81d99de496c60aac
SHA256: 2e92426e39d0e31ad4d61f381d55f9c56e4b4d59b2804d0f424945a576722f3a
SSDeep: 98304:W2maRwMHcROZPSTTpFvi7nWwvxhBgERi8ul41hbKoq4xV1LBQdifUiz6og8VWkrl:WbNMXZYiTWwvtNRhh an1LWfiuoxVWkx
Size: 6882304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

%original file name%.exe:3852
xTSR-build.exe:2600

The Dropped injects its code into the following process(es):

Xtsr.exe:2264

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3852 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR.exe (1024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe (356 bytes)

The process xTSR-build.exe:2600 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Windows\System32\Xtsr\Xtsr.exe (2105 bytes)

The process Xtsr.exe:2264 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\logs\04-18-2017 (224 bytes)

Registry activity

The process %original file name%.exe:3852 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Dropped deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process xTSR-build.exe:2600 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\xTSR-build_RASMANCS]
"FileDirectory" = "%windir%\tracing"

To run itself automatically each time Windows boots, the Dropped adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Xtsr" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe"

The process Xtsr.exe:2264 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Xtsr_RASAPI32]
"MaxFileSize" = "1048576"

Dropped PE files

MD5 File path
332b2504d46960fa9c32bd486598337c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe
43fc44105e4540870e36f1ad49b55ca2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR.exe
332b2504d46960fa9c32bd486598337c c:\Windows\System32\Xtsr\Xtsr.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 5048 5120 4.39524 e5913936857bed3b3b2fbac53e973471
DATA 12288 124 512 0.77468 cef89de607e490725490a3cd679af6bb
BSS 16384 1685 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 20480 770 1024 2.41029 3d2f2fc4e279cba623217ec9de264c4f
.tls 24576 4 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 28672 24 512 0.138011 467f29e48f3451df774e13adae5aafc2
.reloc 32768 456 512 4.00868 9859d413c7408cb699cca05d648c2502
.rsrc 36864 6873352 6873600 5.51336 a31f2be118ec12ed2fb045cc0c202532

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ip-api.com/json/
teredo.ipv6.microsoft.com 157.56.106.189
update.minecraft-alex.ru 46.201.216.194
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Tue, 18 Apr 2017 09:20:09 GMT
Content-Length: 279
{"as":"AS31561 Pitline Ltd","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""}


GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Tue, 18 Apr 2017 09:20:04 GMT
Content-Length: 279
{"as":"AS31561 Pitline Ltd","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""}


The Dropped connects to the servers at the following location(s):

Xtsr.exe_2264_rwx_006B0000_0000E000:

.MmiX


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3852
    xTSR-build.exe:2600

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR.exe (1024 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe (356 bytes)
    C:\Windows\System32\Xtsr\Xtsr.exe (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\logs\04-18-2017 (224 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Xtsr" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xTSR-build.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
