Hello forum members,
I urgently need your help! Yesterday I caught a trojan. The mail came from a trusted e-mail address with a zip attachment. Had Norton scan it. All green. Unpacked the file and saw that it was a PDF. Also all green. Then, on opening it, the catastrophe. Not a PDF, but a program at work. Afterwards I ran Norton Eraser and a full Norton scan. No threat found. Spy&Robot also found nothing. Still, it gave me no peace, and I searched for the file on the internet and, lo and behold, a trojan. The file is called 1404UT_TPL_screen.
Below you will find the info I found on the net (sparse, sparse). My questions to you now:
1. What does the program do?
2. How do I get rid of it again? I deleted the file with Eraser, as well as the file Goviewer.exe that it installed. Reset the system to an old restore point. Ran Norton and Spy&Robot over it again. Nothing, but the suspicion remains.
So I need help, help, help.
And here is the info I found:
Source: https://www.hybrid-analysis.com (full report: https://www.hybrid-analysis.com/sample/a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3/?environmentId=2)

Malicious (5)

General
- Sample was identified as malicious by at least one Antivirus engine
  Details (based on Anti-Virus Test Result):
    2/56 Antivirus vendors marked sample as malicious (3% detection rate)

Installation/Persistance
- Writes data to a remote process
  Details (based on API Call):
    "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" wrote 32 bytes to a foreign process "Goviewer.exe" (PID: 00002312)
    "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" wrote 52 bytes to a foreign process "Goviewer.exe" (PID: 00002312)
    "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" wrote 4 bytes to a foreign process "Goviewer.exe" (PID: 00002312)
    "Goviewer.exe" wrote 32 bytes to a foreign process "AcroRd32.exe" (PID: 00002400)
    "Goviewer.exe" wrote 52 bytes to a foreign process "AcroRd32.exe" (PID: 00002400)
    "Goviewer.exe" wrote 4 bytes to a foreign process "AcroRd32.exe" (PID: 00002400)

Anti-Detection/Stealthyness
- Queries/modifies the internet cache settings (often used to hide footprints in index.dat or internet cache)
  Details (based on Registry Access):
    "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE", Key: "SCAVENGECACHEFILELIMIT")
    "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE", Key: "SCAVENGECACHEFILELIMIT")
    "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "DISABLECACHINGOFSSLPAGES")
    "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSHTTPNOCACHECHECK")
    "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSHTTPNOCACHECHECK")
    "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSSSLNOCACHECHECK")
    "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSSSLNOCACHECHECK")

System Security
- Allocates virtual memory in foreign process
  Details (based on API Call):
    "Goviewer.exe" allocated 00000088 bytes of memory in "AcroRd32.exe" (Protection: "read/write")
  Further details (based on Registry Access):
    "Goviewer.exe" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
    "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
    "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
    "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
    "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
    "AcroRd32.exe" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
    "AcroRd32.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
    "AcroRd32.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
Suspicious (20)

General
- Reads configuration files
  Details (based on API Call):
    "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" read file "C:\Windows\win.ini"
    "Goviewer.exe" read file "C:\Windows\win.ini"
    "Goviewer.exe" read file "C:\Users\desktop.ini"
    "Goviewer.exe" read file "C:\Users\PSPUBWS\Desktop\desktop.ini"
    "Goviewer.exe" read file "C:\Users\PSPUBWS\Searches\desktop.ini"
    "Goviewer.exe" read file "C:\Users\PSPUBWS\Videos\desktop.ini"
    "Goviewer.exe" read file "C:\Users\PSPUBWS\Pictures\desktop.ini"

Pattern Matching
- Code classification distribution is known to appear in malware
  Details (based on TrID evaluation):
    TrID distribution is very similar to the "CTB-Locker" family (e.g. SHA256: cbba56bd16222191f1468a1d93b63945394371cfb9ffe38f34a9575c5655e57a)

Unusual Characteristics
- Contains native function calls
  Details (based on StaticStream (Disassembly)):
    NtSetSystemInformation@NTDLL.DLL at 00153640-00002312-777F228D-160542
  Further details (based on Created Mutant):
    "Local\WininetStartupMutex"
    "Local\WininetConnectionMutex"
    "Local\WininetProxyRegistryMutex"
  Further details (based on Static Parser):
    GetStartupInfoA
    LoadLibraryW
    GetModuleHandleA
  Further details (based on Registry Access):
    "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "DE-DE")
    "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "DE-DE")
    "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")

Installation/Persistance
- Monitors specific registry key for changes
  Details (based on API Call):
    "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1, Subtree: 2147483648)
    "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1, Subtree: 2147483648)
    "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\AcroRd32_RASAPI32" (Filter: 14, Subtree: 2147483648)
    "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\AcroRd32_RASMANCS" (Filter: 14, Subtree: 2147483648)
    "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4, Subtree: 2147483648)
    "AcroRd32.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\Root" (Filter: 5, Subtree: 1)
    "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5, Subtree: 1)
  Further details (based on Registry Access):
    "Goviewer.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS", Key: "", Value: "")
    "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS", Key: "", Value: "")
  Further details (based on StaticStream (Disassembly)):
    recv@WS2_32.DLL at 00160991-00002400-777F228D-176423
    recvfrom@WS2_32.DLL at 00160991-00002400-777F228D-176424
    InternetReadFile@WININET.DLL at 00160991-00002400-777F228D-189091
  Further details (based on Dropped File):
    "Goviewer.exe.153610" has type "PE32 executable (GUI) Intel 80386, for MS Windows"

Anti-Detection/Stealthyness
- Contains ability to open a service
  Details (based on StaticStream (Disassembly)):
    OpenServiceA@SECHOST.DLL at 00160991-00002400-777F228D-177041

Environment Awareness
- Contains ability to query the machine version
  Details (based on StaticStream (Disassembly)):
    RasRpcGetVersion@RASMAN.DLL at 00160991-00002400-777F228D-176983
  Further details (based on Registry Access):
    "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")

Spyware/Information Retrieval
- Accesses potentially sensitive information from local browsers
  Details (based on Touched Handle):
    "Goviewer.exe" had access to "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\Local\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")
    "AcroRd32.exe" had access to "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\Local\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")

Ransomware/Banking
- Checks warning level of secure to non-secure traffic redirection
  Details (based on Registry Access):
    "Goviewer.exe" (Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "WARNONHTTPSTOHTTPREDIRECT")

Network Related
- Found potential URL in binary/memory
  Details (based on String):
    "http://notepad-plus-plus.org/"
  Further details (based on StaticStream (Disassembly)):
    listen@WS2_32.DLL at 00160991-00002400-777F228D-176421
    RasPortListen@RASMAN.DLL at 00160991-00002400-777F228D-176921

System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  Details (based on API Call):
    "AcroRd32.exe" opened "\Device\KsecDD"

System Destruction
- Marks file for deletion
  Details (based on API Call):
    "C:\Users\PSPUBWS\AppData\Local\Temp\Goviewer.exe" marked "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QA0UPEJW\checkip_dyndns_org[1].htm" for deletion
    "C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe" marked "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal" for deletion
  Further details (based on API Call):
    "Goviewer.exe" opened "C:\Users\PSPUBWS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QA0UPEJW\checkip_dyndns_org[1].htm" with delete access
    "AcroRd32.exe" opened "C:\Users\PSPUBWS\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal" with delete access
    "AcroRd32.exe" opened "C:\Users\PSPUBWS\AppData\Local\Adobe\Acrobat\11.0\AdobeFnt14.lst.2400" with delete access
Informative (7)

General
- Creates mutants
  Details (based on Created Mutant):
    "IESQMMUTEX_0_208"
    "Local\_!MSFTHISTORY!_"
    "Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
    "Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
    "Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
    "Local\WininetStartupMutex"
    "Local\WininetConnectionMutex"
    "Local\WininetProxyRegistryMutex"
    "Local\ZonesCounterMutex"
    "Local\ZoneAttributeCacheCounterMutex"
  Further details (based on Loaded Module):
    "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" loaded module "C:\Windows\system32\RICHED32.dll" at 72200000
    "Goviewer.exe" loaded module "C:\Windows\system32\RICHED32.dll" at 72200000
  Further details (based on API Call):
    "Goviewer.exe" loaded module "IPHLPAPI.DLL" at base 74EB0000
    "Goviewer.exe" loaded module "URLMON.DLL" at base 75C00000
    "Goviewer.exe" loaded module "VERSION.DLL" at base 74ED0000
    "Goviewer.exe" loaded module "C:\WINDOWS\SYSTEM32\FWPUCLNT.DLL" at base 724F0000
    "Goviewer.exe" loaded module "SHELL32.DLL" at base 76710000
    "Goviewer.exe" loaded module "OLE32.DLL" at base 77630000
    "Goviewer.exe" loaded module "PROPSYS.DLL" at base 746A0000
    "Goviewer.exe" loaded module "COMCTL32.DLL" at base 747E0000
  Further details (based on API Call):
    "GetAdapterIndex@iphlpapi.DLL"
    "CoInternetCreateSecurityManager@urlmon.dll"
    "CoInternetCreateZoneManager@urlmon.dll"
    "CoInternetIsFeatureEnabledForUrl@urlmon.dll"
    "GetUserNameExW@SspiCli.dll"
    "DnsFree@dnsapi.DLL"
    "NamespaceCallout@fwpuclnt.dll"
    "NtSetSystemInformation@ntdll.dll"
    "SHGetInstanceExplorer@shell32.dll"
    "PSCreateMemoryPropertyStore@PROPSYS.dll"
  Further details (based on API Call):
    "Goviewer.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\logB22D.log"
    "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB4.tmp"
    "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB5.tmp"
    "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB6.tmp"
    "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB7.tmp"
    "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB8.tmp"
    "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB9.tmp"

Installation/Persistance
- Contains ability to lookup the windows account name
  Details (based on StaticStream (Disassembly)):
    GetUserNameExW@SSPICLI.DLL at 00153640-00002312-777F228D-159215
  Further details (based on Dropped File):
    "Goviewer.exe.153610" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
    "logB22D.log.153340" has type "data"
    "viagra.pdf.160520" has type "PDF document, version 1.3"
    "vikuc[1].png.160410" has type "data"
    "checkip_dyndns_org[1].htm.159399" has type "HTML document, ASCII text, with CRLF line terminators"
File Details
  Filename: 1404UK_TPL_screen.exe
  Size: 29KiB (29696 bytes)
  Type: PE32 executable (GUI) Intel 80386, for MS Windows
  Architecture: 32 Bit
  MD5: 622837d62e396098cb9925f5b1e4c763
  SHA1: c7a2b636f5777a4fe2193425c34f5929dfcc546d
  SHA256: a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3
  SHA512: dc1380f12b6f2cb30a2b8813608992c7c9214f444497c06f2e4233fa5271289d66cb2003077e6132ff325af0954714f9bbda731f6ddb8e293ab6abd2417ad3d5
  SSDEEP: 384:wnMS28LqA9sddG4bQjAEKVzYzsro8NXyhf6hjXwgyPQAAAAAAz1T72V:SMSz39+d/3EWQR8N8f6hjAPm1
  IMPHASH: 68c02398a41c216b9a8e20c599285018

Resources
  Language: ITALIAN,ENGLISH

Version Info
  LegalCopyright: Copyright 2007-2010 Mecohot Inc.
  InternalName: Mecohot Update
  FileVersion: 1.3.5.5
  CompanyName: Mecohot Inc.
  ProductName: Mecohot Update
  ProductVersion: 1.3.5.5
  FileDescription: Mecohot Installer
  OriginalFilename: MecohotInfo.exe
  Translation: 0x0410 0x04b1

Classification (TrID)
  - 43.5% (.DLL) Win32 Dynamic Link Library (generic)
  - 29.8% (.EXE) Win32 Executable (generic)
  - 13.2% (.EXE) Generic Win/DOS Executable
  - 13.2% (.EXE) DOS Executable Generic
  - 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)