Trojan-PSW.Win32.Zbot_6e4e48dc7c

by malwarelabrobot on July 7th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.1712762 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 6e4e48dc7c1e25ec82424f9b4ea47f28
SHA1: 8f65df3775fbf49e65f49a2dc9981216354df159
SHA256: fd16c1d1c1764e4e8fe5b0a792279304ad1176419fbfaad82745c9bb1e913788
SSDeep: 12288:mOaqTqVVcW9glevA7vAYtdZcrVDCuuwi0x:lTDWCeEAkdZcrNCuuwi0
Size: 429056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-10 14:48:41
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

quug.exe:2548
tmp.exe:3720
.exe:1172
%original file name%.exe:2576

The Trojan-PSW injects its code into the following process(es):

Explorer.EXE:1948

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process tmp.exe:3720 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Vetuel\quug.exe (141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp03baa6a1.bat (213 bytes)

The process %original file name%.exe:2576 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ .exe (35 bytes)
%System%\drivers\etc\hosts (216 bytes)

Registry activity

The process quug.exe:2548 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 B9 59 E9 8C 73 75 05 25 7D AB 26 85 8E A8 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process tmp.exe:3720 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 AA 04 1A 82 46 4B 89 B2 8A 8E 55 BD E8 9A 25"

[HKCU\Software\Microsoft\Gequhu]
"Ysti" = "EC 98 78 48 7B A8 A6 2A A0 90 E0 D4 9B 32 B4 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process .exe:1172 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 3E 25 14 4D 35 97 F9 72 A2 6F AC 01 F5 95 81"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:2576 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 29 B6 4E FB A7 0D 47 E5 7F AC CB 64 22 85 06"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"tmp.exe" = "tmp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Gequhu]
"Ysti" = "EC 98 78 48 7B A8 A6 2A A0 90 E0 D4 9B 32 B4 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5 File path
ea7758700ae80579bc07defb1129497d c:\Documents and Settings\"%CurrentUserName%"\Application Data\Vetuel\quug.exe
e0d21bee6dae44a7c6e1896d7a8c7463 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ .exe

HOSTS file anomalies

The Trojan-PSW modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 216 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com


Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan-PSW installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

Company Name: grtrading
Product Name: grtrading
Product Version: 1.0.0.0
Legal Copyright: 3487443
Legal Trademarks: grtrading
Original Filename: force.exe
Internal Name: force.exe
File Version: 1.0
File Description: receipt
Comments: Þscription%
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.rsrc 8192 5312 5632 2.99546 83c3500efa89bccdd0d13316d27d7cca
.text 16384 422168 422400 5.25796 46f9d7a7d4c2463391e7687413e5dec0
.reloc 442368 12 512 0.084755 0c2499b5f0b897f09d226af40b0979a5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan-PSW connects to the servers at the folowing location(s):

Explorer.EXE_1948_rwx_01100000_00027000:

.text
`.data
.reloc
http://www.google.com/webhp
PR_OpenTCPSocket
ORZ[UZj_%STO
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
: ;2*8.>
3.#70!2)
x#m`a`cmddt-
6 !26!1'1
7"52),,>
;<)?$*%,
71.(5;4=
(203,2$0
/?./,5 <
:>(<<44=3%
8%/<8/?)?/
%/>!
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
http://
https://
HTTP/1.
SSSh,4
GetProcessHeap
KERNEL32.dll
SetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
MapVirtualKeyW
GetKeyboardState
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHDeleteKeyW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
6 6&6/656{6
cGlobal\XXX
nspr4.dll
nss3.dll
SysShadow
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
%Documents and Settings%\%current user%\Application Data\Uncu\isluq.qey
%Documents and Settings%\%current user%\Application Data\Uncu
isluq.qey
Global\{6B8FD7C2-0BD2-D9FA-CE37-AE2463C2A454}
%Documents and Settings%\%current user%\Application Data
{FDF465E7-B9F7-4F81-CE37-AE2463C2A454}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    quug.exe:2548
    tmp.exe:3720
    .exe:1172
    %original file name%.exe:2576

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Application Data\Vetuel\quug.exe (141 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp03baa6a1.bat (213 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (141 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ .exe (35 bytes)
    %System%\drivers\etc\hosts (216 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.