Download hr utorrent com track stable endpoint utorrent os windows

uTorrent.exe

This report is generated from a file or URL submitted to this webservice on January 7th 2018 06:50:03 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.21 © Hybrid Analysis

Incident Response

Remote Access
Reads terminal service related keys (often RDP related)
Spyware
Accesses potentially sensitive information from local browsers
POSTs files to a webserver
Persistence
Interacts with the primary disk partition (DR0)
Modifies auto-execute functionality by setting/creating a value in the registry
Spawns a lot of processes
Writes data to a remote process
Fingerprint
Found a dropped file containing the Windows username (possible fingerprint attempt)
Queries firmware table information (may be used to fingerprint/evade)
Reads the active computer name
Reads the cryptographic machine GUID
Evasive
Executes WMI queries known to be used for VM detection
Possibly checks for the presence of an Antivirus engine
Spreading
Opens the MountPointManager (often used to detect additional infection locations)
Network Behavior
Contacts 26 domains and 23 hosts.

Additional Context

Related Sandbox Artifacts

Associated URLs
download.ap.bittorrent.com/track/stable/endpoint/utorrent/os/windows
hxxp://download.ap.bittorrent.com/track/stable/endpoint/utorrent/os/windows
hxxp://download-hr.utorrent.com/track/stable/endpoint/utorrent/os/windows

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

  • Malicious Indicators 17

  • Anti-Detection/Stealthiness
    • Queries firmware table information (may be used to fingerprint/evade)
      details
      "avast_free_antivirus_setup_online.exe" at 00040387-00003252-00000105-95367568
      "avast_free_antivirus_setup_online.exe" at 00040387-00003252-00000105-95367661
      "Instup.exe" at 00043587-00004012-00000105-99646572
      "Instup.exe" at 00043587-00004012-00000105-99646661
      "instup.exe" at 00047308-00004044-00000105-108487048
      "instup.exe" at 00047308-00004044-00000105-108487144
      source
      API Call
      relevance
      10/10
  • Environment Awareness
    • The input sample contains a known anti-VM trick
      details
      Found VM detection artifact "CPUID trick" in "866a8fb02c387b7160d43fb72cc5cfbc5acbb0df825be2f359727bafedc56d3a.exe.bin" (Offset: 125188)
      source
      Extracted File
      relevance
      5/10
  • External Systems
    • Detected Emerging Threats Alert
      details
      Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
      Detected alert "ET P2P BTWebClient UA uTorrent in use" (SID: 2012247, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
      Detected alert "ET P2P Bittorrent P2P Client User-Agent (uTorrent)" (SID: 2011706, Rev: 6, Severity: 1) categorized as "Potential Corporate Privacy Violation"
      source
      Suricata Alerts
      relevance
      10/10
    • Sample was identified as malicious by at least one Antivirus engine
      details
      2/67 Antivirus vendors marked sample as malicious (2% detection rate)
      source
      External System
      relevance
      8/10
  • General
    • The analysis extracted a file that was identified as malicious
      details
      1/73 Antivirus vendors marked dropped file "DevLib.dll" as malicious (classified as "WebCompanion.A potentially unwanted" with 1% detection rate)
      1/66 Antivirus vendors marked dropped file "uat_4012.dll" as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 1% detection rate)
      1/73 Antivirus vendors marked dropped file "WizardPages.dll" as malicious (classified as "WebCompanion.A potentially unwanted" with 1% detection rate)
      1/68 Antivirus vendors marked dropped file "21l0dsf1.yzl.exe" as malicious (classified as "WebCompanion.C potentially unwanted" with 1% detection rate)
      1/63 Antivirus vendors marked dropped file "WebCompanionInstaller.exe" as malicious (classified as "WebCompanion.C potentially unwanted" with 1% detection rate)
      1/66 Antivirus vendors marked dropped file "uat_4044.dll" as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 1% detection rate)
      source
      Extracted File
      relevance
      10/10
    • The analysis spawned a process that was identified as malicious
      details
      1/68 Antivirus vendors marked spawned process "21l0dsf1.yzl.exe" (PID: 2376) as malicious (classified as "WebCompanion.C potentially unwanted" with 1% detection rate)
      1/63 Antivirus vendors marked spawned process "WebCompanionInstaller.exe" (PID: 3196) as malicious (classified as "WebCompanion.C potentially unwanted" with 1% detection rate)
      source
      Monitored Target
      relevance
      10/10
  • Installation/Persistence
    • Drops executable files to the Windows system directory
      details
      File type "PE32 executable (GUI) Intel 80386 for MS Windows" was dropped at "%WINDIR%\Temp\asw.d59bc30c4f64c8b0\avast_free_antivirus_setup_online.exe"
      source
      Extracted File
      relevance
      7/10
    • Writes data to a remote process
      details
      "<Input Sample>" wrote 1500 bytes to a remote process "%TEMP%\7zS80AEF99A\installer.exe" (Handle: 108)
      "<Input Sample>" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\installer.exe" (Handle: 108)
      "<Input Sample>" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\installer.exe" (Handle: 108)
      "<Input Sample>" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\installer.exe" (Handle: 108)
      "installer.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\GenericSetup.exe" (Handle: 184)
      "installer.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\GenericSetup.exe" (Handle: 184)
      "installer.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\GenericSetup.exe" (Handle: 184)
      "installer.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\GenericSetup.exe" (Handle: 184)
      "cmd.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\Carrier.exe" (Handle: 84)
      "cmd.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\Carrier.exe" (Handle: 84)
      "cmd.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS80AEF99A\Carrier.exe" (Handle: 84)
      "cmd.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\21l0dsf1.yzl.exe" (Handle: 84)
      "cmd.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\21l0dsf1.yzl.exe" (Handle: 84)
      "cmd.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\21l0dsf1.yzl.exe" (Handle: 84)
      "cmd.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\21l0dsf1.yzl.exe" (Handle: 84)
      "21l0dsf1.yzl.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS2009.tmp\WebCompanionInstaller.exe" (Handle: 220)
      "21l0dsf1.yzl.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS2009.tmp\WebCompanionInstaller.exe" (Handle: 220)
      "21l0dsf1.yzl.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS2009.tmp\WebCompanionInstaller.exe" (Handle: 220)
      "21l0dsf1.yzl.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7zS2009.tmp\WebCompanionInstaller.exe" (Handle: 220)
      "cmd.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\psk13wj0.0ws.exe" (Handle: 84)
      "cmd.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\psk13wj0.0ws.exe" (Handle: 84)
      "cmd.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\psk13wj0.0ws.exe" (Handle: 84)
      "cmd.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\psk13wj0.0ws.exe" (Handle: 84)
      "psk13wj0.0ws.exe" wrote 1500 bytes to a remote process "C:\Windows\Temp\asw.d59bc30c4f64c8b0\avast_free_antivirus_setup_online.exe" (Handle: 268)
      "psk13wj0.0ws.exe" wrote 4 bytes to a remote process "C:\Windows\Temp\asw.d59bc30c4f64c8b0\avast_free_antivirus_setup_online.exe" (Handle: 268)
      "psk13wj0.0ws.exe" wrote 32 bytes to a remote process "C:\Windows\Temp\asw.d59bc30c4f64c8b0\avast_free_antivirus_setup_online.exe" (Handle: 268)
      "psk13wj0.0ws.exe" wrote 52 bytes to a remote process "C:\Windows\Temp\asw.d59bc30c4f64c8b0\avast_free_antivirus_setup_online.exe" (Handle: 268)
      "avast_free_antivirus_setup_online.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\Instup.exe" (Handle: 408)
      "avast_free_antivirus_setup_online.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\Instup.exe" (Handle: 408)
      "avast_free_antivirus_setup_online.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\Instup.exe" (Handle: 408)
      "avast_free_antivirus_setup_online.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\Instup.exe" (Handle: 408)
      "Instup.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\New_11090912\instup.exe" (Handle: 544)
      "Instup.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\New_11090912\instup.exe" (Handle: 544)
      "Instup.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\New_11090912\instup.exe" (Handle: 544)
      "Instup.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_av_iup.tm~a03332\New_11090912\instup.exe" (Handle: 544)
      source
      API Call
      relevance
      6/10
  • Network Related
    • Contacts very many different hosts
      details
      Contacted 23 (or more) hosts in at least 5 different countries
      source
      Network Traffic
      relevance
      9/10
    • Found more than one unique User-Agent
      details
      Found the following User-Agents: Avast Microstub/2.0
      BTWebClient/351S(44332)
      uTorrent(44332)/3.5.1
      Avast SimpleHttp/3.0
      avast! Antivirus
      source
      Network Traffic
      relevance
      5/10
    • Malicious artifacts seen in the context of a contacted host
      details
      Found malicious artifacts related to "104.17.61.19": ...
      URL: http://wcdownloader-qa.lavasoft.com/4.0.1753.3301 (AV positives: 1/66 scanned on 12/28/2017 01:38:19)
      URL: http://appdownload.lavasoft.com/malsync/adurllist/dailyList.zip (AV positives: 1/66 scanned on 12/16/2017 15:42:28)
      URL: http://wcdownloadercdn.lavasoft.com/4.0.1777.3330/WcInstaller.exe (AV positives: 1/66 scanned on 12/08/2017 00:47:10)
      URL: http://flow.lavasoft.com.cdn.cloudflare.net/ (AV positives: 1/66 scanned on 12/02/2017 18:50:01)
      URL: http://wcdownloadercdn.lavasoft.com/4.0.1767.3319/WcInstaller.exe (AV positives: 1/66 scanned on 11/30/2017 14:34:17)
      File SHA256: de903a444fc99f006ef13276f69989e640735cf34aeaa467675dd10f664eed7e (Date: 01/04/2018 11:44:30)
      File SHA256: daf1293df01b4f11e7e3056116b4d24e2b55e6f1bf6fdd651b7c10636efbd963 (Date: 01/04/2018 11:16:47)
      File SHA256: 4acc2f6d891bf52225b1161500c2f4a6ce83cf420d2077d1f9b0dabb0a292a22 (AV positives: 1/66 scanned on 12/27/2017 05:18:20)
      File SHA256: 866a8fb02c387b7160d43fb72cc5cfbc5acbb0df825be2f359727bafedc56d3a (Date: 12/24/2017 15:50:55)
      File SHA256: 1f609cc69834d87864af9422c0175b3d08b18879a8d053aab1a5c2370a245562 (AV positives: 1/68 scanned on 12/23/2017 08:07:25)
      File SHA256: 61c02bb77dbf7f00765667c7bb1edd82268fdbc94ae46720faacc248012b18cb (AV positives: 1/62 scanned on 12/20/2017 14:30:36)
      File SHA256: 04523d04f6f0f09e61770b42a46f1b5a744d5eaebd39350fe9606cf6720bf693 (AV positives: 4/67 scanned on 12/20/2017 08:21:58)
      File SHA256: 0e37c48d15b483eb5c97c8e71a17e8b6e649813f1b572ce86f9970e07a3285bb (AV positives: 1/66 scanned on 12/19/2017 02:48:29)
      File SHA256: ff2fdcd19ff0bb00d889778cc484e318844164a221ebd8332028f87fa782bc67 (Date: 12/18/2017 17:06:07)
      File SHA256: 530d58110e1ae90c036e4b78f41a3b2b241e83a2c71a0e4847843aee4c07d5bc (Date: 12/16/2017 12:47:43)
      Found malicious artifacts related to "104.17.116.51": ...
      URL: http://webcompanion.com/nano_download.php?partner=IO170906 (AV positives: 1/66 scanned on 12/13/2017 16:45:17)
      URL: http://webcompanion.com/nano_download.php?partner=FZ160201 (AV positives: 1/64 scanned on 05/18/2017 17:41:31)
      URL: http://webcompanion.com/test_malicious_url.exe (AV positives: 1/64 scanned on 04/27/2017 05:16:06)
      File SHA256: 0595dd113e4998abf47fc907172b9ca6092219c971bda8f242e2cd310f2404a1 (AV positives: 1/68 scanned on 01/06/2018 19:16:51)
      File SHA256: 6b7d46ef354221ef212abd7380b98d7b9189c40e95656e430294f3b283b4e47c (AV positives: 1/67 scanned on 12/24/2017 06:48:35)
      File SHA256: 1fd3aa7605d6fc7f11da6af9a467646bfc764ef2e97b31f128ae5a1f4e77ebb3 (AV positives: 1/68 scanned on 12/22/2017 15:25:29)
      File SHA256: b8e923d26ea5a49d1d6eaa631dc3af5f7ef980772fcf14a248a1a03a918079db (AV positives: 1/68 scanned on 12/13/2017 16:45:21)
      File SHA256: 03e75740e34512335619364007faa96b4f1b5bc720c52cde4d826b98c241eb9b (AV positives: 4/68 scanned on 12/11/2017 08:26:04)
      File SHA256: 0b23f15085989a19dedb3723767ab4249298582b0f648dd4ee3a005219ac4205 (Date: 05/10/2017 08:43:32)
      File SHA256: 58859238b06b8bdb928f57552b484e5e19a10ebff56ced95f351a01236561ab9 (Date: 02/24/2017 08:39:52)
      File SHA256: 5fe924737dcba6cf8dd83fc7f37756f37e808d1143f401df86c3726b37847b15 (Date: 02/24/2017 05:28:49)
      Found malicious artifacts related to "104.16.70.38": ...
      File SHA256: 5f964ffd6665549007e1c144580af6ad841fc656f02d247fbdcbdc20affd7020 (AV positives: 1/66 scanned on 01/06/2018 12:21:46)
      File SHA256: 533298add3906bea9fd5d683178f598f2956b969c54b59408e6cb3940e5e321c (AV positives: 1/66 scanned on 01/01/2018 00:18:47)
      File SHA256: 3fc701c37ccf106d98380bf35210801ca8cf3d21a9727979e2585200bf5fe113 (AV positives: 1/68 scanned on 12/13/2017 08:19:13)
      File SHA256: eeccbe6962accf360c5ff5cd0088a43aef70cf3d6243dcaefa4d58b1c028de7e (AV positives: 4/64 scanned on 10/24/2017 23:06:07)
      File SHA256: f2ec68f3a45e75e34c43b85be2083192e0fc3f37f227aedff796516f4b19985c (AV positives: 1/65 scanned on 10/17/2017 21:58:09)
      Found malicious artifacts related to "23.56.186.141": ...
      File SHA256: 7e424e3fa210d463804e23e748c16eb2cf49928b3874b484de2ce80d5f985781 (Date: 12/16/2017 01:16:19)
      File SHA256: 3c39779df6de6156e6a978b396e566b047c5a3b38b42c72f4a3f2d69df26515f (Date: 12/15/2017 21:52:35)
      File SHA256: 5ec5ebe9cc3f4354982decdd8c27a1767940ada2da4d5e59e5291ee6966f1171 (AV positives: 25/67 scanned on 11/26/2017 18:40:11)
      File SHA256: 15ad9722b54337cea1472fb0da8cbfe561d59eb0519215d923266e7f16d6ddcd (AV positives: 18/66 scanned on 11/25/2017 21:21:40)
      File SHA256: 3e25ca3d11589f0caf806ea83c4cae97e5009b3dd7bc1e903ed5a0a96950b3cf (AV positives: 1/68 scanned on 11/09/2017 23:32:01)
      File SHA256: c50b1b78e5d850ef9108f044af8d214eaf01ea885f0039cb3a70814f5a86ce41 (AV positives: 39/67 scanned on 10/31/2017 15:09:25)
      File SHA256: c62db44becb524a7c3c64ff6b9c5ff3f6060390b2984e11867381a3d71f5802e (AV positives: 2/68 scanned on 10/29/2017 18:22:18)
      Found malicious artifacts related to "77.234.45.53": ...
      File SHA256: 9bbf823b19be9102984ec57ec7cd2f645fa8794574ca85b2953d8a92bd5f083d (Date: 01/02/2018 22:35:49)
      File SHA256: 696e687b82681f86ee73954f5694aa80f7e04b6e874a443c80505264388506f8 (Date: 01/02/2018 21:06:30)
      File SHA256: 3912e4aa399146e1cc2bf77605b19ae4182b4829ef2757575cefa503a3ce095e (Date: 12/23/2017 13:35:49)
      File SHA256: 827c0f089235b14369dc3635e61de7de46f058a3434f7561fc54878cd84a3866 (Date: 12/20/2017 23:41:50)
      File SHA256: 2766d827ed786366c39246432bbfafa875976803f6b50ebf39849dd652752110 (Date: 12/20/2017 19:19:36)
      File SHA256: 41dfc0baf8953a1b80e2e1b20829b9dd630b6a00031c78ecfbc80d588eab37d8 (AV positives: 26/68 scanned on 12/18/2017 02:58:37)
      File SHA256: 15ad9722b54337cea1472fb0da8cbfe561d59eb0519215d923266e7f16d6ddcd (AV positives: 18/66 scanned on 11/25/2017 21:21:41)
      File SHA256: 225ba84e69cece00a49ddee651ab805138794c1bc80cefbdb309a5207769da19 (AV positives: 1/67 scanned on 11/15/2017 19:54:23)
      File SHA256: 87f49940095a7a016d6b1728fb886e577f5eb4d0d52fe59431db4231ba745950 (AV positives: 17/67 scanned on 11/13/2017 01:00:36)
      File SHA256: dd600b17f2f66746a38b236c769c8a956aa8e80987206ec20d79e2c9551ad75a (AV positives: 15/67 scanned on 11/12/2017 22:21:58)
      Found malicious artifacts related to "178.79.208.1": ...
      File SHA256: 7dfc0a2ab531ffcc9b969b8e5caef85e26163003452ca9deba2102a2ff3d9c1c (Date: 12/16/2017 18:51:59)
      File SHA256: 3a419c8dd18a06a2a780563e8d3c1100890cb2ba0374ee719aef0efd83527680 (Date: 12/12/2017 05:01:08)
      File SHA256: ee631d813358155c417eb7f8f77125bf9874a805be4e1285b20c9f5bb25db166 (Date: 12/09/2017 09:20:51)
      File SHA256: b51b0501045123a8ae9522a5b856daf8efbbe842036f1b783798f0b4a23542bb (Date: 12/06/2017 14:34:40)
      File SHA256: 8821e4c68899e44e5059142310c41927a554d975ef182df5e6882bd2c4518dad (Date: 12/06/2017 13:34:32)
      File SHA256: 08cecd70320cae69c6a4760c911bc5c25f93d979711b28ad4d2ef87271c89541 (AV positives: 2/64 scanned on 08/03/2017 08:37:10)
      File SHA256: cc1490d17eb99521988b6c760e34e5afab1e7dc72739d9848713829ac59189ed (AV positives: 2/65 scanned on 08/01/2017 14:59:50)
      File SHA256: b5af7f49540d52f1fa2fb6d02588d5488faf3c035114b434986aaf57823e6f36 (AV positives: 6/64 scanned on 07/24/2017 12:38:07)
      File SHA256: 8591183f242dc2b06a68acb357e0c47ec50a10d72eb2bc72ff27ff74f4be5a52 (AV positives: 12/64 scanned on 07/21/2017 13:11:44)
      File SHA256: bd57ae63f4b722135f1b936bf48d40b15062c7e1fc84f388c764a301c8381063 (AV positives: 55/64 scanned on 07/20/2017 10:39:54)
      source
      Network Traffic
      relevance
      10/10
    • Multiple malicious artifacts seen in the context of different hosts
      details
      Found malicious artifacts related to "104.17.61.19": ...
      URL: http://wcdownloader-qa.lavasoft.com/4.0.1753.3301 (AV positives: 1/66 scanned on 12/28/2017 01:38:19)
      URL: http://appdownload.lavasoft.com/malsync/adurllist/dailyList.zip (AV positives: 1/66 scanned on 12/16/2017 15:42:28)
      URL: http://wcdownloadercdn.lavasoft.com/4.0.1777.3330/WcInstaller.exe (AV positives: 1/66 scanned on 12/08/2017 00:47:10)
      URL: http://flow.lavasoft.com.cdn.cloudflare.net/ (AV positives: 1/66 scanned on 12/02/2017 18:50:01)
      URL: http://wcdownloadercdn.lavasoft.com/4.0.1767.3319/WcInstaller.exe (AV positives: 1/66 scanned on 11/30/2017 14:34:17)
      File SHA256: de903a444fc99f006ef13276f69989e640735cf34aeaa467675dd10f664eed7e (Date: 01/04/2018 11:44:30)
      File SHA256: daf1293df01b4f11e7e3056116b4d24e2b55e6f1bf6fdd651b7c10636efbd963 (Date: 01/04/2018 11:16:47)
      File SHA256: 4acc2f6d891bf52225b1161500c2f4a6ce83cf420d2077d1f9b0dabb0a292a22 (AV positives: 1/66 scanned on 12/27/2017 05:18:20)
      File SHA256: 866a8fb02c387b7160d43fb72cc5cfbc5acbb0df825be2f359727bafedc56d3a (Date: 12/24/2017 15:50:55)
      File SHA256: 1f609cc69834d87864af9422c0175b3d08b18879a8d053aab1a5c2370a245562 (AV positives: 1/68 scanned on 12/23/2017 08:07:25)
      File SHA256: 61c02bb77dbf7f00765667c7bb1edd82268fdbc94ae46720faacc248012b18cb (AV positives: 1/62 scanned on 12/20/2017 14:30:36)
      File SHA256: 04523d04f6f0f09e61770b42a46f1b5a744d5eaebd39350fe9606cf6720bf693 (AV positives: 4/67 scanned on 12/20/2017 08:21:58)
      File SHA256: 0e37c48d15b483eb5c97c8e71a17e8b6e649813f1b572ce86f9970e07a3285bb (AV positives: 1/66 scanned on 12/19/2017 02:48:29)
      File SHA256: ff2fdcd19ff0bb00d889778cc484e318844164a221ebd8332028f87fa782bc67 (Date: 12/18/2017 17:06:07)
      File SHA256: 530d58110e1ae90c036e4b78f41a3b2b241e83a2c71a0e4847843aee4c07d5bc (Date: 12/16/2017 12:47:43)
      Found malicious artifacts related to "104.17.116.51": ...
      URL: http://webcompanion.com/nano_download.php?partner=IO170906 (AV positives: 1/66 scanned on 12/13/2017 16:45:17)
      URL: http://webcompanion.com/nano_download.php?partner=FZ160201 (AV positives: 1/64 scanned on 05/18/2017 17:41:31)
      URL: http://webcompanion.com/test_malicious_url.exe (AV positives: 1/64 scanned on 04/27/2017 05:16:06)
      File SHA256: 0595dd113e4998abf47fc907172b9ca6092219c971bda8f242e2cd310f2404a1 (AV positives: 1/68 scanned on 01/06/2018 19:16:51)
      File SHA256: 6b7d46ef354221ef212abd7380b98d7b9189c40e95656e430294f3b283b4e47c (AV positives: 1/67 scanned on 12/24/2017 06:48:35)
      File SHA256: 1fd3aa7605d6fc7f11da6af9a467646bfc764ef2e97b31f128ae5a1f4e77ebb3 (AV positives: 1/68 scanned on 12/22/2017 15:25:29)
      File SHA256: b8e923d26ea5a49d1d6eaa631dc3af5f7ef980772fcf14a248a1a03a918079db (AV positives: 1/68 scanned on 12/13/2017 16:45:21)
      File SHA256: 03e75740e34512335619364007faa96b4f1b5bc720c52cde4d826b98c241eb9b (AV positives: 4/68 scanned on 12/11/2017 08:26:04)
      File SHA256: 0b23f15085989a19dedb3723767ab4249298582b0f648dd4ee3a005219ac4205 (Date: 05/10/2017 08:43:32)
      File SHA256: 58859238b06b8bdb928f57552b484e5e19a10ebff56ced95f351a01236561ab9 (Date: 02/24/2017 08:39:52)
      File SHA256: 5fe924737dcba6cf8dd83fc7f37756f37e808d1143f401df86c3726b37847b15 (Date: 02/24/2017 05:28:49)
      Found malicious artifacts related to "104.16.70.38": ...
      File SHA256: 5f964ffd6665549007e1c144580af6ad841fc656f02d247fbdcbdc20affd7020 (AV positives: 1/66 scanned on 01/06/2018 12:21:46)
      File SHA256: 533298add3906bea9fd5d683178f598f2956b969c54b59408e6cb3940e5e321c (AV positives: 1/66 scanned on 01/01/2018 00:18:47)
      File SHA256: 3fc701c37ccf106d98380bf35210801ca8cf3d21a9727979e2585200bf5fe113 (AV positives: 1/68 scanned on 12/13/2017 08:19:13)
      File SHA256: eeccbe6962accf360c5ff5cd0088a43aef70cf3d6243dcaefa4d58b1c028de7e (AV positives: 4/64 scanned on 10/24/2017 23:06:07)
      File SHA256: f2ec68f3a45e75e34c43b85be2083192e0fc3f37f227aedff796516f4b19985c (AV positives: 1/65 scanned on 10/17/2017 21:58:09)
      Found malicious artifacts related to "23.56.186.141": ...
      File SHA256: 7e424e3fa210d463804e23e748c16eb2cf49928b3874b484de2ce80d5f985781 (Date: 12/16/2017 01:16:19)
      File SHA256: 3c39779df6de6156e6a978b396e566b047c5a3b38b42c72f4a3f2d69df26515f (Date: 12/15/2017 21:52:35)
      File SHA256: 5ec5ebe9cc3f4354982decdd8c27a1767940ada2da4d5e59e5291ee6966f1171 (AV positives: 25/67 scanned on 11/26/2017 18:40:11)
      File SHA256: 15ad9722b54337cea1472fb0da8cbfe561d59eb0519215d923266e7f16d6ddcd (AV positives: 18/66 scanned on 11/25/2017 21:21:40)
      File SHA256: 3e25ca3d11589f0caf806ea83c4cae97e5009b3dd7bc1e903ed5a0a96950b3cf (AV positives: 1/68 scanned on 11/09/2017 23:32:01)
      File SHA256: c50b1b78e5d850ef9108f044af8d214eaf01ea885f0039cb3a70814f5a86ce41 (AV positives: 39/67 scanned on 10/31/2017 15:09:25)
      File SHA256: c62db44becb524a7c3c64ff6b9c5ff3f6060390b2984e11867381a3d71f5802e (AV positives: 2/68 scanned on 10/29/2017 18:22:18)
      Found malicious artifacts related to "77.234.45.53": ...
      File SHA256: 9bbf823b19be9102984ec57ec7cd2f645fa8794574ca85b2953d8a92bd5f083d (Date: 01/02/2018 22:35:49)
      File SHA256: 696e687b82681f86ee73954f5694aa80f7e04b6e874a443c80505264388506f8 (Date: 01/02/2018 21:06:30)
      File SHA256: 3912e4aa399146e1cc2bf77605b19ae4182b4829ef2757575cefa503a3ce095e (Date: 12/23/2017 13:35:49)
      File SHA256: 827c0f089235b14369dc3635e61de7de46f058a3434f7561fc54878cd84a3866 (Date: 12/20/2017 23:41:50)
      File SHA256: 2766d827ed786366c39246432bbfafa875976803f6b50ebf39849dd652752110 (Date: 12/20/2017 19:19:36)
      File SHA256: 41dfc0baf8953a1b80e2e1b20829b9dd630b6a00031c78ecfbc80d588eab37d8 (AV positives: 26/68 scanned on 12/18/2017 02:58:37)
      File SHA256: 15ad9722b54337cea1472fb0da8cbfe561d59eb0519215d923266e7f16d6ddcd (AV positives: 18/66 scanned on 11/25/2017 21:21:41)
      File SHA256: 225ba84e69cece00a49ddee651ab805138794c1bc80cefbdb309a5207769da19 (AV positives: 1/67 scanned on 11/15/2017 19:54:23)
      File SHA256: 87f49940095a7a016d6b1728fb886e577f5eb4d0d52fe59431db4231ba745950 (AV positives: 17/67 scanned on 11/13/2017 01:00:36)
      File SHA256: dd600b17f2f66746a38b236c769c8a956aa8e80987206ec20d79e2c9551ad75a (AV positives: 15/67 scanned on 11/12/2017 22:21:58)
      Found malicious artifacts related to "178.79.208.1": ...
      File SHA256: 7dfc0a2ab531ffcc9b969b8e5caef85e26163003452ca9deba2102a2ff3d9c1c (Date: 12/16/2017 18:51:59)
      File SHA256: 3a419c8dd18a06a2a780563e8d3c1100890cb2ba0374ee719aef0efd83527680 (Date: 12/12/2017 05:01:08)
      File SHA256: ee631d813358155c417eb7f8f77125bf9874a805be4e1285b20c9f5bb25db166 (Date: 12/09/2017 09:20:51)
      File SHA256: b51b0501045123a8ae9522a5b856daf8efbbe842036f1b783798f0b4a23542bb (Date: 12/06/2017 14:34:40)
      File SHA256: 8821e4c68899e44e5059142310c41927a554d975ef182df5e6882bd2c4518dad (Date: 12/06/2017 13:34:32)
      File SHA256: 08cecd70320cae69c6a4760c911bc5c25f93d979711b28ad4d2ef87271c89541 (AV positives: 2/64 scanned on 08/03/2017 08:37:10)
      File SHA256: cc1490d17eb99521988b6c760e34e5afab1e7dc72739d9848713829ac59189ed (AV positives: 2/65 scanned on 08/01/2017 14:59:50)
      File SHA256: b5af7f49540d52f1fa2fb6d02588d5488faf3c035114b434986aaf57823e6f36 (AV positives: 6/64 scanned on 07/24/2017 12:38:07)
      File SHA256: 8591183f242dc2b06a68acb357e0c47ec50a10d72eb2bc72ff27ff74f4be5a52 (AV positives: 12/64 scanned on 07/21/2017 13:11:44)
      File SHA256: bd57ae63f4b722135f1b936bf48d40b15062c7e1fc84f388c764a301c8381063 (AV positives: 55/64 scanned on 07/20/2017 10:39:54)
      source
      Network Traffic
      relevance
      10/10
  • Pattern Matching
    • YARA signature match
      details
      YARA signature "win_retefe_g1" classified file "installer.exe" as "retefe,banker" based on indicators: "33c98bc7f7e20f90c1f7d90bc851e8,81f1696e65498b45e0356e74656c0bc88b45dc6a013547656e750bc8586a0059530fa2" (Author: Slavo Greminger, SWITCH-CERT)
      source
      YARA Signature
      relevance
      10/10
  • System Destruction
    • Interacts with the primary disk partition (DR0)
      details
      "avast_free_antivirus_setup_online.exe" interacting with "\Device\Harddisk0\DR0" using IoControlCode 0x2d1400
      "avast_free_antivirus_setup_online.exe" interacting with "\Device\Harddisk0\DR0" using IoControlCode 0x74080
      "avast_free_antivirus_setup_online.exe" interacting with "\Device\Harddisk0\DR0" using IoControlCode 0x7c088
      "Instup.exe" interacting with "\Device\Harddisk0\DR0" using IoControlCode 0x2d1400
      "Instup.exe" interacting with "\Device\Harddisk0\DR0" using IoControlCode 0x74080
      "Instup.exe" interacting with "\Device\Harddisk0\DR0" using IoControlCode 0x7c088
      source
      API Call
      relevance
      5/10
  • Unusual Characteristics
    • Checks for a resource fork (ADS) file
      details
      "Instup.exe" checked file "C:"
      "instup.exe" checked file "C:"
      source
      API Call
      relevance
      5/10
    • Spawns a lot of processes
      details
      Spawned process "<Input Sample>"
      Spawned process "installer.exe" with commandline ".\installer.exe"
      Spawned process "GenericSetup.exe"
      Spawned process "cmd.exe" with commandline "/C ""%TEMP%\7zS80AEF99A\Carrier.exe" /S /FORCEINSTALL 1110010101111110"""
      Spawned process "Carrier.exe" with commandline "/S /FORCEINSTALL 1110010101111110"
      Spawned process "cmd.exe" with commandline "/C ""%TEMP%\21l0dsf1.yzl.exe" --silent --homepage=1 --search=1 --partner=BT171001"""
      Spawned process "21l0dsf1.yzl.exe" with commandline "--silent --homepage=1 --search=1 --partner=BT171001"
      Spawned process "cmd.exe" with commandline "/C ""%TEMP%\psk13wj0.0ws.exe" /silent"""
      Spawned process "psk13wj0.0ws.exe" with commandline "/silent"
      Spawned process "WebCompanionInstaller.exe" with commandline ".\WebCompanionInstaller.exe --partner=BT171001 --version=4.0.1780.3335 --prod --silent --homepage=1 --search=1 --partner=BT171001"
      Spawned process "avast_free_antivirus_setup_online.exe" with commandline "/cookie:mmm_lvs_ppi_002_967_n /ga_clientid:114e83c8-7cac-442c-8868-6f6452f16be3 /silent"
      Spawned process "Instup.exe" with commandline "/edition:1 /ga_clientid:114e83c8-7cac-442c-8868-6f6452f16be3 /guid:ef47ee49-1dae-4d31-867f-ec51e593c586 /prod:ais /sfx:lite /sfxstorage:%TEMP%\_av_iup.tm~a03332 /cookie:mmm_lvs_ppi_002_967_n /ga_clientid:114e83c8-7cac-442c-8868-6f6452f16be3 /silent"
      Spawned process "instup.exe" with commandline "/cookie:mmm_lvs_ppi_002_967_n /edition:1 /ga_clientid:114e83c8-7cac-442c-8868-6f6452f16be3 /guid:ef47ee49-1dae-4d31-867f-ec51e593c586 /online_installer /prod:ais /sfx /sfxstorage:%TEMP%\_av_iup.tm~a03332 /silent"
      source
      Monitored Target
      relevance
      8/10
  • Hiding 1 Malicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Suspicious Indicators 39

  • Anti-Reverse Engineering
  • Environment Awareness
    • Contains ability to query CPU information
      details
      cpuid from PID 00002660
      cpuid at 21023-9447-0089E251
      source
      Hybrid Analysis Technology
      relevance
      10/10
    • Executes WMI queries known to be used for VM detection
      details
      "installer.exe" issued a query "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True"
      "installer.exe" issued a query "SELECT * FROM Win32_VideoController"
      "installer.exe" issued a query "SELECT * FROM Win32_DiskDrive"
      "installer.exe" issued a query "SELECT * FROM Win32_BaseBoard"
      "installer.exe" issued a query "SELECT * FROM Win32_BIOS"
      "installer.exe" issued a query "SELECT * FROM Win32_Processor"
      source
      API Call
      relevance
      10/10
    • Found a dropped file containing the Windows username (possible fingerprint attempt)
      details
      Found dropped filename "tsitenz@localhost[1].txt" containing the spoofed Windows username "tsITenZ"
      source
      Extracted File
      relevance
      5/10
    • Reads the active computer name
      details
      "installer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "GenericSetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "Carrier.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "psk13wj0.0ws.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "WebCompanionInstaller.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "avast_free_antivirus_setup_online.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "Instup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")