Trojan.MulDrop13.1644

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\cmd
<SYSTEM32>\tasks\svchost
<SYSTEM32>\tasks\conhost

Malicious functions

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data

Modifies file system

Creates the following files

%TEMP%\commonwin\ldscjybvyo08dy6xbeol.exe
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\uqirc0d3hv
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\wfwkmyvshf
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\unlyoituvd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\nglzv3kqdm
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xt0cpbdkvq
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\sy54wzoopj
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\4gcsqbwijm
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\fi8euolrcg
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\o6k3ku9h5j
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\wm6mnvcgpd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\e3npys3v20
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ifconzxyub
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ris9nrdiqh
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xpxy83rkvd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\zqgttnpco7
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\qqim7qa4sl
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\wbrytbys5k
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\jujxed245g
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
%PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
%LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ygpabji4wc
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\muudk5gbnm
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\sabsf5glsd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\yf9lwqwrxk
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\tefd7zagxi
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xarsxxpw4f
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xtgxtokk7u
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ynmb0y32vf
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\qoqe6mmgi8
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ibg0t7gsyt
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\et8ei9muij
%TEMP%\commonwin\d5cno1h1p8auxnjjgfdwzrbkfnqhl6.bat
%TEMP%\commonwin\ui0pbm97lftcywshpwcwb3lwyskh2u.bat
%TEMP%\commonwin\netmonitor.exe
%TEMP%\commonwin\e5zan6tjdf3jjrxpjy3xkwihksi08a.vbe
C:\far2\pluginsdk\headers.pas\cmd.exe
C:\far2\pluginsdk\headers.pas\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228
%TEMP%\e32877f20cc6be74a571560970c4d007.tmp
%PROGRAMDATA%\sun\java\svchost.exe
%PROGRAMDATA%\sun\java\f4d236fdec2fd03914189c3b26e5cb0dfea9d761
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\conhost.exe
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\088424020bedd6b28ac7fd22ee35dcd7322895ce
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\phbut6mcec
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\zprfadktft
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\m6lsdhviqu
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\7yqxdhtx3p
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\tpxd8fdljj
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ji73lativo
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\db35ou1shh
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\waibofv8zy
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\apif9pren7
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\jsygkeuhl2
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\tvqf1jjfpf
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ovsgnycx5i
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\dxfj7dlb0j
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\vox7fo8do0
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\flyito9rdw
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\lwlcz5qghx
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\hipfta7vby
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\zzted1i6at
%TEMP%\commonwin\jxxsfl6dczytdsnwjl18n1qqynobhk.vbe
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\fndznkeycn
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\jzddsoe8vq

Deletes the following files

C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\phbut6mcec
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\nglzv3kqdm
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xt0cpbdkvq
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\sy54wzoopj
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\4gcsqbwijm
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\fi8euolrcg
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\o6k3ku9h5j
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\wm6mnvcgpd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\e3npys3v20
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ifconzxyub
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ris9nrdiqh
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\zqgttnpco7
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\7yqxdhtx3p
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\qqim7qa4sl
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\wbrytbys5k
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\jujxed245g
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ygpabji4wc
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\muudk5gbnm
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\sabsf5glsd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\yf9lwqwrxk
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\tefd7zagxi
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xarsxxpw4f
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\unlyoituvd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\m6lsdhviqu
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\wfwkmyvshf
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ynmb0y32vf
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\zprfadktft
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\tpxd8fdljj
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xpxy83rkvd
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\fndznkeycn
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ji73lativo
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\db35ou1shh
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\waibofv8zy
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\apif9pren7
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\jsygkeuhl2
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\tvqf1jjfpf
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ovsgnycx5i
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\dxfj7dlb0j
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\vox7fo8do0
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\flyito9rdw
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\lwlcz5qghx
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\hipfta7vby
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\zzted1i6at
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\et8ei9muij
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\ibg0t7gsyt
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\qoqe6mmgi8
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\xtgxtokk7u
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\uqirc0d3hv
C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\jzddsoe8vq

Network activity

TCP

HTTP GET requests

http://82.##6.46.245/4qg57cz05mflpyhnyu0lhml024d6da7vxjas8ookwswe6v1dn1cp9rfyzvs2i9xc6xtlrnctikueh31m7bhi38z8/d4mzjclowcvdkrzyrnb8mpmoaq1pr3zeqx667kxo237qll1t9hoxpe2knak8ns0mu1b/82c9dcae3b88eac...
http://82.##6.46.245/4qg57cz05mflpyhnyu0lhml024d6da7vxjas8ookwswe6v1dn1cp9rfyzvs2i9xc6xtlrnctikueh31m7bhi38z8/d4mzjclowcvdkrzyrnb8mpmoaq1pr3zeqx667kxo237qll1t9hoxpe2knak8ns0mu1b/4hza2v1oa17oe7b...

'ip##fo.io':443

UDP

DNS ASK ip##fo.io

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'%WINDIR%\syswow64\wscript.exe' "%TEMP%\commonwin\jxxSFL6DCzYtdSnWjL18N1QqynobHK.vbe"
'%TEMP%\commonwin\ldscjybvyo08dy6xbeol.exe' -p43a8a68746f1f93679eddcc97f6ca755556a08cc
'%WINDIR%\syswow64\wscript.exe' "%TEMP%\commonwin\e5zan6TJDf3jJrxpjY3XKwiHksi08a.vbe"
'%TEMP%\commonwin\netmonitor.exe'
'C:\users\all users\package cache\{a2199617-3609-410f-a8e8-e8806c73545b}\conhost.exe'
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\commonwin\D5cno1h1P8aUXNJJGfDwzrBKFnQHL6.bat" "' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\commonwin\ui0pBM97LfTcyWshPWcWb3lWysKH2u.bat" "' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\commonwin\D5cno1h1P8aUXNJJGfDwzrBKFnQHL6.bat" "
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\commonwin\ui0pBM97LfTcyWshPWcWb3lWysKH2u.bat" "
'<SYSTEM32>\schtasks.exe' /create /tn "cmd" /sc ONLOGON /tr "'C:\Far2\PluginSDK\Headers.pas\cmd.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "svchost" /sc ONLOGON /tr "'%PROGRAMDATA%\Sun\Java\svchost.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{a2199617-3609-410f-a8e8-e8806c73545b}\conhost.exe'" /rl HIGHEST /f

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial