2eef4d8b88161baf2525abfb6c1bac2b

From aldeid

Description

Summary

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5 2eef4d8b88161baf2525abfb6c1bac2b
SHA1 0bbb014657bf4459faa2e6faf11d0559b196187c
SHA256 3d84a7395b23bc363a52a2028cea6cedb8ea4011ebc63865581c35aaa0da5da8
ssdeep 1536:C4cQylcAbqJAyx0rrPsHPbk49aB0lG3k68Ftu3mD7:1y2RJAXfPsv6Utl7
imphash 2722c4be0952ccc449e665c2c8245a51
File size 48.8 KB (49969 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID
  • Win32 Executable (generic) (42.6%)
  • Clipper DOS Executable (19.0%)
  • Generic Win/DOS Executable (18.9%)
  • DOS Executable Generic (18.9%)
  • VXD Driver (0.2%)

Antivirus detection

Antivirus             Result                                      Update
--------------------------------------------------------------------------
Ad-Aware              Win32.Worm.Morto.A                          20140213
Agnitum               Trojan.Agent!MYoVp4jcZjs                    20140212
AhnLab-V3                                                         20140213
AntiVir               Worm/Morto.bzrya                            20140213
Antiy-AVL             Worm[Net]/Win32.Morto.2                     20140213
Avast                 Win32:Malware-gen                           20140213
AVG                   Agent3.ACOR                                 20140213
Baidu-International   Worm.Win32.Morto.ak                         20140213
BitDefender           Win32.Worm.Morto.A                          20140213
Bkav                  W32.OnGameXLAIZUAQ.Trojan                   20140213
ByteHero                                                          20130613
CAT-QuickHeal         I-Worm.Morto.b                              20140213
ClamAV                Worm.Morto                                  20140213
CMC                   Net-Worm.Win32.Morto!O                      20140213
Commtouch                                                         20140213
Comodo                Worm.Win32.Morto.~A                         20140213
DrWeb                 BackDoor.Tsclient.1                         20140213
Emsisoft              Win32.Worm.Morto.A (B)                      20140213
ESET-NOD32            Win32/Morto.B                               20140213
F-Prot                                                            20140211
F-Secure              Worm:W32/Morto.A                            20140213
Fortinet              W32/Morto.B!worm.im                         20140213
GData                 Win32.Worm.Morto.A                          20140213
Ikarus                Worm.Win32.Morto                            20140213
Jiangmin              Backdoor/DsBot.dov                          20140213
K7AntiVirus           NetWorm ( 002c24bc1 )                       20140212
K7GW                  NetWorm ( 002c24bc1 )                       20140213
Kaspersky             Net-Worm.Win32.Morto.b                      20140213
Kingsoft              Win32.Troj.Agent.aa.(kcloud)                20140213
Malwarebytes                                                      20140213
McAfee                W32/Morto                                   20140213
McAfee-GW-Edition     W32/Morto                                   20140213
Microsoft             Worm:Win32/Morto.gen!A                      20140213
MicroWorld-eScan      Win32.Worm.Morto.A                          20140213
NANO-Antivirus        Trojan.Win32.Morto.srfro                    20140213
Norman                Morto.D                                     20140213
nProtect              Win32.Worm.Morto.A                          20140213
Panda                 W32/Morto.C.worm                            20140213
Qihoo-360             Worm.Win32.Morto.A                          20140213
Rising                PE:Trojan.Win32.Generic.12A3268B!312682123  20140213
Sophos                Mal/Morto-A                                 20140213
SUPERAntiSpyware                                                  20140213
Symantec              W32.Morto!gen4                              20140213
TheHacker             Trojan/Agent.syl                            20140212
TotalDefense          Win32/Morto.A                               20140213
TrendMicro            WORM_MORTO.SMA                              20140213
TrendMicro-HouseCall                                              20140213
VBA32                 Worm.Morto                                  20140213
VIPRE                 Trojan.Win32.Morto.c (v)                    20140213
ViRobot               Backdoor.Win32.DsBot.53076                  20140213

Links

Artifacts

Persistence


Registry modifications

The following registry entries are added:

Key              Name  Type        Value
--------------------------------------------------------------------------------
HKLM\SYSTEM\WPA  id    REG_SZ      12651C66WSCE5MOP
HKLM\SYSTEM\WPA  ie    REG_SZ
HKLM\SYSTEM\WPA  it    REG_BINARY  de 07 04 00 01 00 0e 00 07 00 09 00 1e 00 66 03
HKLM\SYSTEM\WPA  md    REG_NONE
HKLM\SYSTEM\WPA  sn    REG_SZ      6to4
HKLM\SYSTEM\WPA  sr    REG_SZ      Sens

Files activity

Created files

The following file is created:

  • C:\WINDOWS\system32\Sens32.dll

It is a copy of the legitimate Microsoft sens.dll file.

Deleted files

The following files are deleted:

File                                    Size                 Type                                                     Hash
--------------------------------------------------------------------------------------------------------------------------------------------
C:\WINDOWS\clb.dll                      6.6 KB (6672 bytes)  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows  fba55458ccbadc041b4515162a55975a
C:\WINDOWS\clb.dllbak                   6.6 KB (6672 bytes)  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows  fba55458ccbadc041b4515162a55975a
C:\WINDOWS\Offline Web Pages\cache.txt  5.5 KB (5632 bytes)  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows  7eec6bf7e76798d5dccdd5012bc0aa43
C:\WINDOWS\Temp\ntshrui.dll             5.5 KB (5632 bytes)  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows  7eec6bf7e76798d5dccdd5012bc0aa43
Note
The two files with MD5 7eec6bf7e76798d5dccdd5012bc0aa43 (C:\WINDOWS\Offline Web Pages\cache.txt and C:\WINDOWS\Temp\ntshrui.dll) are copies of the legitimate WMI.DLL file.

Network indicators

Contacted domains

  • dostest1.qfsl.net
  • flt1.qfsl.net
  • ms.jifr.co.be
  • ms.jifr.co.cc
  • ms.jifr.info
  • st.qfsl.net
  • t.qfsl.net

Requested DNS servers


Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0xe00        0xe00        5.994251    
.rdata     0x2000       0x600        0x600        4.442192    
.data      0x3000       0x46c        0x200        5.939205

Resources

None.

IAT

Module Function
KERNEL32.dll
MFC42.DLL
MSVCRT.dll

Strings


Comments

Keywords: morto MFC 2eef4d8b88161baf2525abfb6c1bac2b