ThreatExpert Report: Trojan Horse, Backdoor.Win32.Prorat.npv, BackDoor-AVW, Troj/Prorat-19..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 21 March 2018, 03:08:43
Processing time: 5 min 30 sec
Submitted sample:

File MD5: 0xA9A9F86D48E743A425B39D3C3B8B34BF
File SHA-1: 0xA3B9028410F5B4B6CB0A5A831374971DEA03DBF4
Filesize: 350,764 bytes
Alias:

Trojan Horse [Symantec]
Backdoor.Win32.Prorat.npv [Kaspersky Lab]
BackDoor-AVW [McAfee]
Troj/Prorat-19 [Sophos]
Backdoor:Win32/Prorat.L [Microsoft]
Backdoor.Win32.VB [Ikarus]
Win-Trojan/Prorat.350764.K [AhnLab]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.ProRAT.K	ProRAT.K is a remote administrative trojan. It allows an attacker to take full control of a compromised computer. It also logs all keystrokes to a text file which can be accessed by the attacker. It also hides itself from task manager and process monitors.
Trojan.Crypt.S	Trojan.Crypt.S is a backdoor trojan which opens a random port and allows hackers to gain unauthorised access to the infected system. It also attempts to terminate antivirus, firewall and other security related processes.
Adware.Component.Unrelated	These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
services.exe	%Windir%\services.exe	2,080,768 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	2,080,768 bytes
fservice.exe	%System%\fservice.exe	2,080,768 bytes
sservice.exe	%Windir%\system\sservice.exe	2,080,768 bytes

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
reginv.dll	%System%\reginv.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2530000 - 0x2539000
winkey.dll	%System%\winkey.dll	Process name: services.exe Process filename: %Windir%\services.exe Address space: 0xA90000 - 0xA9B000
reginv.dll	%System%\reginv.dll	Process name: services.exe Process filename: %Windir%\services.exe Address space: 0xAD0000 - 0xAD9000
reginv.dll	%System%\reginv.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x3D0000 - 0x3D9000
winkey.dll	%System%\winkey.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1C80000 - 0x1C8B000
reginv.dll	%System%\reginv.dll	Process name: VMwareUser.exe Process filename: %ProgramFiles%\vmware\vmware tools\vmwareuser.exe Address space: 0x9A0000 - 0x9A9000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]

StubPath = "%Windir%\system\sservice.exe"

so that %Windir%\system\sservice.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

DirectX For Microsoft? Windows = "%System%\fservice.exe"

so that %System%\fservice.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]

Bulas = "1"
FW_KILL = "1"
XP_FW_Disable = "1"
XP_SYS_Recovery = "1"
ICQ_UIN = "087/03/32/033"
ICQ_UIN2 = "046007686"
Kurban_Ismi = "whbuhl"
Mail = "cnlcdsl`oAx`inn/bnl"
Online_List = "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh"
Port = "4001"
Sifre = "032547"
Hata = ""
KSil = "1"
LanNotifie = ""
Tport = "0"
ServerVersionInt = "19"

The following Registry Value was modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Shell =

Other details

The following Host Names were requested from a host database:

192.5.5.241
0.0.0.0

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%System%\winkey.dll

the hook is handled by its export "Kisses_To_Trojanhunter()"

%System%\reginv.dll

the hook is handled by its export "HookProc()"

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.