Antivirus scan for 8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d at 2014-03-04 17:56:28 UTC

Antivirus	Result	Update
AhnLab-V3	PUP/Win32.TSULoader	20140304
AntiVir	Adware/InstalleRex.2108	20140304
Antiy-AVL	RiskWare[Downloader:not-a-virus,HEUR]/Win32.AdLoad	20140304
Avast	Win32:InstalleRex-BH [PUP]	20140304
AVG	MalSign.Generic.256	20140303
Comodo	Application.Win32.InstalleRex.KG	20140304
DrWeb	Trojan.WebPick.29	20140304
ESET-NOD32	a variant of Win32/InstalleRex.O	20140304
GData	Win32.Application.InstalleRex.E	20140304
K7GW	Unwanted-Program ( 0049574e1 )	20140304
Kaspersky	Trojan.Win32.AntiFW.b	20140304
Kingsoft	Win32.Troj.AntiFW.b.(kcloud)	20140304
Malwarebytes	PUP.Optional.Installer.REX	20140304
Qihoo-360	Malware.QVM20.Gen	20140304
Rising	PE:PUF.InstallRex!1.9E4C	20140304
VBA32	Downloader.AdLoad	20140304
VIPRE	Installerex/WebPick (fs)	20140304
Ad-Aware		20140304
Yandex		20140302
Baidu-International		20140304
BitDefender		20140304
Bkav		20140304
ByteHero		20140304
CAT-QuickHeal		20140304
ClamAV		20140304
CMC		20140228
Commtouch		20140304
Emsisoft		20140304
F-Prot		20140304
F-Secure		20140304
Fortinet		20140304
Ikarus		20140304
Jiangmin		20140304
K7AntiVirus		20140304
McAfee		20140304
McAfee-GW-Edition		20140304
Microsoft		20140304
eScan		20140304
NANO-Antivirus		20140304
Norman		20140304
nProtect		20140304
Panda		20140304
Sophos AV		20140304
SUPERAntiSpyware		20140304
Symantec		20140304
TheHacker		20140303
TotalDefense		20140304
TrendMicro		20140304
TrendMicro-HouseCall		20140304
ViRobot		20140304

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.

Authenticode signature block and FileVersionInfo properties

Publisher Sergey Petrov

Product Right Soft

Original name TSULoader.exe

Internal name TSULoader

File version 2014.3.2.1434

Description Installer for Right Soft

Comments WinNT (x86) Unicode Lib Rel

Signature verification Signed file, verified signature

Signers

[+] Sergey Petrov

[+] COMODO Code Signing CA 2

[+] UTN-USERFirst-Object

[+] USERTrust

PE header basic information

Target machine Intel 386 or later processors and compatible processors

Compilation timestamp 2013-03-12 08:51:45

Entry Point 0x000014DB

Number of sections 7

PE sections

Name Virtual address Virtual size Raw size Entropy MD5

.text 4096 7672 7680 6.50 b1ae6dcdc3a7ba319c6d5e0b1a2eadbc

.rdata 12288 1794 2048 4.70 cd4f20f041a2da05dfe5974fe61bd4ec

.data 16384 1040 0 0.00 d41d8cd98f00b204e9800998ecf8427e

.rsrc 20480 8288 8704 3.99 cb539ba4a412d7419c6d5edc8fc03c5e

.reloc 32768 348 512 3.02 938152484b33bca77bd622973abb524e

.tsustub 36864 120967 121344 8.00 ced43a410245fa01194fc0688a5085ee

.tsuarch 159744 175104 175104 8.00 09958aa1870a26981338585e0cfd3ddd

PE imports

[+] KERNEL32.dll

[+] USER32.dll

[+] VERSION.dll

Number of PE resources by type

RT_ICON 3

RT_MANIFEST 1

RT_VERSION 1

RT_GROUP_ICON 1

Number of PE resources by language

NEUTRAL 6

PE resources

01e6576e70a6a50ed4068389f28751b469d5688a6c3756c8bceb3443c0b352c0 data

38fff61009d6791c7dd10fe64212dfbd5fe8f43449d1fea56351c71804e2423b data

6d09cf8fd3edefc7e7e93f848b9cc0193b3f256f1dc1c854f713a1a1985ba258 data

82fd76c9bd1278884b6d6673eff8701efef964eadb1a5c6a1707665f5f48d138 data

b79eb12aa051e82ff0870617397bb433765fd337367a159e80961e34f3fd82c9 data

d1e1a7d27e0fc5855a5fc12f5a47f67edee075f769133b855d864b153a981e5a data

ExifTool file metadata

SubsystemVersion

4.0

Comments

WinNT (x86) Unicode Lib Rel

LinkerVersion

8.0

ImageVersion

6.0

ProductName

Right Soft

FileVersionNumber

2014.3.2.1434

UninitializedDataSize

LanguageCode

Neutral

FileFlagsMask

0x003f

CharacterSet

Unicode

PackageCode

{8B2F7744-2A0A-49B8-AB53-622850CC55B2}

InitializedDataSize

307712

OriginalFilename

TSULoader.exe

MIMEType

application/octet-stream

ProductCode

{1298F6E9-9E4C-4B3B-9549-0E50C623D394}

FileVersion

2014.3.2.1434

TimeStamp

2013:03:12 09:51:45+01:00

FileType

Win32 EXE

PEType

PE32

InternalName

TSULoader

FileAccessDate

2014:03:04 18:56:01+01:00

FileDescription

Installer for Right Soft

OSVersion

4.0

FileCreateDate

2014:03:04 18:56:01+01:00

FileOS

Win32

Subsystem

Windows GUI

MachineType

Intel 386 or later, and compatibles

CompanyName

Right Soft

CodeSize

7680

FileSubtype

ProductVersionNumber

1.0.0.3

EntryPoint

0x14db

ObjectFileType

Executable application

Arguments

File identification

MD5 92100d3bbe0119fd0357e0737a13e505

SHA1 edcaf0cb7cef0378856645a5a9d9d625ef4d2496

SHA256 8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d

ssdeep

6144:8rjbUzkuvcBYC47l2xhPAj9yshh1/9CSFuXWzMJSeJMLBz8xsA3:8rIkuveY3uPw4shT9Nnz62xQsA3

imphash a8286b574ff850cd002ea6282d15aa40

File size 314.2 KB ( 321712 bytes )

File type Win32 EXE

Magic literal

PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID	Win32 Executable MS Visual C++ (generic) (67.3%) Win32 Dynamic Link Library (generic) (14.2%) Win32 Executable (generic) (9.7%) Generic Win/DOS Executable (4.3%) DOS Executable Generic (4.3%)

VirusTotal metadata

First submission 2014-03-04 17:56:28 UTC ( 5 years, 1 month ago )

Last submission 2014-03-04 17:56:28 UTC ( 5 years, 1 month ago )

File names

TSULoader
TSULoader.exe
Viral Lock – Like, Google 1 or Tweet Plugin – V1.5.zip.exe

Advanced heuristic and reputation engines

ClamAV

Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

C:\8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\TsuE8861CDF.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d.log (successful)

C:\WINDOWS\system32\msi.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\2FEC3B90.dat (successful)

\\.\PIPE\lsarpc (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\_Setup.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.ico (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Readme.txt (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Custom.dll (successful)

Read files

C:\8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\2FEC3B90.dat (successful)

c:\autoexec.bat (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\TsuE8861CDF.dll (successful)

C:\WINDOWS\Registration\R000000000007.clb (successful)

Written files

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\TsuE8861CDF.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d.log (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\2FEC3B90.dat (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\_Setup.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.ico (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Readme.txt (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Custom.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.exe (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\down.1012.1.ini (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\x86\regsvr32.exe (successful)

Copied files

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\_Setup.dll
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\_Setup.dll (successful)

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.ico
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.ico (successful)

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Readme.txt
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Readme.txt (successful)

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Custom.dll
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Custom.dll (successful)

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.exe
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.exe (successful)

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\TsuE8861CDF.dll
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\TsuDll.dll (successful)

Moved files

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\down.1012.1.ini
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\2FEC3B90\cfg\1.ini (successful)

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\TsuE8861CDF.dll
DST: (null) (successful)

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d.log
DST: C:\Documents and Settings\All Users\Application Data\InstallMate\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\20140304210930.log (successful)

Deleted files

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\2FEC3B90.dat (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\down.1012.1.ini.part (failed)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\down.1012.1.ini.part (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\_tin0B12.bat (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.ico (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Setup.exe (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Readme.txt (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\Custom.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\_Setup.dll (successful)

C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\{FFAAC5E9-77E5-490F-ABE4-3FC72449E71F}\x64\regsvr32.exe (successful)

Set keys

KEY: HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
TYPE: REG_DWORD
VALUE: 1 (successful)

KEY: HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
TYPE: REG_DWORD
VALUE: 0 (successful)

KEY: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
TYPE: REG_DWORD
VALUE: 0 (successful)

KEY: HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
TYPE: REG_BINARY
VALUE: (successful)

KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass
TYPE: REG_DWORD
VALUE: 1 (successful)

KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName
TYPE: REG_DWORD
VALUE: 1 (successful)

KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet
TYPE: REG_DWORD
VALUE: 1 (successful)

KEY: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
TYPE: REG_SZ
VALUE: C:\Documents and Settings\All Users\Documents (successful)

KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\\BaseClass
TYPE: REG_SZ
VALUE: Drive (successful)

KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Administrative Tools
TYPE: REG_SZ
VALUE: (successful)

Created processes

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\_tin0B12.bat"" (successful)

Created mutexes

{8B2F7744-2A0A-49B8-AB53-622850CC55B2} (successful)

RasPbFile (failed)

Opened mutexes

RasPbFile (successful)

ShimCacheMutex (successful)

Searched windows

CLASS: TSUWNDW
NAME: (null)

Opened service managers

MACHINE: localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)

Opened services

RASMAN (successful)

Runtime DLLs

c:\docume~1\<USER>~1\locals~1\temp\tsue8861cdf.dll (successful)

rpcrt4.dll (successful)

shell32.dll (successful)

ole32.dll (successful)

sxs.dll (successful)

mscoree.dll (failed)

rstrtmgr.dll (failed)

comctl32.dll (successful)

secur32.dll (successful)

userenv.dll (successful)

Additional details

The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

HTTP requests

URL: http://r1.getapplicationmy.info/?report_version=5&
TYPE: POST
USER AGENT: TixDll

URL: http://c1.getapplicationmy.info/?step_id=1&installer_id=6528171130982340272&publisher_id=1091&source_id=0&page_id=0&affiliate_id=0&country_code=DK&locale=EN&browser_id=2&download_id=1328357027810075468&external_id=1393955739963512841&session_id=11736339046491842492&hardware_id=214676587712253389&q=Viral+Lock+%E2%80%93+Like%2C+Google+1+or+Tweet+Plugin+%E2%80%93+V1.5.zip&q=Viral+Lock+%E2%80%93+Like%2C+Google+1+or+Tweet+Plugin+%E2%80%93+V1.5.zip&product_name=Viral+Lock+%E2%80%93+Like%2C+Google+1+or+Tweet+Plugin+%E2%80%93+V1.5.zip&installer_file_name=Viral+Lock+%E2%80%93+Like%2C+Google+1+or+Tweet+Plugin+%E2%80%93+V1.5.zip&external_id=1393955739963512841&filesize=
TYPE: GET
USER AGENT: TixDll

DNS requests

r1.getapplicationmy.info (54.201.215.30)

c1.getapplicationmy.info (54.201.215.30)

TCP connections

54.201.215.30:80

UDP communications

64.4.10.33:123

SHA256:	8312af396b4051e06746dcda8b3f550cabe3daed8f879b152071ca81ff85e50d
File name:	Viral Lock – Like, Google 1 or Tweet Plugin – V1.5.zip.exe
Detection ratio:	17 / 50
Analysis date:	2014-03-04 17:56:28 UTC ( 5 years, 1 month ago )

Ciphered bundle

Authenticode signature block and FileVersionInfo properties

PE header basic information

PE sections

PE imports

Number of PE resources by type

Number of PE resources by language

PE resources

ExifTool file metadata

File identification

VirusTotal metadata

Advanced heuristic and reputation engines

Leave your comment...

Opened files

Read files

Written files

Copied files

Moved files

Deleted files

Set keys

Created processes

Created mutexes

Opened mutexes

Searched windows

Opened service managers

Opened services

Runtime DLLs

Additional details

HTTP requests

DNS requests

TCP connections

UDP communications

Recover your password

Join VirusTotal Community

Sign in