W32/Maz.B

Analysis

  • Threat is 32-bit and has a UPX compressed file size of 4096 bytes
  • This threat may have been mass-mailed as spam from a hacker or group of hackers
  • When executed, this threat will modify the registry by creating keys and modifying them to load the threat at Windows startup -

    Keys created:
    HKEY_CLASSES_ROOT\.inr
    HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ
    HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ\Done

    Windows startup and other key modifications:

    HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ\
    Time = undefinedH

    Where undefinedH is binary data

    HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ\Done
    (Default) = Done

  • This threat will attempt to connect with the IP address 65.113.119.132 (a ProHosting.com user account) and download a remote access Trojan (RAT) binary with a file size of 30,720 bytes, then execute it.

  • The downloaded Trojan will then copy itself to the Windows\System folder as "MSREXE.EXE" and also modify the registry to load at Windows startup

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    System Service = C:\Windows\System\MSREXE.EXE

    HKEY_LOCAL_MACHINE\System\
    CurrentControlSet\Services\Swartax\
    ImagePath = C:\Windows\System\MSREXE.EXE

  • The downloader threat contains these strings -

    Hello, world Inor
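As an added example (not part of the original analysis, and not a vendor tool), the following PowerShell script checks a Windows host for the indicators listed above: the HKEY_CLASSES_ROOT marker keys written by the downloader, the "System Service" Run value, the Swartax service entry, and the dropped MSREXE.EXE. It is read-only and only reports what it finds. It assumes the Windows directory is wherever %SystemRoot% points (the write-up gives C:\Windows); checking the System32 folder as well is an assumption added for later Windows versions, since the write-up only names Windows\System.

```powershell
# Added example: host check for the W32/Maz.B indicators described in the write-up.
# Read-only; it reports findings and does not delete keys, services or files.
# Assumption: %SystemRoot% is the Windows directory (C:\Windows in the write-up);
# the System32 path is an added fallback not taken from the write-up.

$findings = @()

# 1. Marker keys the downloader creates under HKEY_CLASSES_ROOT\.inr
$markerKey = 'Registry::HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ'
if (Test-Path -LiteralPath $markerKey) {
    $findings += "Marker key present: $markerKey"
    # The "Done" subkey is written once the download stage has completed
    if (Test-Path -LiteralPath "$markerKey\Done") {
        $findings += "Marker key present: $markerKey\Done (download stage completed)"
    }
}

# 2. Run-key persistence: value "System Service" pointing at MSREXE.EXE
$runKey = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue).'System Service'
if ($runVal -and $runVal -match 'MSREXE\.EXE') {
    $findings += "Run value 'System Service' = $runVal"
}

# 3. Service persistence: Swartax service whose ImagePath is MSREXE.EXE
$svcKey = 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax'
if (Test-Path -LiteralPath $svcKey) {
    $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service 'Swartax' present, ImagePath = $img"
}

# 4. Dropped file: MSREXE.EXE in the system directory. The write-up gives the RAT
#    a size of 30,720 bytes, so the size is reported next to the path for triage.
foreach ($dir in @("$env:SystemRoot\System", "$env:SystemRoot\System32")) {
    $path = Join-Path $dir 'MSREXE.EXE'
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += "File present: $path ($size bytes)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Maz.B indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[W32/Maz.B] $_" }
}
```

Run it from an elevated PowerShell prompt so the HKEY_LOCAL_MACHINE service keys are readable. The marker key alone shows that the downloader executed even when the second stage was never fetched, which is why the "Done" subkey is reported separately; a host with the Run value or Swartax service present has reached the RAT stage and should be isolated before any cleanup.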
