Trojan.Adkor.45 not detected?

See: https://www.virustotal.com/nl/url/e056cb05170bac0ef9e8899f3541493fc76e1e8ea87b1d99b488fa7925f5c093/analysis/1384036520/
File detection: https://www.virustotal.com/nl/file/7fdb2c64e137c3e631c958255245e7876f6467e82ca165d36ee07859ff466612/analysis/1384032213/
IDS alerts: http://urlquery.net/report.php?id=7554571
htxp://emang.co.kr/app/1207/boosting_zwip.exe is in Dr.Web malicious sites list!
htxp://emang.co.kr/app/1207/boosting_zwip.exe/_=95=80\pidadd.dll infected with Trojan.Adkor.45
URIs with pidadd.dll are alerted by avast as infested - URL:Mal

pol

Let's check it. :wink:

Malwr analysis: https://malwr.com/analysis/ZDJiNzUwY2IyNDIxNGZhZWE5OGIyMDExMzM3NzExYmY/

Norton: http://safeweb.norton.com/report/show?url=emang.co.kr

AVG: http://www.avgthreatlabs.com/website-safety-reports/domain/emang.co.kr/

Checked it there independently from you: https://malwr.com/analysis/MzkwNWM0NDY5NDczNGM4YzhkMjY5MDc0MzJhNmE0ZTM/

Part of what is found there is flagged modern-wizard.bmp for instance ->: http://f.virscan.org/modern-wizard.bmp.html
nsz4.tmp is part of adware and trojan Buzus etc. and is also found inside bankstealers.
And also this “nsdialogs.dll”: http://www.threatexpert.com/files/nsDialogs.dll.html
Use of YARA shellcode - matched shellcode byte patterns could lead to FPs in signed certified files.

The accompanying VT scan: https://www.virustotal.com/nl/file/7fdb2c64e137c3e631c958255245e7876f6467e82ca165d36ee07859ff466612/analysis/

pol

I can check the file in a VM when the Malwarebytes scan of the PUP finished and the log is uploaded.

VM is resetting now.

I checked that file and got it via get in Malzilla, then performed an avast scan on the downloaded executable. To no avail.
See whether you get a similar result with the PUP scanner, will ye?

Damian

Not detected here on download either.

Restarting the VM now to apply Avast settings.

The trojan is restarting the VM now.

Hi Steven Winderlich,

This is interesting read on MalwareBytes’s forum: https://forums.malwarebytes.org/index.php?showtopic=130155
Verdict fresh “bankstealer” malcode.
So Dr.Web's and our findings are coming into fruition.
Let us see how detection is going to expand ;D
And again thanks for the assist :wink:

Damian

The Trojan set an autorun key.

I cannot see anything suspicious in Temp, Roaming or Appdata.

Running an OTL Scan now.

File is sitting in C:\Program Files\boosting\boosting.exe

File is malicious for Symantec: https://www.virustotal.com/de/file/c9338bc743e36f670bc7924a162b461d03e2b39506a47a5be0cd47338fa65b00/analysis/1384041403/

OTL logs attached.

Hi Steven Winderlich,

Maybe we are up to something here. Did you upload the file to virus AT avast dot com with a link to this thread?
We have a lot of users in that theater area of the globe, so they certainly will need protection against this malcode!

Damian

File is reported and linked to here.

Thank you. That is the responsible way to go forward with this,
and that is what DavidR taught us all.
First report to avast then comment.
Well, it could be undetected malware in the worst case scenario or at least a PUP detection with a low threat level.
It could also be a false positive on a signed developer file (Pacifics Co.)
with most likely this FP depending on a detected packer.
In that case my best bet will be on YARA used.

Damian

File is still only detected by Symantec and Dr.Web.

You will also need to delete the folder C:\Programme\boosting

Nope.

I have a backup of the VM, clean.