polonus
1
See: https://www.virustotal.com/nl/url/e056cb05170bac0ef9e8899f3541493fc76e1e8ea87b1d99b488fa7925f5c093/analysis/1384036520/
File detection: https://www.virustotal.com/nl/file/7fdb2c64e137c3e631c958255245e7876f6467e82ca165d36ee07859ff466612/analysis/1384032213/
IDS alerts: http://urlquery.net/report.php?id=7554571
htxp://emang.co.kr/app/1207/boosting_zwip.exe is in Dr.Web malicious sites list!
htxp://emang.co.kr/app/1207/boosting_zwip.exe/_=95=80\pidadd.dll infected with Trojan.Adkor.45
URIs with pidadd.dll are alerted by avast as infested - URL:Mal
pol
polonus
3
Checked it there independently of you: https://malwr.com/analysis/MzkwNWM0NDY5NDczNGM4YzhkMjY5MDc0MzJhNmE0ZTM/
Part of what is found there is flagged modern-wizard.bmp for instance ->: http://f.virscan.org/modern-wizard.bmp.html
nsz4.tmp is part of adware and trojan Buzus etc. and is also found inside bankstealers.
And also this “nsdialogs.dll”: http://www.threatexpert.com/files/nsDialogs.dll.html
use of YARA shellcode - Matched shellcode byte patterns could lead to FPs in signed certified files.
The accompanying VT scan: https://www.virustotal.com/nl/file/7fdb2c64e137c3e631c958255245e7876f6467e82ca165d36ee07859ff466612/analysis/
pol
I can check the file in a VM when the Malwarebytes scan of the PUP finished and the log is uploaded.
polonus
6
I checked that file and got it via get in Malzilla then performed an avast scan on the downloaded executable. To no avail.
See whether you get a similar result with the PUP scanner, will ye?
Damian
Not detected here on download either.
Restarting the VM now to apply Avast settings.
The trojan is restarting the VM now.
polonus
10
Hi Steven Winderlich,
This is interesting read on MalwareBytes’s forum: https://forums.malwarebytes.org/index.php?showtopic=130155
Verdict fresh “bankstealer” malcode.
So DrWeb’s and our findings are coming to fruition.
Let us see how detection is going to expand ;D
And again thanks for the assist 
Damian
The Trojan set an autorun key.
I cannot see anything suspicious in Temp, Roaming or Appdata.
Running an OTL Scan now.
File is sitting in C:\Program Files\boosting\boosting.exe
File is malicious for Symantec: https://www.virustotal.com/de/file/c9338bc743e36f670bc7924a162b461d03e2b39506a47a5be0cd47338fa65b00/analysis/1384041403/
OTL logs attached.
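Damian reports that the trojan set an autorun key and that the binary sits under C:\Program Files\boosting. The script below is an added example, not something posted in this thread or produced by OTL: it enumerates the standard per-user and machine-wide Run/RunOnce keys, extracts each entry's target executable, and flags entries that point into a given folder or whose target lacks a valid Authenticode signature (the thread's own question of a signed "Pacifics Co." file versus a real bankstealer makes the signature status worth seeing next to the path). The default folder is taken from Damian's post and is the only page-specific value; the flagging rule and helper name are this example's own.

```powershell
# Added example (not from the thread): audit the usual Run/RunOnce autostart keys and
# flag entries that point into a suspect folder or to a binary without a valid signature.
# $SuspectFolder defaults to the path Damian reported; adjust it for the case at hand.
param(
    [string]$SuspectFolder = 'C:\Program Files\boosting'
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunTarget {
    # Pull the executable path out of a Run value such as
    #   "C:\x\y.exe" /arg   or   C:\x\y.exe /arg
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, PSChildName, ...).
        if ($p.Name -like 'PS*') { continue }

        $target   = Get-AutorunTarget ([string]$p.Value)
        $inFolder = $target -like "$SuspectFolder*"

        # 'Valid' means a chain-trusted Authenticode signature; anything else
        # ('NotSigned', 'HashMismatch', 'UnknownError', or a missing file) gets reviewed.
        $sig = if (Test-Path -LiteralPath $target) {
            (Get-AuthenticodeSignature -FilePath $target).Status
        } else { 'FileMissing' }

        $verdict = if ($inFolder -or $sig -ne 'Valid') { 'REVIEW' } else { 'ok' }

        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Target    = $target
            Signature = $sig
            Verdict   = $verdict
        }
    }
}
```

Run it from an elevated prompt so the HKLM keys are readable, and pipe the output to Format-Table or Export-Csv for the thread. It only reads the registry and file signatures; removing an entry and the folder, as Damian does later, stays a manual decision after review.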
polonus
12
Hi Steven Winderlich,
Maybe we are up to something here. Did you upload the file to virus AT avast dot com with a link to this thread?
We have a lot of users in that theater area of the globe, so they certainly will need protection against this malcode!
Damian
File is reported and linked to here.
polonus
14
Thank you. That is the responsible way to go forward with this,
and that is what DavidR taught us all.
First report to avast then comment.
Well it could be undetected malware in the worst case scenario or at least a PUP detection with a low threat level.
It could also be a false positive on a signed developer file (Pacifics Co.)
with most likely this FP depending on a detected packer.
In that case my best bet will be on YARA used.
Damian
File is still only detected by Symantec and DR Web.
You will also need to delete the folder C:\Programme\boosting
Nope.
I have a backup of the VM, clean.