Low detection “Flash_update.exe”

UIC’s [Quick Analysis] blog posts are a fast way to share some information and/or samples which are under our microscope.

About “Flash_update.exe”

During my daily malware hunting I came across a sample reported by clean-mx at the following address:
http://support.clean-mx.de/clean-mx/viruses.php?id=14808464

We have an executable named “Flash_update.exe” with (at the moment of writing) a low detection rate (1/46):

VT link: https://www.virustotal.com/en/file/1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b/analysis/

SHA256: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b
SHA1: b4e581f173f782a2f1da5d29c95946ee500eb2d0
MD5: 42893adbc36605ec79b5bd610759947e
File size: 60.4 KB ( 61804 bytes )
File name: Flash_update.exe
File type: Win32 EXE


The sample has also been submitted to malwr.com; more information is available at the following address:

https://malwr.com/analysis/MTliN2QzNDEyNzZkNDIxMzhhOWRhZDVlMmI0NDU5MmY/#

We can see that “Flash_update.exe” drops three new files in “\Documents and Settings\[USER]\Application Data”, as shown in the following screenshot:

[Figure 1: screenshot of the three dropped files]

evilcry$ md5 *.*
MD5 (NvSmartMax.dll) = 2d8fb1f82724cf542cd2e3a5e041fb52
MD5 (NvSmartMax.dll.url) = 7aefbad9367ab56db1f6f20dcfcd38a0
MD5 (svchost.exe) = 09b8b54f78a10c435cd319070aa13c28

File information:

$ file *.*
NvSmartMax.dll:     PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
NvSmartMax.dll.url: data
svchost.exe:        PE32 executable for MS Windows (GUI) Intel 80386 32-bit

By setting up a network capture, we observed SSL-encrypted traffic directed to

info.imly.org

The SSL traffic can be intercepted and decrypted with a proxy such as Fiddler; the following screenshot shows the decrypted data sent to the server:

[Figure 2: Fiddler screenshot of the decrypted data sent to the server]


The pattern is:
computer=COMPUTERNAME[USER]&lanip=IP&uid=SOMEID&os=RUNNINGOS&relay=TIME&data=DATA
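As an added example (not code from the original post), the following Python flags decrypted proxy entries whose request parameters match the beacon pattern above, so the same signature can be reused over Fiddler or proxy logs. The entry layout ({'host','url','body'}) and all sample values are assumptions constructed for illustration; only the six key names and the host info.imly.org come from the post.

```python
# Added example: detect the beacon key set described in the post in decrypted
# proxy entries. Log layout and sample values are constructed assumptions.
from urllib.parse import parse_qs, urlsplit

# Key set taken from the pattern in the post; C2 host as observed in the post.
BEACON_KEYS = {"computer", "lanip", "uid", "os", "relay", "data"}
KNOWN_C2_HOST = "info.imly.org"

def extract_params(url, body):
    """Merge query-string and form-body parameters into one dict (first value wins)."""
    params = {}
    for raw in (urlsplit(url).query, body or ""):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            params.setdefault(key, values[0])
    return params

def classify(entry):
    """Return (is_beacon, reasons) for one decoded request.
    The {'host','url','body'} layout is an assumption about the log format."""
    params = extract_params(entry.get("url", ""), entry.get("body"))
    reasons = []
    if BEACON_KEYS.issubset(params):
        reasons.append("all six beacon keys present")
        # The post shows computer=COMPUTERNAME[USER]: hostname with the user in brackets.
        computer = params["computer"]
        if "[" in computer and computer.endswith("]"):
            reasons.append("computer field uses HOST[USER] form")
    if entry.get("host", "").lower() == KNOWN_C2_HOST:
        reasons.append("destination is the observed C2 host")
    return bool(reasons), reasons

def scan(entries):
    """Return (host, reasons) for every entry classified as a beacon."""
    hits = []
    for entry in entries:
        is_beacon, reasons = classify(entry)
        if is_beacon:
            hits.append((entry["host"], reasons))
    return hits

# Constructed sample entries; hosts other than info.imly.org are placeholders.
SAMPLE_ENTRIES = [
    {"host": "info.imly.org", "url": "/",
     "body": "computer=WS01[alice]&lanip=10.0.0.5&uid=A1B2&os=WinXP&relay=1391000000&data=x"},
    {"host": "www.example.com", "url": "/search?q=flash+update", "body": ""},
    # Same key set sent to a different host: caught by the parameter signature alone.
    {"host": "cdn.example.net", "body": None,
     "url": "/b.php?computer=PC7[bob]&lanip=192.168.1.4&uid=9&os=Win7&relay=5&data=y"},
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_ENTRIES):
        print(host, "->", "; ".join(reasons))
```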

You can download the sample and dropped files if you like. Password is as usual: infected

Evilcry