Categories: SpyTrojan

Trojan-Spy.Win32.Stealer.vme (file analysis)

The Trojan-Spy.Win32.Stealer.vme is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Trojan-Spy.Win32.Stealer.vme virus can do?

Executable code extraction
Attempts to connect to a dead IP:Port (3 unique times)
Creates RWX memory
At least one IP Address, Domain, or File Name was found in a crypto call
Performs some HTTP requests
Unconventionial language used in binary resources: Slovenian
The binary likely contains encrypted or compressed data.
The executable is compressed using UPX
Checks for the presence of known windows from debuggers and forensic tools
Installs itself for autorun at Windows startup
Creates a hidden or system file
Attempts to identify installed AV products by installation directory
Checks the CPU name from registry, possibly for anti-virtualization
Detects VirtualBox through the presence of a registry key
Attempts to modify proxy settings
Anomalous binary characteristics

Related domains:

iplogger.org

leatherbond.top

ip-api.com

How to determine Trojan-Spy.Win32.Stealer.vme?


File Info:
crc32: 49E13BE2md5: c6c6653fc0b36d6f34095bb3ff4ea86bname: C6C6653FC0B36D6F34095BB3FF4EA86B.mlwsha1: a03247bee1aac1a7ee259d7a788fc46ab515f9easha256: 118af2c80f1a32b6159d5be25179ce15f8d3a7078e0d70b82d7f194765dc94absha512: 2f1856ac51ff7e8f0869ca51a636d8a2fd45bb64a5ece6a6e1ded120edb8750d35d7be99ef18c1e508e0b2375bd4e2b667b6cd867e602ef8163a00c1e3b03b87ssdeep: 12288:RM7SzJUf+qFyPwpuiXz1EJfpMjWnhG2AG+7jVNqgbJhJXqi7iGMbmZFO8fUyU1i:u7SzJeDEGuiXz1imWwG+nagbJhJXD7itype: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Version Info:
InternalSurname: rebound.exeProduct: 1.7.6FileVersions: 1.0.5.4LegalCo: Copyri (C) 2019, parritionsTranslation: 0x5539 0x00fa

Trojan-Spy.Win32.Stealer.vme also known as:

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.45154640
FireEye	Generic.mg.c6c6653fc0b36d6f
ALYac	Trojan.GenericKD.45154640
Cylance	Unsafe
Sangfor	Malware
BitDefender	Trojan.GenericKD.45154640
K7GW	Trojan ( 0057533c1 )
Cybereason	malicious.ee1aac
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Spy.Win32.Stealer.vme
Alibaba	TrojanSpy:Win32/Stealer.7dd81e91
ViRobot	Trojan.Win32.Z.Kryptik.706048.AO
AegisLab	Trojan.Multi.Generic.4!c
Ad-Aware	Trojan.GenericKD.45154640
Emsisoft	Trojan.GenericKD.45154640 (B)
Comodo	.UnclassifiedMalware@0
F-Secure	Trojan.TR/AD.AHKInfoSteal.qqmpm
DrWeb	Trojan.PWS.Siggen2.60931
McAfee-GW-Edition	BehavesLike.Win32.Trojan.jc
Sophos	Mal/Generic-S
SentinelOne	Static AI – Malicious PE
Avira	TR/AD.AHKInfoSteal.qqmpm
eGambit	Unsafe.AI_Score_83%
MAX	malware (ai score=81)
Kingsoft	Win32.Troj.Stealer.v.(kcloud)
Microsoft	Trojan:Win32/Glupteba!ml
Gridinsoft	Trojan.Win32.Kryptik.oa
Arcabit	Trojan.Generic.D2B10150
ZoneAlarm	Trojan-Spy.Win32.Stealer.vme
GData	Trojan.GenericKD.45154640
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Kryptik.R360326
McAfee	GenericRXAA-AA!C6C6653FC0B3
VBA32	BScope.Trojan.Injuke
Malwarebytes	Trojan.MalPack.GS
Panda	Trj/GdSda.A
ESET-NOD32	a variant of Win32/Kryptik.HIKN
Tencent	Win32.Trojan-spy.Stealer.Taew
Ikarus	Trojan.Win32.Crypt
Fortinet	W32/Kryptik.HFSR!tr
BitDefenderTheta	Gen:NN.ZexaF.34700.RmGfaezzJvoc
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Generic/HEUR/QVM11.1.27B0.Malware.Gen