Threat Encyclopedia
W32/Maz.B
Analysis
- Threat is 32-bit and has a UPX-compressed file size of 4096 bytes
- This threat may have been mass-mailed as spam from a hacker or group of hackers
- When executed, this threat will modify the registry by creating keys and modifying them to load the threat at Windows startup.
Keys created:
HKEY_CLASSES_ROOT\.inr
HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ
HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ\Done
Windows startup and other key modifications:
HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ\
Time = [binary data]
HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ\Done
(Default) = Done
- This threat will attempt to connect with the IP address 65.113.119.132 (a ProHosting.com user account) and download a remote access Trojan (RAT) binary with a file size of 30,720 bytes, then execute it.
- The downloaded Trojan will then copy itself to the Windows\System folder as "MSREXE.EXE" and also modify the registry to load at Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
System Service = C:\Windows\System\MSREXE.EXE
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax\
ImagePath = C:\Windows\System\MSREXE.EXE
- The downloader threat contains these strings:
Hello, world Inor
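A read-only check for the persistence artifacts this entry lists, added here as an example; it is not part of the original analysis. It uses only the key names, value names and paths given above, assumes the C:\Windows\System location stated in the entry, and additionally looks under $env:SystemRoot\System in case the install root differs.

```powershell
# Added example, not from the original entry: enumerate the W32/Maz.B / Swartax
# persistence artifacts described above without modifying anything.
$findings = @()

# Registry keys the downloader creates under HKEY_CLASSES_ROOT
$hkcrKeys = @(
    'Registry::HKEY_CLASSES_ROOT\.inr',
    'Registry::HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ',
    'Registry::HKEY_CLASSES_ROOT\.inr\pzeoMm6erZrondFQ\Done'
)
foreach ($key in $hkcrKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# Run-key value the downloaded RAT adds ("System Service" pointing at MSREXE.EXE)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'System Service'
if ($runValue -and $runValue -match 'MSREXE\.EXE') {
    $findings += "Run value 'System Service' = $runValue"
}

# Service entry named Swartax whose ImagePath the entry gives as MSREXE.EXE
$svcKey = 'HKLM:\System\CurrentControlSet\Services\Swartax'
if (Test-Path -LiteralPath $svcKey) {
    $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service 'Swartax' present, ImagePath = $imagePath"
}

# Dropped RAT binary; the entry lists 30,720 bytes for the downloaded file.
# The second path is an assumption covering a non-default install root.
$candidates = @('C:\Windows\System\MSREXE.EXE', "$env:SystemRoot\System\MSREXE.EXE") |
    Select-Object -Unique
foreach ($candidate in $candidates) {
    if (Test-Path -LiteralPath $candidate) {
        $size = (Get-Item -LiteralPath $candidate).Length
        $findings += "File present: $candidate ($size bytes; entry lists 30,720)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Maz.B / Swartax persistence artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run from an elevated PowerShell session so the HKLM service key and the System folder are readable; a hit on any line is a prompt for a full scan, not a confirmed infection on its own.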