TROJ_CUTWAIL.USVZ

January 09, 2018

Analysis by: John Anthony Banes

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size:

308,224 bytes

File Type:

EXE

Initial Samples Received Date:

30 Dec 2017

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

%User Profile%\tulgenaqixtu.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
"tulgenaqixtu" = "%User Profile%\tulgenaqixtu.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\{random characters}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{random characters}
{random characters} = {hex values}

HKEY_CURRENT_USER\Software\{random characters}
tulgenaqixtu{random characters} = {hex values}

HKEY_CURRENT_USER\Software\Microsoft
"OSversion" = {random numbers}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Regedit32 = %System%\regedit.exe

Other Details

This Trojan connects to the following possibly malicious URL:

{BLOCKED}t.com
{BLOCKED}i.net
{BLOCKED}t.com
{BLOCKED}s.net
{BLOCKED}8.com
{BLOCKED}n.com
{BLOCKED}el.com
{BLOCKED}a.org.eg
{BLOCKED}t.pl
{BLOCKED}g.com
{BLOCKED}st.com
{BLOCKED}c.com
{BLOCKED}n.com
{BLOCKED}a.net
{BLOCKED}ni.com
{BLOCKED}ist.ro
{BLOCKED}a.com
{BLOCKED}z.com.br
{BLOCKED}ex.com
{BLOCKED}-sa.gr
{BLOCKED}z.nl
{BLOCKED}r.co.id
{BLOCKED}pe.biz
{BLOCKED}r.cl
{BLOCKED}ox.es
{BLOCKED}c.si
{BLOCKED}e.com
{BLOCKED}or.com
{BLOCKED}c.at
{BLOCKED}n.com
{BLOCKED}rk.com
{BLOCKED}h.org
{BLOCKED}s.net
{BLOCKED}o.net
{BLOCKED}x.com
{BLOCKED}x.com
{BLOCKED}es.com
{BLOCKED}c.org.au
{BLOCKED}um.com
{BLOCKED}k.org
{BLOCKED}t.com
{BLOCKED}k.ca
{BLOCKED}n.com
{BLOCKED}c.com.sa
{BLOCKED}n.com
{BLOCKED}e.hu
{BLOCKED}l.ws
{BLOCKED}er.com
{BLOCKED}u.com
{BLOCKED}i.com
{BLOCKED}le.com
{BLOCKED}n.com
{BLOCKED}s.com
{BLOCKED}e.org
{BLOCKED}l.com
{BLOCKED}z.by
{BLOCKED}ve.com
{BLOCKED}era.pl
{BLOCKED}o.com
{BLOCKED}st.com
{BLOCKED}t.com.tw
{BLOCKED}i.com.ph
{BLOCKED}er.ru
{BLOCKED}d.com
{BLOCKED}ly.com
{BLOCKED}t.com
{BLOCKED}l.com
{BLOCKED}e.com
{BLOCKED}ix.com
{BLOCKED}n.com
{BLOCKED}s.com
{BLOCKED}i.org
{BLOCKED}c.com
{BLOCKED}p.net
{BLOCKED}a.com
{BLOCKED}o.ru
{BLOCKED}c.com
{BLOCKED}en.com
{BLOCKED}nt.com
{BLOCKED}a.com
cnti.{BLOCKED}n.ru
{BLOCKED}ko.com
{BLOCKED}it.fr
{BLOCKED}t.com
{BLOCKED}m.com
{BLOCKED}b.com
{BLOCKED}up.com
{BLOCKED}i.org
{BLOCKED}o.edu.pl
{BLOCKED}wn.com
{BLOCKED}e.com
{BLOCKED}l.org
{BLOCKED}d.pl
{BLOCKED}ir.com
{BLOCKED}o.com
{BLOCKED}iny.cz
{BLOCKED}o.com
{BLOCKED}ag.org
{BLOCKED}g.net
{BLOCKED}n.com
{BLOCKED}s.com
{BLOCKED}s.net
{BLOCKED}d.de
{BLOCKED}ng.com
{BLOCKED}m.cz
{BLOCKED}t.net
{BLOCKED}t.hu
{BLOCKED}i.net
{BLOCKED}o.si
{BLOCKED}a.net
{BLOCKED}n.com
{BLOCKED}i.com
{BLOCKED}c.com.au
{BLOCKED}e.net
{BLOCKED}a.com
{BLOCKED}ve.com
{BLOCKED}t.org
{BLOCKED}a.org
{BLOCKED}er.de
{BLOCKED}ws.com
{BLOCKED}c.com
{BLOCKED}k.com
{BLOCKED}s.com
{BLOCKED}s.org
{BLOCKED}w.us
{BLOCKED}a.com.pl
{BLOCKED}n.net
{BLOCKED}ox.bm
{BLOCKED}t.com
{BLOCKED}ty.com
{BLOCKED}t.com
{BLOCKED}le.com
{BLOCKED}o.com
{BLOCKED}g.com
{BLOCKED}p.com
{BLOCKED}s.com
{BLOCKED}l.com
{BLOCKED}it.org
{BLOCKED}k.com
{BLOCKED}c.com
{BLOCKED}t.com
{BLOCKED}o.ru
{BLOCKED}me.com
{BLOCKED}r.net
{BLOCKED}t.com
{BLOCKED}s.com
{BLOCKED}c.org
{BLOCKED}s.pt
{BLOCKED}l.com
{BLOCKED}f.net
{BLOCKED}an.us
{BLOCKED}i.com
{BLOCKED}t.do
{BLOCKED}x.net
{BLOCKED}es.com
{BLOCKED}r.hu
{BLOCKED}t.com
{BLOCKED}st.com
{BLOCKED}i.com
{BLOCKED}t.com
{BLOCKED}i.com
{BLOCKED}ch.pl
{BLOCKED}us.pl
{BLOCKED}u.net
{BLOCKED}m.org
{BLOCKED}r.com
{BLOCKED}n.com
{BLOCKED}g.com
{BLOCKED}k.com
{BLOCKED}o.co.uk
{BLOCKED}f.at
{BLOCKED}on.org
{BLOCKED}y.net
{BLOCKED}s.com
{BLOCKED}r.ch
{BLOCKED}l.com
{BLOCKED}n.net
{BLOCKED}me.com
{BLOCKED}l.at
{BLOCKED}a.fr
{BLOCKED}y.com.pl
{BLOCKED}m.com
{BLOCKED}ba.com
{BLOCKED}eb.com
{BLOCKED}fe.com
{BLOCKED}t.net
{BLOCKED}il.com
{BLOCKED}o.com
{BLOCKED}e.com
{BLOCKED}1.net
{BLOCKED}go.ru
{BLOCKED}n.com
{BLOCKED}to.ru
{BLOCKED}ra.com
{BLOCKED}c.com
{BLOCKED}ds.com
{BLOCKED}c.co.uk
{BLOCKED}l.co.jp
{BLOCKED}r.com
{BLOCKED}k.com
{BLOCKED}a.cz
{BLOCKED}mo.com
{BLOCKED}o.net
{BLOCKED}k.com
{BLOCKED}xx.com
{BLOCKED}ope.nl
{BLOCKED}a.info
{BLOCKED}s.si
{BLOCKED}na.org
{BLOCKED}p.com
{BLOCKED}3.com
{BLOCKED}n.com
{BLOCKED}e.com
{BLOCKED}s.com
{BLOCKED}r.com
{BLOCKED}ic.net
{BLOCKED}p.net
{BLOCKED}m.br
{BLOCKED}ck.com
{BLOCKED}p.hu
{BLOCKED}b.com
{BLOCKED}na.com
{BLOCKED}a.com
{BLOCKED}s.com
{BLOCKED}n.de
{BLOCKED}o.net
{BLOCKED}k.nl
{BLOCKED}s.co.uk
{BLOCKED}r.com
{BLOCKED}e.pl
{BLOCKED}nx.org
{BLOCKED}v.{BLOCKED}s.bg
{BLOCKED}e.co.jp
{BLOCKED}se.be
{BLOCKED}g.org
{BLOCKED}s.ru
{BLOCKED}s.com
{BLOCKED}i.com
{BLOCKED}c.edu.au
{BLOCKED}t.com
{BLOCKED}ra.com
{BLOCKED}h.ca
{BLOCKED}a.com
{BLOCKED}mo.com
{BLOCKED}s.com
{BLOCKED}a.com
{BLOCKED}nj.com
ora.{BLOCKED}et.jp
{BLOCKED}o.com
{BLOCKED}as.com
{BLOCKED}r.org
{BLOCKED}a.com
{BLOCKED}m.com
{BLOCKED}ts.ca
{BLOCKED}i.org
{BLOCKED}es.com
{BLOCKED}j.net
{BLOCKED}e.com
{BLOCKED}cu.com
{BLOCKED}es.com
{BLOCKED}s.co.uk
{BLOCKED}t.net
{BLOCKED}s.com
{BLOCKED}x.com
{BLOCKED}n.com
{BLOCKED}b.com
{BLOCKED}n.com
{BLOCKED}e.ua
{BLOCKED}od.com
{BLOCKED}me.com
{BLOCKED}k.com
{BLOCKED}cd.org
{BLOCKED}a.com
{BLOCKED}k.com
{BLOCKED}i.cz
{BLOCKED}d.org
{BLOCKED}ck.com
{BLOCKED}ok.net
{BLOCKED}h.de
{BLOCKED}t.se
{BLOCKED}a.com
{BLOCKED}l.org
{BLOCKED}a.com
{BLOCKED}r.com
{BLOCKED}ia.net
{BLOCKED}n.org
{BLOCKED}g.com
{BLOCKED}r.de
{BLOCKED}n.com
{BLOCKED}g.com
{BLOCKED}y.com
{BLOCKED}e.com
{BLOCKED}w.com
{BLOCKED}v.ro
{BLOCKED}ek.net
{BLOCKED}l.com
{BLOCKED}p.org.uk
{BLOCKED}r3.com
{BLOCKED}k.com
sgk.{BLOCKED}e.pl
{BLOCKED}s.co.uk
{BLOCKED}ts.net
{BLOCKED}t.com
{BLOCKED}r.com
{BLOCKED}s.com
{BLOCKED}le.com
{BLOCKED}m.ru
{BLOCKED}th.com
{BLOCKED}r.com
{BLOCKED}nn.com
{BLOCKED}w.com
{BLOCKED}s.org
{BLOCKED}m.ru
{BLOCKED}rl.com
{BLOCKED}ort.ru
{BLOCKED}r.it
{BLOCKED}o.net
{BLOCKED}f.it
{BLOCKED}k.com
{BLOCKED}er.com
{BLOCKED}n.net
{BLOCKED}an.com
{BLOCKED}i.com
{BLOCKED}al.net
{BLOCKED}m.ch
{BLOCKED}m.com
{BLOCKED}c.co.uk
{BLOCKED}c.com
{BLOCKED}k.net
{BLOCKED}s.net
{BLOCKED}us.nl
{BLOCKED}7.com
{BLOCKED}a.com
{BLOCKED}k.org
{BLOCKED}en.net
{BLOCKED}d.com
{BLOCKED}l.com
{BLOCKED}am.ca
{BLOCKED}o.net
{BLOCKED}n.com
{BLOCKED}ib.com
{BLOCKED}e.com
{BLOCKED}t.jp
{BLOCKED}s.fi
{BLOCKED}s.com
{BLOCKED}n.biz
{BLOCKED}a.edu.ag
{BLOCKED}x.org
{BLOCKED}r.am
{BLOCKED}s.jp
{BLOCKED}i.it
{BLOCKED}g.com
{BLOCKED}r.com
{BLOCKED}l.com
{BLOCKED}it.com
{BLOCKED}r.se
{BLOCKED}ty.com
{BLOCKED}m.com
{BLOCKED}ia.com
{BLOCKED}du.com
{BLOCKED}ay.com
{BLOCKED}is.com
{BLOCKED}nik.dk
{BLOCKED}i.pl
{BLOCKED}a.com
{BLOCKED}c.net
{BLOCKED}nt.com
{BLOCKED}d.com
{BLOCKED}y.com
{BLOCKED}s.com
{BLOCKED}rk.com
{BLOCKED}ll.nl
{BLOCKED}b.com
{BLOCKED}k.net
{BLOCKED}t.org
{BLOCKED}y.com
{BLOCKED}ran.de
{BLOCKED}us.hu
{BLOCKED}t.de
{BLOCKED}c.com
{BLOCKED}6.com
{BLOCKED}m.es
{BLOCKED}i.net
{BLOCKED}i.com
{BLOCKED}t.org
{BLOCKED}a.com
{BLOCKED}l.com
{BLOCKED}5.net
{BLOCKED}c.org
{BLOCKED}ut.com
{BLOCKED}kor.kz
{BLOCKED}ot.net
{BLOCKED}l.com
{BLOCKED}a.cz

TROJ_CUTWAIL.USVZ

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

TROJ_CUTWAIL.USVZ

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific