Rakningen Trojan

A new “rakningen” Trojan is being spammed. This time it is a downloader, which downloads the following file:
"http://www. dolas.biz/ ssl. exe" (again, the URL has been split) and executes it.

This file, ssl.exe, drops hook.dll, which is injected into most running processes. It creates/edits a lot of registry values.

I don't have time to do a full analysis of the ssl.exe or hook.dll file, but if anyone feels like doing this, I've added the files to the virus database.

Rakningen.exe:
MD5SUM: 736b89407abcf7fd7d1dbb093e780b25
SHA1SUM: 02054ddb71902a08bb0bcbbd491cb08bf6b809d6
SHA256SUM: 64ed6eda14a78f92735bfa4b1a41188b72f3465c7b1f5d8b317f1cde299328da

ssl.exe:
MD5SUM: 1758ad0441e9f81913d8a7982dd15d95
SHA1SUM: ecd6ce40fdf078247912b1525f6f2f69a680d9af
SHA256SUM: 36eed810ed77fab7cf0d61e20e9e22c72fdd24cdad99e3497db7dbd732d4df93

hook.dll:
MD5SUM: 1669ddd28bd171648b9b627d1577a960
SHA1SUM: 5910571c2dc3aebe8a2e1ff2251d0c227e37e3ff
SHA256SUM: 0b8ead97a083a1b05da1cdcd66e9f90d28ec4feab7a7a30e1f20c03d42e14d0d

At the time of writing there is limited desktop antivirus detection on both files:

ssl.exe:
AntiVir 7.2.0.16 09.18.2006 HEUR/Malware
Authentium 4.93.8 09.17.2006 W32/Goldun.gen1@dr
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.15.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.15.2006 no virus found
ClamAV devel-20060426 09.17.2006 Trojan.Downloader.Small-2338
DrWeb 4.33 09.18.2006 DLOADER.Trojan packed by BINARYRES
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.17.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 no virus found
F-Prot 3.16f 09.17.2006 W32/Goldun.gen1@dr
F-Prot4 4.2.1.29 09.17.2006 W32/Goldun.gen1@dr
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4853 09.15.2006 Spy-Agent.ak
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1760 09.18.2006 no virus found
Norman 5.90.23 09.15.2006 no virus found
Panda 9.0.0.4 09.17.2006 Suspicious file
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 Trojan.Bankem.B
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.15.2006 no virus found
VBA32 3.11.1 09.17.2006 suspected of Malware.Agent.4
VirusBuster 4.3.7:9 09.17.2006 no virus found

rakningen.exe:
AntiVir 7.2.0.16 09.18.2006 HEUR/Malware
Authentium 4.93.8 09.17.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.15.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.15.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 09.17.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 Win32/Clagger!generic
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 suspicious
F-Prot 3.16f 09.17.2006 no virus found
F-Prot4 4.2.1.29 09.17.2006 no virus found
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4853 09.15.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1760 09.18.2006 no virus found
Norman 5.90.23 09.15.2006 Suspicious_F.gen
Panda 9.0.0.4 09.17.2006 Suspicious file
Sophos 4.09.0 09.18.2006 Troj/Clagge-Gen
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.15.2006 no virus found
VBA32 3.11.1 09.17.2006 suspected of Downloader.Harnig.40
VirusBuster 4.3.7:9 09.17.2006 no virus found
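To turn listings like the two above into a detection rate (and separate named family hits from heuristic or "suspicious" verdicts), here is an added Python example; it is not code from the post, and the embedded sample is a subset of the ssl.exe lines quoted above, re-used only as test input:

```python
import re
from collections import Counter

# Sample input: a subset of the per-engine lines from the ssl.exe listing
# above, in the same "Engine Version Date Result" layout.
SAMPLE_SCAN = """\
AntiVir 7.2.0.16 09.18.2006 HEUR/Malware
Avast 4.7.844.0 09.15.2006 no virus found
ClamAV devel-20060426 09.17.2006 Trojan.Downloader.Small-2338
DrWeb 4.33 09.18.2006 DLOADER.Trojan packed by BINARYRES
eTrust-Vet 30.3.3084 09.18.2006 no virus found
McAfee 4853 09.15.2006 Spy-Agent.ak
Panda 9.0.0.4 09.17.2006 Suspicious file
Symantec 8.0 09.18.2006 Trojan.Bankem.B
VBA32 3.11.1 09.17.2006 suspected of Malware.Agent.4
"""

# Engine and version never contain spaces; the date is MM.DD.YYYY; the
# verdict is free text and may contain spaces ("no virus found").
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$"
)

def classify(result):
    """Map a raw verdict onto 'clean', 'heuristic' or 'named'."""
    r = result.strip().lower()
    if r == "no virus found":
        return "clean"
    # Generic/suspicious verdicts count as detection but carry no family name.
    if any(w in r for w in ("suspicious", "suspected", "heur/")):
        return "heuristic"
    return "named"

def parse_scan(text):
    """Parse one listing into a list of dicts; rejects malformed lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised scan line: " + line)
        row = m.groupdict()
        row["verdict"] = classify(row["result"])
        rows.append(row)
    return rows

def summarize(rows):
    """Detection counts plus the distinct family names that were assigned."""
    counts = Counter(r["verdict"] for r in rows)
    detected = counts["named"] + counts["heuristic"]
    return {"engines": len(rows), "detected": detected, "named": counts["named"],
            "heuristic": counts["heuristic"], "clean": counts["clean"],
            "ratio": f"{detected}/{len(rows)}",
            "families": sorted({r["result"] for r in rows if r["verdict"] == "named"})}

if __name__ == "__main__":
    print(summarize(parse_scan(SAMPLE_SCAN)))
```

Run against the full ssl.exe and rakningen.exe listings above, the same code gives the per-file ratio the post calls "limited detection" without hand-counting.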