
 #27872  by 711PartTimeJob
 Sun Feb 14, 2016 9:02 pm
I have been looking for this dropper for a while now. Here is what I know about it:
1. It adds a folder to ProgramData called "morenamow".
2. It drops quite a few files, such as "DegwOopoo.exe", "Magufof.exe", "pitciiojpu.exe" (etc.).
3. The dropper executes a few files from the folder and adds them to a service.
4. As it drops files, it will also drop "boostwebapp_installer__1433960080.txt" to "Appdata\local\temp".
As the text file suggests, it might be an installer for boostwebapp.

Virustotal scan I found for the file in question: https://www.virustotal.com/en/file/e86b ... /analysis/

Hashes:
MD5: 5d5d38e9fc755c79598e452bf1924993
SHA1: 386a667b45e9eb79e75168e3aadddb80ec81c95e
SHA256: e86bb8a6db515fb993adb4f7503f02fcd8d99e7f561df1a5028ed9615411d22b