PUA.Win64.FusionCore.AD

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %System Root%\spltmp.bmp
• %User Temp%\0064D2DA.log
• %User Temp%\0064DD2A.log
• %User Temp%\0064DDC7.log
• %User Temp%\nsd{Random Numbers}\bootstrap_1888.html
• %User Temp%\nsd{Random Numbers}\css\ie6_main.css
• %User Temp%\nsd{Random Numbers}\css\main.css
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\browse.css
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\button.css
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\checkbox.css
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\images\button-bg.png
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\images\progress-bg.png
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\images\progress-bg2.png
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\images\progress-bg-corner.png
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\progress-bar.css
• %User Temp%\nsd{Random Numbers}\csshover3.htc
• %User Temp%\nsd{Random Numbers}\images\Loader.gif
• %User Temp%\nsd{Random Numbers}\locale\AF.locale
• %User Temp%\nsd{Random Numbers}\locale\AZ.locale
• %User Temp%\nsd{Random Numbers}\locale\BE.locale
• %User Temp%\nsd{Random Numbers}\locale\BG.locale
• %User Temp%\nsd{Random Numbers}\locale\BS.locale
• %User Temp%\nsd{Random Numbers}\locale\CA.locale
• %User Temp%\nsd{Random Numbers}\locale\CS.locale
• %User Temp%\nsd{Random Numbers}\locale\DA.locale
• %User Temp%\nsd{Random Numbers}\locale\DE.locale
• %User Temp%\nsd{Random Numbers}\locale\EL.locale
• %User Temp%\nsd{Random Numbers}\locale\EN.locale
• %User Temp%\nsd{Random Numbers}\locale\ES.locale
• %User Temp%\nsd{Random Numbers}\locale\ET.locale
• %User Temp%\nsd{Random Numbers}\locale\EU.locale
• %User Temp%\nsd{Random Numbers}\locale\FA.locale
• %User Temp%\nsd{Random Numbers}\locale\FI.locale
• %User Temp%\nsd{Random Numbers}\locale\FR.locale
• %User Temp%\nsd{Random Numbers}\locale\GU.locale
• %User Temp%\nsd{Random Numbers}\locale\HE.locale
• %User Temp%\nsd{Random Numbers}\locale\HI.locale
• %User Temp%\nsd{Random Numbers}\locale\HR.locale
• %User Temp%\nsd{Random Numbers}\locale\HT.locale
• %User Temp%\nsd{Random Numbers}\locale\HU.locale
• %User Temp%\nsd{Random Numbers}\locale\HY.locale
• %User Temp%\nsd{Random Numbers}\locale\ID.locale
• %User Temp%\nsd{Random Numbers}\locale\IS.locale
• %User Temp%\nsd{Random Numbers}\locale\IT.locale
• %User Temp%\nsd{Random Numbers}\locale\JA.locale
• %User Temp%\nsd{Random Numbers}\locale\KA.locale
• %User Temp%\nsd{Random Numbers}\locale\KK.locale
• %User Temp%\nsd{Random Numbers}\locale\KO.locale
• %User Temp%\nsd{Random Numbers}\locale\KU.locale
• %User Temp%\nsd{Random Numbers}\locale\LO.locale
• %User Temp%\nsd{Random Numbers}\locale\LT.locale
• %User Temp%\nsd{Random Numbers}\locale\LV.locale
• %User Temp%\nsd{Random Numbers}\locale\MK.locale
• %User Temp%\nsd{Random Numbers}\locale\ML.locale
• %User Temp%\nsd{Random Numbers}\locale\MR.locale
• %User Temp%\nsd{Random Numbers}\locale\MS.locale
• %User Temp%\nsd{Random Numbers}\locale\NE.locale
• %User Temp%\nsd{Random Numbers}\locale\NL.locale
• %User Temp%\nsd{Random Numbers}\locale\NO.locale
• %User Temp%\nsd{Random Numbers}\locale\PA.locale
• %User Temp%\nsd{Random Numbers}\locale\PL.locale
• %User Temp%\nsd{Random Numbers}\locale\PS.locale
• %User Temp%\nsd{Random Numbers}\locale\PT.locale
• %User Temp%\nsd{Random Numbers}\locale\RO.locale
• %User Temp%\nsd{Random Numbers}\locale\RU.locale
• %User Temp%\nsd{Random Numbers}\locale\SK.locale
• %User Temp%\nsd{Random Numbers}\locale\SL.locale
• %User Temp%\nsd{Random Numbers}\locale\SQ.locale
• %User Temp%\nsd{Random Numbers}\locale\SR.locale
• %User Temp%\nsd{Random Numbers}\locale\SV.locale
• %User Temp%\nsd{Random Numbers}\locale\TA.locale
• %User Temp%\nsd{Random Numbers}\locale\TE.locale
• %User Temp%\nsd{Random Numbers}\locale\TH.locale
• %User Temp%\nsd{Random Numbers}\locale\TL.locale
• %User Temp%\nsd{Random Numbers}\locale\TR.locale
• %User Temp%\nsd{Random Numbers}\locale\UK.locale
• %User Temp%\nsd{Random Numbers}\locale\UR.locale
• %User Temp%\nsd{Random Numbers}\locale\UZ.locale
• %User Temp%\nsd{Random Numbers}\locale\VI.locale
• %User Temp%\nsd{Random Numbers}\locale\YO.locale
• %User Temp%\nsd{Random Numbers}\locale\ZH.locale
• %User Temp%\nsd{Random Numbers}\locale\ZU.locale

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %User Temp%\ns6B37661F
• %User Temp%\nsd{Random Numbers}
• %User Temp%\nsd{Random Numbers}\css
• %User Temp%\nsd{Random Numbers}\css\sdk-ui
• %User Temp%\nsd{Random Numbers}\css\sdk-ui\images
• %User Temp%\nsd{Random Numbers}\images
• %User Temp%\nsd{Random Numbers}\locale

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan connects to the following possibly malicious URL:

• http://t2.{BLOCKED}b.com/{random path}
• http://tl.{BLOCKED}d.com/{random path}
• http://cloud.{BLOCKED}tt-hod.com