Submission Summary:

What's been found | Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat Category | Description
A keylogger program that can capture all user keystrokes (including confidential details such as usernames, passwords, credit card numbers, etc.)


File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %Windir%\9480F7AF\svchsot.exe
[file and pathname of the sample #1]
81,920 bytes MD5: 0x00FFA79D96956632C659C47B4E240A64
SHA-1: 0xDD8422A06D217F4459B4DF7E06E3881C0AC7FD0A
Trojan-Spy.Win32.Agent.cbot [Kaspersky Lab]
BackDoor-FGQ [McAfee]
Troj/Agent-WIB [Sophos]
Backdoor:Win32/Morix.B [Microsoft]
Backdoor.Win32.Morix [Ikarus]
2 %Windir%\Tasks\At1.job 348 bytes MD5: 0x5930490C47B0C7586B5491E40C079C40
SHA-1: 0xEE1978F94819507E783DDE420E05CD7DA5150332
(not available)
3 %Windir%\Tasks\At10.job 348 bytes MD5: 0x7F4CA7B18CE0F0673C16F6093563F45E
SHA-1: 0x953BFE1C487501D8DA04054DA2E271377E1386E4
(not available)
4 %Windir%\Tasks\At11.job 348 bytes MD5: 0xE4201D7D440553144A0BE9DB73F92815
SHA-1: 0x20B953ABFAD3948F85CD3A28225A01FF2A4A9EDB
(not available)
5 %Windir%\Tasks\At12.job 348 bytes MD5: 0x332B3DF516DE506A5FF38DC7FC6628AE
SHA-1: 0x043DD02FF029DBC22FB288CC32B2807F6814160F
(not available)
6 %Windir%\Tasks\At13.job 348 bytes MD5: 0x85A8A48BF200029C0F7154C0384AD320
SHA-1: 0xC7D86C762E34564DA09A50C03D0A02224C1A484A
(not available)
7 %Windir%\Tasks\At14.job 348 bytes MD5: 0x1E24AB2080190913FA79D3C0B3301DA2
SHA-1: 0xC127DA1736F7B477691CFBA763AE154D4D12B80A
(not available)
8 %Windir%\Tasks\At15.job 348 bytes MD5: 0x414A0FE608E7595187427D6AEEC2A07D
SHA-1: 0x17B39ED46A2142FD9573A67DBE463BB7CF048CC0
(not available)
9 %Windir%\Tasks\At16.job 348 bytes MD5: 0x9EB7AD82675DE85C34E330780C8EA677
SHA-1: 0x4560F63895873323814D9C85DF51E9ABC49732DF
(not available)
10 %Windir%\Tasks\At17.job 348 bytes MD5: 0x9374B09AB4D0104EAF7712C58F5ED345
SHA-1: 0x0EADD0048009922450D6708E3FC6FF2DB431936E
(not available)
11 %Windir%\Tasks\At18.job 348 bytes MD5: 0x9B305F6E60A4432C5E4FE239CD4B8AF9
SHA-1: 0x5E2872651EFA42B331BB0018245E7DDA1FDA0075
(not available)
12 %Windir%\Tasks\At19.job 348 bytes MD5: 0x097D70798879B2894537152DDC7EA75A
SHA-1: 0x2487E0C3FA9CBA536EEAE9366689A18FC4CFF4D1
(not available)
13 %Windir%\Tasks\At2.job 348 bytes MD5: 0x14A80F1514963711A2B4628AEBDB3BC1
SHA-1: 0xC326062CEB592A8FAD1FE36F3F77120CB4311ECA
(not available)
14 %Windir%\Tasks\At20.job 348 bytes MD5: 0x3D70D10FFC22CFE41E7105AB64E3B841
SHA-1: 0x85694CE7C1C5287F1FFECB7B57B319EB9D00D670
(not available)
15 %Windir%\Tasks\At21.job 348 bytes MD5: 0x081C9A1854FF183C4647947545C12C57
SHA-1: 0xB6ADEEAE3E9F7C95706C3909E7DBA7BF61AF5845
(not available)
16 %Windir%\Tasks\At22.job 348 bytes MD5: 0x74560573B23EF06C5189E1B920F4AEDD
SHA-1: 0x96EE1FE36FA5A69A30F85959899D1D8A3D962C8F
(not available)
17 %Windir%\Tasks\At23.job 348 bytes MD5: 0x0849C860673FBDF5561F81B0AED8C066
SHA-1: 0x1BE0E5097F9EC7E2AF02720D8B3D4DBAFE2708A5
(not available)
18 %Windir%\Tasks\At24.job 348 bytes MD5: 0x3033E03A90D53B7FF4CEADB30FFE7E88
SHA-1: 0x512049830BBE43CEB89D872B443C4737FE571026
(not available)
19 %Windir%\Tasks\At3.job 348 bytes MD5: 0x45079DF61CB9CC2A33D0F2AA058244DE
SHA-1: 0xEAEE3EB04FE4C7AFC6166268240A2B3E508BADBA
(not available)
20 %Windir%\Tasks\At4.job 348 bytes MD5: 0x87C97E3AF3E57A1F97D138F00A391B34
SHA-1: 0x3648383071FA1AA0F1B3C65E7E34B8E28A57D04F
(not available)
21 %Windir%\Tasks\At5.job 348 bytes MD5: 0xA60330FC6DE767D7F6795D1450109EC5
SHA-1: 0xDA850F0A53D03ECC9713F348BE4A99BC466D7E14
(not available)
22 %Windir%\Tasks\At6.job 348 bytes MD5: 0x4F973FB900919EDB56D5524A81E5E9EF
SHA-1: 0x51E1DB2FAD82F2E6263A8E5DD32DC149701632B4
(not available)
23 %Windir%\Tasks\At7.job 348 bytes MD5: 0x950FE5E570310E340BF928CFAAA47D58
SHA-1: 0x8A230A5ED7D1CEEFAE991693FDDBFA3633A417CB
(not available)
24 %Windir%\Tasks\At8.job 348 bytes MD5: 0xC73D8EDB877F384EA45EE43CB8A17625
SHA-1: 0x9857AD43B73DE55839422EE2CDF488FCD5CAAA56
(not available)
25 %Windir%\Tasks\At9.job 348 bytes MD5: 0x483A61B19DC075D07B9A6956651FB2E0
SHA-1: 0xE9E5191577268617BB0C654A15D64BB93AAFF764
(not available)


Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 98,304 bytes


Registry Modifications


Other details

Remote Host | Port Number
226625253.gnway.cc | 2012


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.