ThreatExpert Report: Backdoor.Win32.Rewindor, possible-Threat.Keygen

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 20 July 2012, 08:18:01
Processing time: 11 min 15 sec
Submitted sample:

File MD5: 0x093034BA3987BB73BC15B46E41AC4AB4
File SHA-1: 0xE887C5D0330AA30A1589B787F63FEEFDA948350B
Filesize: 375,690 bytes
Alias: Backdoor.Win32.Rewindor [Ikarus]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\1.Exe	31,744 bytes	MD5: 0x59D97825E875771033EFC04B9129F7DA SHA-1: 0x1FA069300335DCA93937D780766F8BA7C0D33EAB	(not available)
2	%Temp%\10.exe	6,656 bytes	MD5: 0xDBD962FCF5F78C31BCAE810AC7ED0AC0 SHA-1: 0x0AEE2C1E6D338E1CBD2CB8D8BD0F8A9E43C8C468	(not available)
3	%Temp%\2.exe	344,576 bytes	MD5: 0x5CF12325DA9D4254C646E7EE87FE32C4 SHA-1: 0x2B63E5FDE41EA6895CD39031EBE5E885070C6627	(not available)
4	%Temp%\3.exe	28,672 bytes	MD5: 0xB72100618056DCFF26380AA81FE91AEE SHA-1: 0xC0DC1668F3D34CC1AB033206D6E4A55010D4BDB6	(not available)
5	%Temp%\4.exe	122,368 bytes	MD5: 0xF4E7F34664157FF76D078DC357964951 SHA-1: 0x64A694F52D379929B2FBB1039090A1FA0E6F7B46	(not available)
6	%Temp%\5.exe	8,704 bytes	MD5: 0x87FA81245B14383716E9D8E644A04AC5 SHA-1: 0xE0863428C71F5A10DE2E42427796DCC57079593D	Backdoor.Win32.Rewindor [Ikarus]
7	%Temp%\6.exe	17,408 bytes	MD5: 0x6314F975C6E22033030081FBDD173778 SHA-1: 0x7C4215C260ED5CD061605D2D12CE40EE92C0FD62	possible-Threat.Keygen [Ikarus]
8	%Temp%\7.exe	81,920 bytes	MD5: 0xB9BBD7F3532063353A6396DB59211D06 SHA-1: 0x8606ACBE0A49998937ACBFB265348C50F5E40DBC	(not available)
9	%Temp%\8.exe	6,656 bytes	MD5: 0xB7457F39844F3836A26B1431E5D4DD47 SHA-1: 0xE5863279AB083EAF55ADCCC0857F78991434A134	(not available)
10	%Temp%\9.exe	24,576 bytes	MD5: 0x2AE4ADC7A644318B09EEDF9A52C4A620 SHA-1: 0xA121032399053FD5E9E4CD6392F68EA024B24E1D	Backdoor.Win32.Rewindor [Ikarus]
11	[file and pathname of the sample #1]	375,690 bytes	MD5: 0x093034BA3987BB73BC15B46E41AC4AB4 SHA-1: 0xE887C5D0330AA30A1589B787F63FEEFDA948350B	Backdoor.Win32.Rewindor [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
3.exe	%Temp%\3.exe	28,672 bytes
4.exe	%Temp%\4.exe	286,720 bytes
5.exe	%Temp%\5.exe	40,960 bytes
6.exe	%Temp%\6.exe	45,056 bytes
7.exe	%Temp%\7.exe	86,016 bytes
8.exe	%Temp%\8.exe	40,960 bytes
9.exe	%Temp%\9.exe	61,440 bytes
10.exe	%Temp%\10.exe	40,960 bytes
1.Exe	%Temp%\1.exe	65,536 bytes
2.exe	%Temp%\2.exe	360,448 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

China

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.