ThreatExpert Report: Win32.SuspectCrc, Backdoor.Win32.Agent, Trojan-Spy.Win32.Banker.AHZ..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 29 September 2012, 21:39:18
Processing time: 7 min 39 sec
Submitted sample:

File MD5: 0x0FB5127A073B050BE9DFEF2E68BAF512
File SHA-1: 0xF705363ECEE9BCC0E88E07E35E96D4A1C4C5B415
Filesize: 122,880 bytes
Alias: Win32.SuspectCrc [Ikarus]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\clsx.xml	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	[file and pathname of the sample #1]	122,880 bytes	MD5: 0x0FB5127A073B050BE9DFEF2E68BAF512 SHA-1: 0xF705363ECEE9BCC0E88E07E35E96D4A1C4C5B415	Win32.SuspectCrc [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	131,072 bytes

Other details

The following Host Name was requested from a host database:

192.5.5.241

The following Internet download was started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://by1212.dominiotemporario.com/mdl/mdls.zip	%Windir%\system32/mdls.zip

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Downloaded File Summary:

Download details:

Download retrieved: 29 September 2012 21:46:57
Processing time: 12 min 57 sec
Downloaded sample:

File MD5: 0xD24155AAD99E9B5B64DC935BE482181C
File SHA-1: 0x21DABDBDE0768CA3AF19E357DC3FBBAA5D149FB2
Filesize: 1,703,189 bytes
Alias: Backdoor.Win32.Agent [Ikarus]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\awihts.exe	65,536 bytes	MD5: 0xD9CAA3DC84A1993162E94D54AABA1932 SHA-1: 0x6741982ED6460F59DBD72E81276CA34B1879BC6F	Trojan-Spy.Win32.Banker.AHZ [Ikarus]
2	%Temp%\cwstys.exe	3,768,320 bytes	MD5: 0x3642A90EBEBEC029AF5F4690224B54F5 SHA-1: 0xDE05D2AF5CD48DAF57A5E014F755843CB7DF3E8F	Trojan:Win32/Camec.B [Microsoft]
3	%Temp%\hvinwy.exe	3,866,624 bytes	MD5: 0xC4FCDA2EBBA5BC11CF19503106126E34 SHA-1: 0x3647860C4101DC93EB948BE213137A7E2190BD47	TrojanSpy:Win32/Hisbucken.A [Microsoft]
4	%Temp%\pkesty.exe	397,312 bytes	MD5: 0xF8948D9990B41EBC7DAE4F57E922F8C8 SHA-1: 0x97ED7317D6A1ED34C6D67911EE048E15D9D4FB9A	Mal/VB-ADO [Sophos] TrojanSpy:Win32/Zapemli.A [Microsoft] Win32.SuspectCrc [Ikarus]
5	%Temp%\sundte.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
6	[file and pathname of the sample #1]	1,703,189 bytes	MD5: 0xD24155AAD99E9B5B64DC935BE482181C SHA-1: 0x21DABDBDE0768CA3AF19E357DC3FBBAA5D149FB2	Backdoor.Win32.Agent [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
hvinwy.exe	%Temp%\hvinwy.exe	3,866,624 bytes
pkesty.exe	%Temp%\pkesty.exe	401,408 bytes
sundte.exe	%Temp%\sundte.exe	14,233,600 bytes
cwstys.exe	%Temp%\cwstys.exe	3,776,512 bytes
IEXPLORE.EXE	%ProgramFiles%\Internet Explorer\IEXPLORE.EXE	102,400 bytes
awihts.exe	%Temp%\awihts.exe	69,632 bytes

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

hvinwy = "%Temp%\hvinwy.exe"
pkesty = "%Temp%\pkesty.exe"
cwstys = "%Temp%\cwstys.exe"
sundte = "%Temp%\sundte.exe"

so that hvinwy.exe runs every time Windows starts

so that pkesty.exe runs every time Windows starts

so that cwstys.exe runs every time Windows starts

so that sundte.exe runs every time Windows starts

[HKEY_CURRENT_USER\Identities]

Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

pkesty = "%Temp%\pkesty.exe"

so that pkesty.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex objects were created:

_SHuassist.mtx
MSIdent Logon

The following Host Name was requested from a host database:

smtp.gmail.com

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
smtp.gmail.com	465

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 465:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.