ThreatExpert Report: Trojan.Crypt, Packed.Vmpbad!gen4, Generic.dx!voj, Mal/Behav-363

Submission Summary:

Submission details:

Submission received: 10 September 2012, 14:32:12
Processing time: 13 min 34 sec
Submitted sample:

File MD5: 0x1476B6286CEC439F4912840A1E57D71D
File SHA-1: 0x454614155ECD1F1545EAA8210A0B0D698ECB3DFE
Filesize: 2,421,526 bytes
Alias: Trojan.Crypt [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\Alf.dll	704,512 bytes	MD5: 0x747B5AFB7A919CC43852EC5E0A3B32AB SHA-1: 0x1736F4C95313C384A170565B3A5C2BE4E85500BA	(not available)
2	%Temp%\ClientRegistry.blob	151 bytes	MD5: 0xB98C11E2C36A2DCD167DA5C6AA63FDC4 SHA-1: 0x4E8B1B04F40FB538CDAD26B2B6A5F96E90A88854	(not available)
3	%Temp%\fmodex.dll	279,552 bytes	MD5: 0x99EE081CF7FB1BFB5FBF2C4117D5398F SHA-1: 0x0418E1CB823D929E28745E1732577C85571E0365	(not available)
4	%Temp%\is-CH89T.tmp\setup.tmp %Temp%\is-FGFJM.tmp\setup.tmp	1,486,336 bytes	MD5: 0xE426F0FFBED988842FFA7315F679684E SHA-1: 0xD7A1027525CBC1BC312D5C9A3FAB7A4EC869022D	(not available)
5	%Temp%\is-OR8V2.tmp\isexec.dll %Temp%\is-TTR0F.tmp\isexec.dll	42,496 bytes	MD5: 0xA48427B666695BDA7F968B659F8AC9B2 SHA-1: 0xE8C86F2626FE70BEBE852B41757012823F402C4E	(not available)
6	%Temp%\is-OR8V2.tmp\unarc.exe %Temp%\is-TTR0F.tmp\unarc.exe	295,424 bytes	MD5: 0x7BD927FF8FD0C509E311C622FAC681BC SHA-1: 0x0481C800313EBA05C2F5B2C39D93638DD7E02C52	(not available)
7	%Temp%\is-OR8V2.tmp\_isetup\_shfoldr.dll %Temp%\is-TTR0F.tmp\_isetup\_shfoldr.dll	23,312 bytes	MD5: 0x92DC6EF532FBB4A5C3201469A5B5EB63 SHA-1: 0x3E89FF837147C16B4E41C30D6C796374E0B8E62C	(not available)
8	%Temp%\LangSelect.exe	20,608 bytes	MD5: 0x8FBA4CFBEA16D3A76786022683C7BA98 SHA-1: 0x3BB71CADBEBD24CFC90D01729D8515C94D701A9F	(not available)
9	%Temp%\libresample.dll	68,688 bytes	MD5: 0x909A5C713CB5D4F967FE676BF912B277 SHA-1: 0x575671B0014AEFF79F9BF5FAB95F1FB135398CAC	(not available)
10	%Temp%\nvtt.dll	208,896 bytes	MD5: 0x3960FB2D0D0BA153EBB630092F01B52B SHA-1: 0x5473889F634FF51AA5F32A3432101C8273E60C89	(not available)
11	%Temp%\NxCooking.dll	388,176 bytes	MD5: 0x7F588CEACF9D617F58E00B7FAF3A2BC6 SHA-1: 0xDC73D99F96C4300699F41411EEDC405A8D0701FE	(not available)
12	%Temp%\ogg.dll	19,536 bytes	MD5: 0x77902CED1C6426EEEE979A722CBA902A SHA-1: 0xC1F5BD7F9A866D345E2F113AFE5AC0B11BC4D5CF	(not available)
13	%Temp%\paul.dll	167,936 bytes	MD5: 0x7B4E4D48A1D987FE29748C547DAB4FEC SHA-1: 0x5274FD62195CDA721FEBF8D6355E100D6664DDEC	Packed.Vmpbad!gen4 [Symantec] Generic.dx!voj [McAfee] Mal/Behav-363 [Sophos] Trojan.Crypt [Ikarus]
14	%Temp%\setup.exe	818,510 bytes	MD5: 0x35D8FBAC64B744E5FE14B1E140ED34F7 SHA-1: 0x62A2FB6637975A2101F93AA5CEDE9AC17B4C537A	(not available)
15	%Temp%\SetupHelper.exe	37,752 bytes	MD5: 0xB6FCCDCDB41B33331CD0A05249FD03B4 SHA-1: 0xD3B18FC2F0BFA4AB5B3B9E9BA321AD838339C64E	(not available)
16	%Temp%\SteamAPIUpdater.dll	1,297,440 bytes	MD5: 0x30FAF6A84115607F54A614F1B0E64025 SHA-1: 0x369AEBBC8E7E866ED605CE6C72A0B17553B3D303	(not available)
17	%Temp%\steam_api.dll	121,984 bytes	MD5: 0xD1953334ED302B2BE3C509336E5C53B3 SHA-1: 0x20867924FEAB62E443E90F841822A9B43C8C8B12	(not available)
18	%Temp%\unicows.dll	258,352 bytes	MD5: 0xF8D176DB5B14AED7C9B25E0640226BD1 SHA-1: 0xA31C1C641639F5B50E79E0330CFC91E6613BF7F9	(not available)
19	%Temp%\UpdateDLLWrapper.dll	59,176 bytes	MD5: 0x14ED5B88B50D89ED97D2E8A063AF2FBF SHA-1: 0xC640680918BA329A4444B9DAC891A4C5D83DDF04	(not available)
20	[file and pathname of the sample #1]	2,421,526 bytes	MD5: 0x1476B6286CEC439F4912840A1E57D71D SHA-1: 0x454614155ECD1F1545EAA8210A0B0D698ECB3DFE	Trojan.Crypt [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%Temp%\is-CH89T.tmp
%Temp%\is-FGFJM.tmp
%Temp%\is-OR8V2.tmp
%Temp%\is-OR8V2.tmp\_isetup
%Temp%\is-TTR0F.tmp
%Temp%\is-TTR0F.tmp\_isetup

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
unarc.exe	%Temp%\is-OR8V2.tmp\unarc.exe	1,085,440 bytes
unarc.exe	%Temp%\is-TTR0F.tmp\unarc.exe	1,085,440 bytes
setup.exe	%Temp%\setup.exe	184,320 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Other details

To mark the presence in the system, the following Mutex object was created:

oleacc-msaa-loaded

The following Host Names were requested from a host database:

72.165.61.189
72.165.61.190
69.28.151.178
69.28.153.82
68.142.88.34
68.142.72.250

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
68.142.72.250	27038

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 27038:

There was an outbound traffic produced on port 27030:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.