Submission Summary:

What's been found | Severity Level
Produces outbound traffic. |
Downloads/requests other files from Internet. |
Creates a startup registry entry. |


Technical Details:


File System Modifications

# | Filename(s) | File Size | File Hash (MD5) | File Hash (SHA-1)
1 | %AppData%\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A1630.exe | 11,264 bytes | 0x25D3C1A5DCE621C2F5C35BDE131B32E2 | 0x8D1727E136F26BD8386E7237D50CC6B39CA1362E
2 | %AppData%\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe | 18,944 bytes | 0x62C9E781ACA2CB6273A57D9D6561C3D0 | 0x8D06B5D1ECCD9A2EA513A97F3877348455C041F2
3 | %DesktopDir%\WeatherBug.lnk | 1,739 bytes | 0x9E73E8809C7F230EC2372BDD43390279 | 0xEA46BA7261498FE7A18CD6AE39BD686DFC73E2E5
4 | %Temp%\nsiE.tmp\inetc.dll | 20,992 bytes | 0xE541458CFE66EF95FFBEA40EAAA07289 | 0xCAEC1233F841EE72004231A3027B13CDEB13274C
5 | %Temp%\nsiE.tmp\System.dll | 11,264 bytes | 0xC17103AE9072A06DA581DEC998343FC1 | 0xB72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
6 | %Temp%\out.html | 0 bytes | 0xD41D8CD98F00B204E9800998ECF8427E | 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
7 | %Temp%\WeatherBugSetup.msi | 3,209,728 bytes | 0x8C23BE9E13B10CE4E5969ABD7D838576 | 0xADDA1875CA69A6B9E21E4257833C508A46FA85C1
8 | %Programs%\WeatherBug\Uninstall WeatherBug.lnk | 513 bytes | 0x21F8425D5F0DDE8DE4E85E217F84FC1C | 0x7260A24EB0176180B58AC954AC051EA07C64009E
9 | %Programs%\WeatherBug\WeatherBug.lnk | 1,912 bytes | 0xF0DC458E418D4117D9B97F73CD5515DD | 0x64539995ED1AEDADAF89556ACA34B08AAC5FBB8B
10 | %ProgramFiles%\AWS\WeatherBug\download.txt | 21 bytes | 0x4BAF242E90B0AC23315E09A297F55A1F | 0xA9D647C229C736C166B47B2E7F9ED42EF16B3741
11 | %ProgramFiles%\AWS\WeatherBug\Local\1px.gif | 43 bytes | 0x325472601571F31E1BF00674C368D335 | 0x2DAEAA8B5F19F0BC209D976C02BD6ACB51B00B0A
12 | %ProgramFiles%\AWS\WeatherBug\Local\alert_failed.html | 808 bytes | 0x068EA49B62B2FBD1A80DCC6F2B6792F9 | 0xA4BFBC206E701E155DA419B16EBAA6B8331B307D
13 | %ProgramFiles%\AWS\WeatherBug\Local\Background60.jpg | 101,206 bytes | 0x14DB8321845F7FA28050E64A218E6F24 | 0xE9EE9EBF0E3B1E4B79C5A272E238E57662026211
14 | %ProgramFiles%\AWS\WeatherBug\Local\bot_default.html | 141 bytes | 0xB22AB3B443A4A81D1776AC9413650E28 | 0xB08156A72723770590758102740CB519B5323791
15 | %ProgramFiles%\AWS\WeatherBug\Local\bot_failed2.html | 638 bytes | 0x0294F8E1F1CF39494446C4A5B0749EC8 | 0xE0CCE3682A0B45957425DBB3595ADD96F6B272A6
16 | %ProgramFiles%\AWS\WeatherBug\Local\Bot_loading.gif ; %ProgramFiles%\AWS\WeatherBug\Local\def_bot.gif | 11,014 bytes | 0x7DEAA994973B314179B8DC01E39367A3 | 0xDC1980E00D341D85251933883712900AB4EE396A
17 | %ProgramFiles%\AWS\WeatherBug\Local\bot_loading.html | 145 bytes | 0xF86C28EEE915D1741013788E5CCC4C0E | 0xA47458FC6FFA4D9D2C18C5B9384B6D923B631B0D
18 | %ProgramFiles%\AWS\WeatherBug\Local\center_failed.html | 1,650 bytes | 0x1FEB4F06B136309090145B96CB2AEDC5 | 0x7030990C2A9211849FE10CD2008C683123013E6B
19 | %ProgramFiles%\AWS\WeatherBug\Local\center_loading.html | 456 bytes | 0xBA9DB100BED692A24CFA51484901E6BA | 0xB9882A74B7508DA11CBBDF91FD8E1D82C45ADC35
20 | %ProgramFiles%\AWS\WeatherBug\Local\LeftNavbar60.JPG | 59,164 bytes | 0x9B4D3CC1DEFA1EFE0776EBF8BC72FEBA | 0x25935F40C61D99B2C98CA2D2780FECC1D51AD42F
21 | %ProgramFiles%\AWS\WeatherBug\Local\skinmask60.bmp | 68,642 bytes | 0x92D00A79AD5DB3378008D291B2F97A05 | 0x875FB977C7D5176A9D2F12D77AF7D59624F0D651
22 | %ProgramFiles%\AWS\WeatherBug\Local\TopNavbar60.JPG | 13,910 bytes | 0xD6BFC2511F69CD46F89B8B5AD61DCC7B | 0xD9A79D4912C03DA74247107119F677B8168766C0
23 | %ProgramFiles%\AWS\WeatherBug\Local\WBug_Loading.gif | 10,080 bytes | 0xD37A3A5BFB59BC81089F52D3B79CEDF6 | 0xFEDF6D50BC29DF4121444B905D5550C7FB22B662
24 | %ProgramFiles%\AWS\WeatherBug\Local\weather_window_loading.gif | 9,675 bytes | 0xEE302873619C0E3A199641D130A42136 | 0xB1085049AFA12374326687ECAC81D159DB1588D5
25 | %ProgramFiles%\AWS\WeatherBug\Local\WxBug.gif | 1,737 bytes | 0xD22D9CA5AF558490BBA451FC2A6E88E2 | 0x42BA3614516298BE88469E755AE5BBBC3B7DFFF1
26 | %ProgramFiles%\AWS\WeatherBug\Local\wxbug.wav | 22,074 bytes | 0x1368DBAC29C3DA0533B0A8E106AD763D | 0xC105F2624D2EE5A530BBB93F914A165751D0C336
27 | %ProgramFiles%\AWS\WeatherBug\Local\wxbuglogo_hor.gif | 3,645 bytes | 0xDC199C887D8A0EF7BB467D9699758E76 | 0x8B7F81C8D5EC35730AE1DA4C40515083147250FD
28 | %ProgramFiles%\AWS\WeatherBug\Local\WxWindow_failed.html | 683 bytes | 0x768F40AE492330FB0E94EC3E99F03A57 | 0x5CEB163FC2117D664835E72B2D28C0AB9AE7D4D8
29 | %ProgramFiles%\AWS\WeatherBug\Local\WxWindow_loading.html | 400 bytes | 0xB0D89EB2F46778C5CE788FAA486336A8 | 0x47942C37E04ECC7FCDBDA06A8EF5599A97D7F980
30 | %ProgramFiles%\AWS\WeatherBug\Local\WxWindow_noconnection.gif | 7,989 bytes | 0xCEF5E2B038D96D86A83F8FB4F8BC7823 | 0x7F6FDC6874736BA42593EB5B79FC0DF7BEF88605
31 | %ProgramFiles%\AWS\WeatherBug\Local\xpchirpedu.bmp | 22,622 bytes | 0x83CCE77F84CCA0A034B779CDAD922F9A | 0x20EAC06F43B89D03A60B26D465CD85A8E72FC775
32 | %ProgramFiles%\AWS\WeatherBug\Weather.exe | 1,652,736 bytes | 0xF2596401DB33C35E17D7F3FA7F38EF8B | 0xEF8D5826A2DEDB41759DC309AAD0B48DCB6D7F14
33 | %ProgramFiles%\AWS\WeatherBug\wxdist.dll | 219,136 bytes | 0x9ACA98B6051AB442A3B87D0DB601900C | 0x3157A14165B5574832CDB93AEDA74E3D811941E1
34 | %ProgramFiles%\AWS\WeatherBug\wxlocm.dll | 385,536 bytes | 0x819E38ECCFAEB9CD29ABA4A2095D5D99 | 0x59B9FD5498A57E1D4A9B36E412C67DDE634921C9
35 | %ProgramFiles%\AWS\WeatherBug\WxMisc.dll | 179,200 bytes | 0x4DABA1DF6081AA00A3F6F6D5A043FD90 | 0x38B8F9EF5F31003F7AA9EDA06B0AF8E90BF189B0
36 | %ProgramFiles%\AWS\WeatherBug\Wxpref.dll | 399,360 bytes | 0x219E1BB6209BC4AB733D1A3004A3A8A2 | 0xF45B0F5826653186DDC7277CEA8236C4CB565398
37 | %ProgramFiles%\AWS\WeatherBug\wxproa.dll | 411,648 bytes | 0x5D941C391833C56671C361F0BC746CEB | 0x52356D16028DE8D959FAF51CE6BFE15207D0C1D0
38 | %ProgramFiles%\AWS\WeatherBug\wxreg.dll | 423,936 bytes | 0x8F957ECE6D02FC1FE6DDF84B4A7C993A | 0xBE099E9AC94B216B8679ABC7D2F6CFC14D03738E
39 | %ProgramFiles%\AWS\WeatherBug\wxutil.dll | 238,080 bytes | 0x82C888B012D80629FD4AC31CB810DE8E | 0x1C6068C1CA2FF1C69839B1AF0D8AD24C5F1C04E7
40 | %ProgramFiles%\AWS\WeatherBug\wxweb.dll | 368,128 bytes | 0xCA329A5F92754E7D8E71E2E6A4530EF1 | 0xA9FEBD8E307DDA8693C4DD3754191448E54AB510
41 | %Windir%\Installer\19653.msi | 1,033,728 bytes | 0x88D9726639F7365EF7398791E60B278A | 0x4E6A515B41D561F97C66148C3B67FFA97A366945
42 | [file and pathname of the sample #1] | 2,764,275 bytes | 0x299ADD446AD38FE19CCAC7F97FF8D57A | 0x0198FB3C98EBF604E4A88228AACC83BF308429B7


Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 262,144 bytes
MSI5.tmp | %Windir%\Installer\MSI5.tmp | 28,672 bytes
iconbb6a1630.exe | %AppData%\microsoft\installer\{8f018a9e-56de-4a79-a5ef-25f413f1d538}\iconbb6a1630.exe | 28,672 bytes
iconbb6a16301.exe | %AppData%\microsoft\installer\{8f018a9e-56de-4a79-a5ef-25f413f1d538}\iconbb6a16301.exe | 32,768 bytes
weather.exe | %ProgramFiles%\aws\weatherbug\weather.exe | 1,683,456 bytes
MSI14.tmp | %Windir%\Installer\MSI14.tmp | 28,672 bytes

Service Name | Display Name | New Status | Service Filename
MSIServer | Windows Installer | "Running" | %System%\msiexec.exe /V


Registry Modifications


Other details

Port | Protocol | Process
1033 | TCP | [file and pathname of the sample #1]

Server Name | Server Port | Connect as User | Connection Password
command.weatherbug.com | 80 | (null) | (null)
register60.weatherbug.com | 80 | (null) | (null)
i.gmtrack.com | 443 | (null) | (null)


Outbound traffic (potentially malicious)


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.