ThreatExpert Report: Trojan-Dropper.Win32.Delf, Backdoor.Win32.Vipdataend

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 25 October 2012, 11:30:40
Processing time: 7 min 44 sec
Submitted sample:

File MD5: 0x3760578C3F1B23623781F79785FB361B
File SHA-1: 0x5F752F597E4B668D698A31A0CA5972728F203FDB
Filesize: 126,464 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\abcd.bat	75 bytes	MD5: 0x0849CFE65B98BA5FCD9A9EC61A671D09 SHA-1: 0x9D0CCB383C32B1BC07FD9064B9324A18E1276902
2	[file and pathname of the sample #1]	126,464 bytes	MD5: 0x3760578C3F1B23623781F79785FB361B SHA-1: 0x5F752F597E4B668D698A31A0CA5972728F203FDB

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	159,744 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\WinRAR
HKEY_CURRENT_USER\Software\WinZIP

The newly created Registry Values are:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 34 41 30 32 45 38 41 44 2D 42 41 44 38 2D 34 32 31 45 2D 41 41 38 36 2D 39 34 35 42 35 41 32 41 41 41 30 42 7D

[HKEY_CURRENT_USER\Software\WinZIP]

HWID = 7B 44 33 43 32 34 30 33 41 2D 37 45 31 33 2D 34 30 38 39 2D 38 42 45 35 2D 45 38 36 35 45 37 33 35 43 42 42 34 7D

Other details

The following Host Names were requested from a host database:

91.220.35.125
5.135.8.70

The following HTTP URLs were started reading:

http://5.135.8.70/8bd7d5194/werghw45gwe
http://5.135.8.70/8bd7d5194/brgn424t235
http://5.135.8.70/8bd7d5194/wert34g45ht
http://5.135.8.70/8bd7d5194/wergwrg3gwer
http://5.135.8.70/8bd7d5194/rebhg542

Downloaded File Summary:

Download details:

Download retrieved: 25 October 2012 11:38:25
Processing time: 7 min 46 sec
Downloaded sample #1:

File MD5: 0x72CEFBA95B2E1EDF508F7F2F88BB4785
File SHA-1: 0x77B738B8E12D55B62B46915A31E6A7F3CC3CE60B
Filesize: 302,080 bytes

Downloaded sample #2:

File MD5: 0x19ED076AB500F94A4FD259D227575865
File SHA-1: 0x887DF4496B07FA528865D70196B201086475A909
Filesize: 192,512 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\ctfmon32.exe	91,136 bytes	MD5: 0xAEECE338652CACDF02C4C94589ECC1BF SHA-1: 0x21B7CD613693BC625547A00B5CBB5467D7607574	(not available)
2	%AppData%\Microsoft\Windows\.data	466 bytes	MD5: 0x910FA3E0D6FB5CD61310D1BD55646444 SHA-1: 0x85114DAACD3273F56C6EE3BAE19E3B79C30702B8	(not available)
3	%AppData%\Microsoft\Windows\msshell.exe	18,432 bytes	MD5: 0x40E9CEDEFF4BDA7BA35C6AEBD752CF72 SHA-1: 0xDDCA9452C247FC0C025398004E43AB347B4DBBCE	Trojan-Dropper.Win32.Delf [Ikarus]
4	%AppData%\Microsoft\Windows\unicode2.nls	162,304 bytes	MD5: 0xA22FCDA4A10236F62CB1B930BECB1861 SHA-1: 0x554F8C4E127B3F869E93857804B778DC315227C8	Backdoor.Win32.Vipdataend [Ikarus]
5	[file and pathname of the sample #1]	302,080 bytes	MD5: 0x72CEFBA95B2E1EDF508F7F2F88BB4785 SHA-1: 0x77B738B8E12D55B62B46915A31E6A7F3CC3CE60B	(not available)
6	[file and pathname of the sample #2]	192,512 bytes	MD5: 0x19ED076AB500F94A4FD259D227575865 SHA-1: 0x887DF4496B07FA528865D70196B201086475A909	(not available)

Note:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
ctfmon32.exe	%AppData%\ctfmon32.exe	122,880 bytes
msshell.exe	%AppData%\microsoft\windows\msshell.exe	49,152 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	335,872 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	225,280 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
unicode2.nls	%AppData%\Microsoft\Windows\unicode2.nls	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0xD70000 - 0xD9C000

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Registry Modifications

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

ctfmon32.exe = "%AppData%\ctfmon32.exe"
MSShell = "%AppData%\Microsoft\Windows\msshell.exe"

so that ctfmon32.exe runs every time Windows starts

so that msshell.exe runs every time Windows starts

Other details

The following Host Name was requested from a host database:

192.5.5.241

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
89.144.61.145	443

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 443:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.