Submission Summary:

What's been foundSeverity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security RiskDescription
Trojan-Spy.Bankject Trojan-Spy.Bankject injects extra HTML code into internet banking webpages in order to steal passwords and credit card details. It also steals email addresses from Windows Address Book and sends all these stolen information to the attacker.

Threat CategoryDescription
A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Temp%\tmp5023.tmp 8 bytes MD5: 0x069EB1025B01C70C56536AC99E35FC3B
SHA-1: 0x9FD93B7EDA29D5AEC4AACB275B840D8E025D46B7
(not available)
2 %MyDocuments%\MSDCSC\msdcsc.exe 694,784 bytes MD5: 0x8458352DD9BB153ECD47505E9A8CF6D3
SHA-1: 0x0774DD2F474399DBB730EE91952328C9C1ACDD89
W32.Neshuta [Symantec]
Virus.Win32.Neshta.a [Kaspersky Lab]
W32/Generic.Delphi.c [McAfee]
PE_NESHTA.A [Trend Micro]
W32/Bloat-A [Sophos]
Virus:Win32/Neshta.A [Microsoft]
Virus.Win32.Neshta [Ikarus]
Win32/Neshta [AhnLab]
3 %Windir%\directx.sys 49 bytes MD5: 0x5A16C26C5CB157D3EB1EA2C7A66EF051
SHA-1: 0x33777376371282C1F06ED5DF1987CA31C0F79872
(not available)
4 %Windir%\svchost.com 41,472 bytes MD5: 0x0270C09A68BD66E24BE9A5A61B2145E3
SHA-1: 0xB7F84982DD1D0B312628E1FAC80A139F194A15B0
W32.Neshuta [Symantec]
Virus.Win32.Neshta.a [Kaspersky Lab]
W32/Generic.Delphi.c [McAfee]
PE_NESHTA.A-O [Trend Micro]
W32/Bloat-A [Sophos]
Virus:Win32/Neshta.A [Microsoft]
Virus.Win32.Neshta [Ikarus]
Win32/Neshta [AhnLab]
5 [file and pathname of the sample #1] 736,256 bytes MD5: 0x3D248F573585F2E0E0207C42369F4130
SHA-1: 0xF61C1C455C381D287E3C7E0FEDE544E16A60A4E8
W32.Neshuta [Symantec]
Virus.Win32.Neshta.a [Kaspersky Lab]
W32/Generic.Delphi.c [McAfee]
PE_NESHTA.A [Trend Micro]
W32/Bloat-A [Sophos]
Virus:Win32/Neshta.A [Microsoft]
Virus.Win32.Neshta [Ikarus]
Win32/Neshta [AhnLab]

 

Memory Modifications

Process NameProcess FilenameMain Module Size
msdcsc.exe%UserProfile%\MYDOCU~1\MSDCSC\msdcsc.exe749,568 bytes
svchost.com%Windir%\svchost.com176,128 bytes
msdcsc.exe%MyDocuments%\msdcsc\msdcsc.exe749,568 bytes
[filename of the sample #1][file and pathname of the sample #1]176,128 bytes
[filename of the sample #1]%Temp%\3582-490\[filename of the sample #1]749,568 bytes
IEXPLORE.EXEC:\PROGRA~1\INTERN~1\IEXPLORE.EXE102,400 bytes
VMEB23~1.EXEC:\PROGRA~1\VMware\VMWARE~1\VMEB23~1.EXE90,112 bytes

 

Registry Modifications

 

Other details

Russian Federation

Remote HostPort Number
ketref38.dynu.net1604

 

Outbound traffic (potentially malicious)

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.