Submission Summary:

What's been foundSeverity Level
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Downloads/requests other files from Internet.

 

Technical Details:

 

File System Modifications

#Filename(s)File SizeFile Hash
1 %System%\kbd101b.dll
%Windir%\Temp\OLD10.tmp
6,144 bytes MD5: 0x15CC5E30A8CFFFAC6056EC7CF2070187
SHA-1: 0x520BF2D27179B0FCC0CBD6C8A0070569AF8E84CF
2 %System%\kbd101c.dll
%Windir%\Temp\OLD14.tmp
6,144 bytes MD5: 0xE1CB8EE6C0DC70E0DBCFA8D32C849E91
SHA-1: 0x85C76426A7D74B6D8216C9372355553AE0B3D41B
3 %System%\kbd103.dll
%Windir%\Temp\OLD18.tmp
5,632 bytes MD5: 0x1AB5B6C627EBC61883EA311367F51130
SHA-1: 0x9C3B9EA1AA884B36EDDD588D7AE955F22709FB32
4 %System%\kbd106.dll
%Windir%\Temp\OLD1C.tmp
6,144 bytes MD5: 0x5F5124D2FE8AE381E914C9147353D64C
SHA-1: 0x5631295E512BDE2F18C8E0FD9DF9106F7B0C2E47
5 %System%\kbdjpn.dll
%Windir%\Temp\OLD20.tmp
8,704 bytes MD5: 0x804B09FA1E3A86E729ABCCA7F30AE53C
SHA-1: 0xFD7F04B8F2DDFF19C703FC852EF7701248C65159
6 %System%\kbdkor.dll
%Windir%\Temp\OLD24.tmp
8,192 bytes MD5: 0x3244B59A0EB07E7B181F52D80D5E7385
SHA-1: 0x0E4A9EF72972142FA6211242C35CAADD131AF120
7 [file and pathname of the sample #1] 1,567,536 bytes MD5: 0x3E7917F6E2E4B28C5E18F5AE814AB397
SHA-1: 0x60B24A9ADD9A224158EC67196CB98F7A9800FF98
8 %System%\��ʼ��Ϸ��־.txt 18 bytes MD5: 0xB157A1240EBFB8F68BDCC8343D589329
SHA-1: 0x4F4166023B46D788116F56DFC3B7DC1F35C18BD6

 

Memory Modifications

Process NameProcess FilenameMain Module Size
[filename of the sample #1][file and pathname of the sample #1]3,268,608 bytes

 

Registry Modifications

 

Other details

China
Russian Federation

PortProtocolProcess
1051UDP[file and pathname of the sample #1]
1059TCP[file and pathname of the sample #1]

Remote HostPort Number
123.125.115.24380
123.125.115.7580
98.126.74.10080

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.