ThreatExpert Report: Trojan.Win32.Spy, Packed.Vmpbad!gen1, Mal/Behav-363

Submission Summary:

Submission details:

Submission received: 2 October 2012, 13:47:42
Processing time: 11 min 8 sec
Submitted sample:

File MD5: 0x42AEAEB46288E2B65D69953E3CE06472
File SHA-1: 0xAB3A76F8397FFA50C096AE24E9C9AE901E0D981A
Filesize: 1,322,534 bytes
Alias: Trojan.Win32.Spy [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\1.dll	79,872 bytes	MD5: 0xE67D410A7ECBFE8F8E8BB711E97F7D44 SHA-1: 0x0C2CA0B6611CE7C0619C20BB9203AA7DB342129B	Packed.Vmpbad!gen1 [Symantec] Mal/Behav-363 [Sophos] Trojan.Win32.Spy [Ikarus]
2	%Temp%\2.exe	259,072 bytes	MD5: 0x03BEDE0877A68B403BF48C4838E2975B SHA-1: 0xB24017AA53F8AFF1D555170A920969D42D26CE4A	(not available)
3	%Temp%\3.dll	122,880 bytes	MD5: 0x5892138AF7FCDFCC4ECD5CB07A7371ED SHA-1: 0x0EF750B685F520591633DD5E10F13C92B9AC4452	(not available)
4	%Temp%\4.dll	105,984 bytes	MD5: 0x3E4224A90B7900E0B4812C31FA86918A SHA-1: 0x241368683EC3EC234C7F8C129557086E93C1716E	(not available)
5	%Temp%\5.dll	421,200 bytes	MD5: 0xBC83108B18756547013ED443B8CDB31B SHA-1: 0x79BCAAD3714433E01C7F153B05B781F8D7CB318D	(not available)
6	%Temp%\6.dll	773,968 bytes	MD5: 0x0E37FBFA79D349D672456923EC5FBBE3 SHA-1: 0x4E880FC7625CCF8D9CA799D5B94CE2B1E7597335	(not available)
7	%Temp%\7.dll	28,672 bytes	MD5: 0xCC98613D25339E77FC60E0FF3D756C0D SHA-1: 0xA33EC18A3A2CF3B086FE8A67077CC89DC7AA4F79	(not available)
8	%Temp%\8.dll	991,744 bytes	MD5: 0xF01DB6521EFC47DC17B3ED6E05C06F82 SHA-1: 0x09BDBA0C143F581C88027ECA32CD916F897B7D9E	(not available)
9	[file and pathname of the sample #1]	1,322,534 bytes	MD5: 0x42AEAEB46288E2B65D69953E3CE06472 SHA-1: 0xAB3A76F8397FFA50C096AE24E9C9AE901E0D981A	Trojan.Win32.Spy [Ikarus]

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
2.exe	%Temp%\2.exe	348,160 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
3.dll	%Temp%\3.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x3B400000 - 0x3B420000
3.dll	%Temp%\3.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x3B400000 - 0x3B420000
3.dll	%Temp%\3.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x3B400000 - 0x3B420000
5.dll	%Temp%\5.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x78050000 - 0x780B9000
5.dll	%Temp%\5.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x78050000 - 0x780B9000
5.dll	%Temp%\5.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x78050000 - 0x780B9000
7.dll	%Temp%\7.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x390000 - 0x39B000
7.dll	%Temp%\7.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x390000 - 0x39B000
7.dll	%Temp%\7.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x390000 - 0x39B000
8.dll	%Temp%\8.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB50000 - 0xC47000
8.dll	%Temp%\8.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB50000 - 0xC47000
8.dll	%Temp%\8.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0xB50000 - 0xC47000
1.dll	%Temp%\1.dll	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x920000 - 0x93F000

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.