ThreatExpert Report: Trojan.Delf!sd5, Trojan Horse, Trojan.Win32.Delf.hy, Mal

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 26 March 2009, 13:01:51
Processing time: 8 min 22 sec
Submitted sample:

File MD5: 0x4527D72AA7922D3ED2EB3F3CE0BAD991
File SHA-1: 0x6DDC8E5A89C579568C137CDF250A271F9CBC0751
Filesize: 201,728 bytes
Alias & packer info:

Trojan.Delf!sd5 [PCTools]
Trojan Horse [Symantec]
Trojan.Win32.Delf.hy [Kaspersky Lab]
Mal_Banker [Trend Micro]
Mal/Behav-130 [Sophos]
Win-Trojan/Xema.202240 [AhnLab]
packed with: ASPack [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan.Delf!sd5	Trojan.Delf!sd5 is a malicious program that does not infect other files but may represents security risk for your computer and/or network environment.
Trojan-Downloader.Banload.BC	Trojan.Downloader.Banload.BC contacts Brazillian web server in order to download additional malware onto a users computer without their knowledge.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\taskimg.exe	201,728 bytes	MD5: 0x4527D72AA7922D3ED2EB3F3CE0BAD991 SHA-1: 0x6DDC8E5A89C579568C137CDF250A271F9CBC0751	Trojan.Delf!sd5 [PCTools] Trojan Horse [Symantec] Trojan.Win32.Delf.hy [Kaspersky Lab] Mal_Banker [Trend Micro] Mal/Behav-130 [Sophos] Win-Trojan/Xema.202240 [AhnLab] packed with ASPack [Kaspersky Lab]
2	%System%\winsys.bat	73 bytes	MD5: 0xF10DA0A3A6698C72CEDDB1C7DB863292 SHA-1: 0xBEA8348CB6F19821BF347B080E40B356CF9A6202	BAT_VALLA.A [Trend Micro]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
taskimg.exe	%System%\taskimg.exe	458,752 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	458,752 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\taskimg.exe

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

taskmrg.exe = "%System%\taskimg.exe"

so that taskimg.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

To mark the presence in the system, the following Mutex object was created:

MysampleAppMutex_1

The following HTTP URLs were started reading:

http://cartoesuol.no.sapo.pt/mandachuva.jpg;
http://cartoesuol.no.sapo.pt/dileila.jpg;
http://cartoesuol.no.sapo.pt/amarelinho.jpg
http://cartoesuol.no.sapo.pt/gerente.jpg
http://cartoesuol.no.sapo.pt/santana.jpg
http://cartoesuol.no.sapo.pt/cbsh.jpg
http://cartoesuol.no.sapo.pt/cincoestrelas.jpg
http://cartoesuol.no.sapo.pt/unicornio.jpg
http://cartoesuol.no.sapo.pt/vermelhao.jpg
http://cartoesuol.no.sapo.pt/azulao.jpg
http://cartoesuol.no.sapo.pt/banban.jpg
http://cartoesuol.no.sapo.pt/realidadevirtual.jpg

The following Internet download was started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://cartoesuol.no.sapo.pt/versionatario.jpg	%System%\active_url.dll

Downloaded File Summary:

Download details:

Download retrieved: 26 March 2009 13:10:14
Processing time: 9 min 55 sec
Downloaded sample #1:

File MD5: 0xB92031999CDA7A99ADCBD5856222C5AF
File SHA-1: 0xEF79FB507011239856B6DDE42A065906D25BE940
Filesize: 553,984 bytes
Alias & packer info:

TrojanSpy.Banker.GT [PCTools]
Infostealer.Banpaes [Symantec]
Trojan-Banker.Win32.Banker.go [Kaspersky Lab]
Troj/Banker-GO [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.553984.J [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #2:

File MD5: 0x90EED934A1375851B646B9AB604536C7
File SHA-1: 0x03001D8D23471BF5460DE648485DE6B35951C328
Filesize: 1,232,896 bytes
Alias & packer info:

TrojanSpy.Banker.GQ [PCTools]
Trojan Horse [Symantec]
Trojan-Banker.Win32.Banker.gp [Kaspersky Lab]
PWS-Banker.gen.i [McAfee]
Troj/Banker-GP [Sophos]
Trojan:Win32/Agent [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.1232896 [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #3:

File MD5: 0x11ECA703C700BC4F39E1BA4D06828EE1
File SHA-1: 0xA81B20415759ECC4D8F257BB89E649543DAC51A6
Filesize: 287,744 bytes
Alias & packer info:

TrojanSpy.Banker.GY [PCTools]
Trojan Horse [Symantec]
Trojan-Banker.Win32.Banker.gn [Kaspersky Lab]
Troj/Banker-GN [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-PWS.Win32.QQPass [Ikarus]
Win-Trojan/Banker.287744.F [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #4:

File MD5: 0xAD77CFEC16B4770EC5D2CF45C9BC592A
File SHA-1: 0x6588DFA61D56637A81EB8EBB33BF7287AC186BBA
Filesize: 469,504 bytes
Alias & packer info:

TrojanSpy.Banker.GX [PCTools]
Infostealer.Banpaes [Symantec]
Trojan-Banker.Win32.Banker.gm [Kaspersky Lab]
Troj/Banker-GM [Sophos]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.469504.B [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #5:

File MD5: 0x89FB6C58E51878CF9F736A33E46C6EEB
File SHA-1: 0x92DA5692B1B1AF1B136D654E749DE892B412B6FB
Filesize: 239,616 bytes
Alias & packer info:

TrojanSpy.Banker.GV [PCTools]
Trojan Horse [Symantec]
Trojan-Banker.Win32.Banker.gl [Kaspersky Lab]
Generic.ca [McAfee]
Troj/Banker-GL [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.239616.G [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #6:

File MD5: 0x0F45105E2E79173194681B3488DE05D6
File SHA-1: 0x3423B22F81E2721A5C5BC74B35B6DBF5E859EFBD
Filesize: 662,528 bytes
Alias & packer info:

TrojanSpy.Banker.GU [PCTools]
Infostealer.Banpaes [Symantec]
Trojan-Banker.Win32.Banker.gk [Kaspersky Lab]
Generic.dc [McAfee]
Troj/Banker-GK [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.662528.E [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #7:

File MD5: 0x3025881A57611A4172C8FD1DF46CA7D8
File SHA-1: 0xF36C93409E3A2503A7FDE4ED24E9DE3267B108C8
Filesize: 727,552 bytes
Alias & packer info:

TrojanSpy.Banker.GW [PCTools]
Trojan Horse [Symantec]
Trojan-Banker.Win32.Banker.gj [Kaspersky Lab]
TSPY_BANBRA.Q [Trend Micro]
Troj/Banker-GJ [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.727552.L [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #8:

File MD5: 0xEA2FE2EF5D6AE04EF72F1C43F1B207B4
File SHA-1: 0x6B7C780C52B0E51247C2BDFAD561A0CBD3643167
Filesize: 195,072 bytes
Alias & packer info:

TrojanSpy.Banker.GR [PCTools]
Infostealer.Banpaes [Symantec]
Trojan-Banker.Win32.Banker.ko [Kaspersky Lab]
Generic.cb [McAfee]
Troj/Bancos-BF [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.195072.B [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #9:

File MD5: 0xBD4970E468D408B90F89D3C28359C9C4
File SHA-1: 0x81F02B1CF34EBBF406065BCA999B55B1C61186BE
Filesize: 339,456 bytes
Alias & packer info:

Trojan-Spy.Banpaes!sd5 [PCTools]
Infostealer.Banpaes [Symantec]
Trojan-Banker.Win32.Banpaes.g [Kaspersky Lab]
Generic.dc [McAfee]
Troj/Banpaes-G [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banpaes.339456 [AhnLab]
packed with: ASPack [Kaspersky Lab]

Downloaded sample #10:

File MD5: 0xF5F3FE581471FA805FF6A597DBD15072
File SHA-1: 0x640B35F852B5ACAA5EACD5B5EFB6CA4EE32C4D17
Filesize: 775,168 bytes
Alias & packer info:

Trojan.Banker.RFN [PCTools]
Trojan Horse [Symantec]
Trojan-Banker.Win32.Banker.gy [Kaspersky Lab]
Troj/Banker-GY [Sophos]
TrojanSpy:Win32/Banker [Microsoft]
Trojan-Spy.Win32.Banbra [Ikarus]
Win-Trojan/Banker.775168.Z [AhnLab]
packed with: ASPack [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan-Spy.Banpaes!sd5	Trojan-Spy.Banpaes!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.

Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	553,984 bytes	MD5: 0xB92031999CDA7A99ADCBD5856222C5AF SHA-1: 0xEF79FB507011239856B6DDE42A065906D25BE940	TrojanSpy.Banker.GT [PCTools] Infostealer.Banpaes [Symantec] Trojan-Banker.Win32.Banker.go [Kaspersky Lab] Troj/Banker-GO [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.553984.J [AhnLab] packed with ASPack [Kaspersky Lab]
2	[file and pathname of the sample #10]	775,168 bytes	MD5: 0xF5F3FE581471FA805FF6A597DBD15072 SHA-1: 0x640B35F852B5ACAA5EACD5B5EFB6CA4EE32C4D17	Trojan.Banker.RFN [PCTools] Trojan Horse [Symantec] Trojan-Banker.Win32.Banker.gy [Kaspersky Lab] Troj/Banker-GY [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.775168.Z [AhnLab] packed with ASPack [Kaspersky Lab]
3	[file and pathname of the sample #2]	1,232,896 bytes	MD5: 0x90EED934A1375851B646B9AB604536C7 SHA-1: 0x03001D8D23471BF5460DE648485DE6B35951C328	TrojanSpy.Banker.GQ [PCTools] Trojan Horse [Symantec] Trojan-Banker.Win32.Banker.gp [Kaspersky Lab] PWS-Banker.gen.i [McAfee] Troj/Banker-GP [Sophos] Trojan:Win32/Agent [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.1232896 [AhnLab] packed with ASPack [Kaspersky Lab]
4	[file and pathname of the sample #3]	287,744 bytes	MD5: 0x11ECA703C700BC4F39E1BA4D06828EE1 SHA-1: 0xA81B20415759ECC4D8F257BB89E649543DAC51A6	TrojanSpy.Banker.GY [PCTools] Trojan Horse [Symantec] Trojan-Banker.Win32.Banker.gn [Kaspersky Lab] Troj/Banker-GN [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-PWS.Win32.QQPass [Ikarus] Win-Trojan/Banker.287744.F [AhnLab] packed with ASPack [Kaspersky Lab]
5	[file and pathname of the sample #4]	469,504 bytes	MD5: 0xAD77CFEC16B4770EC5D2CF45C9BC592A SHA-1: 0x6588DFA61D56637A81EB8EBB33BF7287AC186BBA	TrojanSpy.Banker.GX [PCTools] Infostealer.Banpaes [Symantec] Trojan-Banker.Win32.Banker.gm [Kaspersky Lab] Troj/Banker-GM [Sophos] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.469504.B [AhnLab] packed with ASPack [Kaspersky Lab]
6	[file and pathname of the sample #5]	239,616 bytes	MD5: 0x89FB6C58E51878CF9F736A33E46C6EEB SHA-1: 0x92DA5692B1B1AF1B136D654E749DE892B412B6FB	TrojanSpy.Banker.GV [PCTools] Trojan Horse [Symantec] Trojan-Banker.Win32.Banker.gl [Kaspersky Lab] Generic.ca [McAfee] Troj/Banker-GL [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.239616.G [AhnLab] packed with ASPack [Kaspersky Lab]
7	[file and pathname of the sample #6]	662,528 bytes	MD5: 0x0F45105E2E79173194681B3488DE05D6 SHA-1: 0x3423B22F81E2721A5C5BC74B35B6DBF5E859EFBD	TrojanSpy.Banker.GU [PCTools] Infostealer.Banpaes [Symantec] Trojan-Banker.Win32.Banker.gk [Kaspersky Lab] Generic.dc [McAfee] Troj/Banker-GK [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.662528.E [AhnLab] packed with ASPack [Kaspersky Lab]
8	[file and pathname of the sample #7]	727,552 bytes	MD5: 0x3025881A57611A4172C8FD1DF46CA7D8 SHA-1: 0xF36C93409E3A2503A7FDE4ED24E9DE3267B108C8	TrojanSpy.Banker.GW [PCTools] Trojan Horse [Symantec] Trojan-Banker.Win32.Banker.gj [Kaspersky Lab] TSPY_BANBRA.Q [Trend Micro] Troj/Banker-GJ [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.727552.L [AhnLab] packed with ASPack [Kaspersky Lab]
9	[file and pathname of the sample #8]	195,072 bytes	MD5: 0xEA2FE2EF5D6AE04EF72F1C43F1B207B4 SHA-1: 0x6B7C780C52B0E51247C2BDFAD561A0CBD3643167	TrojanSpy.Banker.GR [PCTools] Infostealer.Banpaes [Symantec] Trojan-Banker.Win32.Banker.ko [Kaspersky Lab] Generic.cb [McAfee] Troj/Bancos-BF [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banker.195072.B [AhnLab] packed with ASPack [Kaspersky Lab]
10	[file and pathname of the sample #9]	339,456 bytes	MD5: 0xBD4970E468D408B90F89D3C28359C9C4 SHA-1: 0x81F02B1CF34EBBF406065BCA999B55B1C61186BE	Trojan-Spy.Banpaes!sd5 [PCTools] Infostealer.Banpaes [Symantec] Trojan-Banker.Win32.Banpaes.g [Kaspersky Lab] Generic.dc [McAfee] Troj/Banpaes-G [Sophos] TrojanSpy:Win32/Banker [Microsoft] Trojan-Spy.Win32.Banbra [Ikarus] Win-Trojan/Banpaes.339456 [AhnLab] packed with ASPack [Kaspersky Lab]

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,851,392 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	3,862,528 bytes
[filename of the sample #7]	[file and pathname of the sample #7]	1,187,840 bytes
[filename of the sample #6]	[file and pathname of the sample #6]	1,662,976 bytes
[filename of the sample #4]	[file and pathname of the sample #4]	876,544 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	671,744 bytes
[filename of the sample #5]	[file and pathname of the sample #5]	598,016 bytes
[filename of the sample #8]	[file and pathname of the sample #8]	503,808 bytes
[filename of the sample #9]	[file and pathname of the sample #9]	1,847,296 bytes
[filename of the sample #10]	[file and pathname of the sample #10]	1,736,704 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

To mark the presence in the system, the following Mutex objects were created:

Tj Mutex do MODIS
Tj Modulex Show no Hide

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.