ThreatExpert Report: Mal/Banspy-K, Trojan-Banker.Win32.Banker2, Trojan-Downloader.Win32.Banload

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 25 October 2012, 09:51:57
Processing time: 11 min 52 sec
Submitted sample:

File MD5: 0x45A60AE8BCAD03BF6DCC64E1428E4E61
File SHA-1: 0xEEE94E582F0E768983B4053118A1EE1FA4B55D0A
Filesize: 1,345,024 bytes
Alias:

Mal/Banspy-K [Sophos]
Trojan-Banker.Win32.Banker2 [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Communication with a remote SMTP server and sending out email.
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\include	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%Windir%\olmoqpt.txt	1,448 bytes	MD5: 0xA56C41EA40A941D56680753F8938ED9A SHA-1: 0x084C9F218FD52C9A0C06ACAF4B697F75D4F79198	(not available)
3	%System%\drivers\tkpzwm.sys	61,440 bytes	MD5: 0x589312A3B46721C5A751E4D5222A89BE SHA-1: 0x3A497D3968A4F6E3C648D196DA38E5F98E75EC30	(not available)
4	%System%\Flash.exe	731,136 bytes	MD5: 0x30F3680E007D924960FD65524DE36601 SHA-1: 0x23F1E67E28052188432D2031335A79CB5AE72A8F	packed with UPX [Kaspersky Lab]
5	%System%\Plg.txt	696 bytes	MD5: 0x163788696E9FF180410F5049ACCD8C28 SHA-1: 0x4BC49B03552A8FFB8324763722F5360EFCD1A8B2	Trojan-Downloader.Win32.Banload [Ikarus]
6	[file and pathname of the sample #1]	1,345,024 bytes	MD5: 0x45A60AE8BCAD03BF6DCC64E1428E4E61 SHA-1: 0xEEE94E582F0E768983B4053118A1EE1FA4B55D0A	Mal/Banspy-K [Sophos] Trojan-Banker.Win32.Banker2 [Ikarus]

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	2,007,040 bytes
Flash.exe	%System%\flash.exe	2,834,432 bytes
cleanup.exe	C:\cleanup.exe	28,672 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zmltrduv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zmltrduv

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[filename of the sample #1] = "[file and pathname of the sample #1]"

so that [file and pathname of the sample #1] runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

Cleanup = "C:\cleanup.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zmltrduv]

ImagePath = "%System%\Drivers\tkpzwm.sys"
Start = 0x00000000
Type = 0x00000001
ErrorControl = 0x00000001
ztlrzphd = "%Windir%\olmoqpt.txt"
dcbyd = "C:\WINDOWS"
dznzp = 0x0000FF5C
Group = "miagbffi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zmltrduv]

ImagePath = "%System%\Drivers\tkpzwm.sys"
Start = 0x00000000
Type = 0x00000001
ErrorControl = 0x00000001
ztlrzphd = "%Windir%\olmoqpt.txt"
dcbyd = "C:\WINDOWS"
dznzp = 0x0000FF5C
Group = "miagbffi"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder]

List =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]

List =

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

The following ports were open in the system:

Port	Protocol	Process
1038	UDP	[file and pathname of the sample #1]
1041	UDP	[file and pathname of the sample #1]

The following Host Name was requested from a host database:

mail.aminempres.dominiotemporario.com

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
mail.aminempres.dominiotemporario.com	1034

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.bradesco.com.br	80	(null)	(null)

The following GET requests were made:

index.html
index.jpg

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\Flash.exe

Generated SMTP traffic

Email Sender:

10@aminempres.dominiotemporario.com

Email Recipient:

avisos.daniel2012@gmail.com

Email Subject:

Usuario: UserName | Vers?o SO: Windows XP(vers?o 5.01 2600 Service Pack 2)

Email Body:

Endere?o: Vers?o do Windows: Windows XP( vers?o 5.01 2600 Service Pack 2) Nome no PC: COMPUTERNAME .

For example, the generated email message may look similar to the one shown below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.