Submission Summary:

What's been found (Severity Level)

- Communication with a remote IRC server.
- Produces outbound traffic.
- Downloads/requests other files from Internet.
- Creates a startup registry entry.
- Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Threat Category / Description:
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment.

 

File System Modifications

1. c:\log_erros.txt
   File size: 0 bytes
   MD5:   0xD41D8CD98F00B204E9800998ECF8427E
   SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)

2. [file and pathname of the sample #1]
   %System%\top.exe
   File size: 331,776 bytes
   MD5:   0x6D85B53C0FAC205126A4F0889614F2B8
   SHA-1: 0xF1A78FE21F02A3B5023AEEBE3C9D852004440A33
   Aliases: Cryp_PESpin [Trend Micro]; Mal/Packer [Sophos]; Packer.PESpin [Ikarus]; packed with PESpin [Kaspersky Lab]

3. %System%\TPR0R0.exe
   File size: 1,533,440 bytes
   MD5:   0x42B3E48FD5C4246F78788B880DEFC61A
   SHA-1: 0x969EE3DFC68013164C59C7664CB1A9168C70D32D
   Aliases: Suspicious.MH690 [Symantec]; Cryp_PESpin [Trend Micro]; Mal/Packer [Sophos]; Packer.PESpin [Ikarus]; packed with PESpin [Kaspersky Lab]

4. %System%\TPS0S0.exe
   File size: 244,224 bytes
   MD5:   0xD3770D0A56BD82E8C8A6A65AE1C2CA6F
   SHA-1: 0xF9CFA2A2984E5A0F45EDA65121EEA7F47D1D5094
   Aliases: Cryp_PESpin [Trend Micro]; Mal/Packer [Sophos]; Packer.PESpin [Ikarus]; packed with PESpin [Kaspersky Lab]

Note: apart from Suspicious.MH690, every alias above is a packer detection (PESpin), so the vendor names identify how the executables are packed, not the malware family. The 0-byte log file's MD5 and SHA-1 are the digests of empty input, so they do not identify the sample.

 

Memory Modifications

Process Name   Process Filename       Main Module Size
TPR0R0.exe     %System%\tpr0r0.exe    N/A
top.exe        %System%\top.exe       N/A
TPS0S0.exe     %System%\tps0s0.exe    N/A

Service Name   Display Name                                         New Status   Service Filename
ALG            Application Layer Gateway Service                    "Stopped"    %System%\alg.exe
SharedAccess   Windows Firewall/Internet Connection Sharing (ICS)   "Stopped"    %System%\svchost.exe -k netsvcs

Stopping SharedAccess turns off the built-in Windows Firewall on Windows XP-era hosts, leaving the bot's outbound connections unfiltered.

 

Registry Modifications

 

Other details

Brazil

Port   Protocol   Process
1061   TCP        TPR0R0.exe (%System%\TPR0R0.exe)

Remote Host       Port Number
200.196.254.164   80
204.0.5.26        80
209.85.225.97     443
211.0.153.34      443
211.11.149.195    443
213.30.110.65     443
213.30.110.70     443
69.65.3.144       19425
69.65.3.144       21
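The indicators in this report can be turned directly into a host sweep. The Python script below is an added example and is not part of the ThreatExpert report: it carries the report's file hashes, file names and remote host/port pairs, hashes every file under a directory, and checks a "netstat -n" listing against the remote host table. The sample directory and the netstat excerpt it builds are constructed for the demonstration, and the label of 69.65.3.144:19425 as the probable IRC endpoint is an inference from the non-standard port, not something the report states. One caveat the code handles: the zero-byte c:\log_erros.txt hashes to the MD5/SHA-1 of empty input, so a hash hit on that entry is reported as weak rather than as a match on the malware.

```python
"""Sweep a host for the indicators listed in the ThreatExpert report above.

Added example; indicators are transcribed from the report tables. The sample
directory and netstat text are constructed, not captured from the sample.
"""
import hashlib
import tempfile
from pathlib import Path

# Report hashes, lower-cased with the report's "0x" prefix dropped so they
# compare directly against hashlib output.
REPORT_MD5 = {
    "d41d8cd98f00b204e9800998ecf8427e": r"c:\log_erros.txt",
    "6d85b53c0fac205126a4f0889614f2b8": r"%System%\top.exe",
    "42b3e48fd5c4246f78788b880defc61a": r"%System%\TPR0R0.exe",
    "d3770d0a56bd82e8c8a6a65ae1c2ca6f": r"%System%\TPS0S0.exe",
}
REPORT_SHA1 = {
    "da39a3ee5e6b4b0d3255bfef95601890afd80709": r"c:\log_erros.txt",
    "f1a78fe21f02a3b5023aeebe3c9d852004440a33": r"%System%\top.exe",
    "969ee3dfc68013164c59c7664cb1a9168c70d32d": r"%System%\TPR0R0.exe",
    "f9cfa2a2984e5a0f45eda65121eea7f47d1d5094": r"%System%\TPS0S0.exe",
}
REPORT_FILENAMES = {"log_erros.txt", "top.exe", "tpr0r0.exe", "tps0s0.exe"}
# Remote host/port pairs from the report. 69.65.3.144:19425 is the only
# non-standard port and is assumed (inference) to be the IRC session.
REPORT_REMOTES = {
    ("69.65.3.144", 19425), ("69.65.3.144", 21),
    ("200.196.254.164", 80), ("204.0.5.26", 80),
    ("209.85.225.97", 443), ("211.0.153.34", 443), ("211.11.149.195", 443),
    ("213.30.110.65", 443), ("213.30.110.70", 443),
}
# The zero-byte log file hashes to the empty-input digests; a hit on them
# would flag every empty file on disk, so it is downgraded to "weak".
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, streamed in 64 KiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_files(root):
    """Walk root and return (path, indicator, confidence) findings, sorted by path."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in REPORT_FILENAMES:
            findings.append((str(path), "filename", "medium"))
        md5, sha1 = hash_file(path)
        if md5 in REPORT_MD5 or sha1 in REPORT_SHA1:
            if md5 == EMPTY_MD5 and sha1 == EMPTY_SHA1:
                findings.append((str(path), "empty-file hash", "weak"))
            else:
                findings.append((str(path), "hash", "strong"))
    return findings


def parse_connections(netstat_text):
    """Yield (remote_ip, remote_port) from 'netstat -n'-style TCP lines."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() != "TCP":
            continue
        host, _, port = fields[2].rpartition(":")
        if port.isdigit():
            yield host, int(port)


def scan_connections(netstat_text):
    """Return the remote endpoints that appear in the report's remote host table."""
    return sorted(set(parse_connections(netstat_text)) & REPORT_REMOTES)


def build_sample_dir():
    """Constructed test tree: the reported empty log name, an unrelated empty
    file, and a top.exe with bogus content (not the real sample)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    Path(root, "log_erros.txt").write_bytes(b"")
    Path(root, "notes.txt").write_bytes(b"")
    Path(root, "top.exe").write_bytes(b"MZ not the real sample")
    return root


# Constructed 'netstat -n' excerpt; local port 1061 mirrors the report's open port.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1061      69.65.3.144:19425      ESTABLISHED
  TCP    192.168.1.20:1062      93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.20:1063      213.30.110.70:443      TIME_WAIT
"""


def demo():
    """Run both sweeps over the constructed inputs."""
    return scan_files(build_sample_dir()), scan_connections(SAMPLE_NETSTAT)


if __name__ == "__main__":
    files, conns = demo()
    for finding in files:
        print("file   %s  [%s, %s]" % finding)
    for host, port in conns:
        print("remote %s:%d" % (host, port))
```

Running it shows the caveat in practice: notes.txt, an unrelated empty file, is reported only as a weak empty-file hash hit, while the bogus top.exe matches on name alone, so neither should be treated as a confirmed infection without the strong-hash or network evidence.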

 

Outbound traffic (potentially malicious)

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.