Submission Summary:

What's been found | Severity Level
Contains characteristics of an identified security risk.

Technical Details:

 

Possible Security Risk

Threat Category | Description
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %Temp%\16.exe 6,496 bytes MD5: 0x12D6DDF907A124B680F8A98DFD5B9DDF
SHA-1: 0x4D7192B0F37D2C9FBCBB281C289130AA20E9C185
(not available)
2 %Temp%\17.exe 9,216 bytes MD5: 0xF6C9748A9D958331AFB54EFC0B3D9537
SHA-1: 0x17439DBB44DEED7A97FAB30E91B818E363057783
Trojan.Gen.2 [Symantec]
Mal/EncPk-ZC [Sophos]
Trojan.Crypt [Ikarus]
3 %Temp%\18.exe 22,560 bytes MD5: 0x19E973F1B5EE3D05A0A87E63998C891B
SHA-1: 0x17398FC4B5656231505F373A340B83E4646D4E3E
(not available)
4 %Temp%\19.exe 21,536 bytes MD5: 0x25C1FF136AA9A20D3BF614381FA8FD86
SHA-1: 0xCACF834622A36D1042C58F4BF1E82C4C8EE7DA51
(not available)
5 %Temp%\20.exe 47,616 bytes MD5: 0x33703793AF3A3B0958FFCF187E0AD94D
SHA-1: 0xAC3C0A9851F449CAE31514DB65CD06B7028348DC
(not available)
6 %Temp%\21.exe 17,761 bytes MD5: 0xA829A2E6E45CD9A7024DFD1ADC1725EA
SHA-1: 0x29395D470DEB39D5A813FBF7611FB4B42C79A714
(not available)
7 %Temp%\22.exe 765,223 bytes MD5: 0xC45DB89D7D55A70DAE8E044477EEDD7D
SHA-1: 0x405A73AA7311D8FB589B54D832FB9888D06A928B
Trojan-Dropper.Agent [Ikarus]
8 %Temp%\23.exe 33,280 bytes MD5: 0xE7F96A0F844567C91B43C99F0B6618B1
SHA-1: 0x332215D6EE2C8D7C13D0F907670F8B8EA88B318B
(not available)
9 %Temp%\24.exe 61,440 bytes MD5: 0x1004D910B38B502C0E2980D2D504266E
SHA-1: 0x7592BA4AA1ED25873BDC1A2A8F1A6CF988B7D065
Mal/KeyGen-M [Sophos]
10 %Temp%\25.exe 20,350 bytes MD5: 0x5DBA9FC6952540A6CF7913DAEE22E48D
SHA-1: 0xE134B0E607D045943FE19EFDC3070AB28AFD66A4
Tool-TPatch [McAfee]
Trojan.SuspectCRC [Ikarus]
11 %Temp%\26.exe 147,968 bytes MD5: 0x9C6C876E1F74052CFA9A2A4F80685F8C
SHA-1: 0x1EB000D03FC55B57C1E8AF37CDAC0D74796A0390
possible-Threat.Keygen [Ikarus]
packed with UPX [Kaspersky Lab]
12 %Temp%\27.exe 6,766 bytes MD5: 0xCC3F281253F190D6EE961B46F1C597DF
SHA-1: 0x88974393603A6340F1F28568206E711D460FBF3F
Trojan Horse [Symantec]
Mal/Packer [Sophos]
packed with FSG [Kaspersky Lab]
13 %Temp%\28.exe 271,872 bytes MD5: 0xD3C5243ED61D4C40BAA6F859F822035B
SHA-1: 0x2EDFE3985E7146AA7C2F6542E8A4986547AAA15E
(not available)
14 %Temp%\29.exe 2,063,872 bytes MD5: 0xAB740F99F5AD340C8B10BB2D163F1362
SHA-1: 0xAE1ED94A4A71B3A082DC58439F57F986B6E6BB3C
Packed.Vmpbad!gen4 [Symantec]
Mal/Behav-363 [Sophos]
15 %Temp%\30.exe 724,671 bytes MD5: 0xA4DD2C290FF84C34DC17CE8CDD6CDD6C
SHA-1: 0x1359DFBAA860E6ED015F1A20EFA7493B7A6CADE9
Trojan.Gen [Symantec]
Trojan-Dropper.Agent [Ikarus]
16 [file and pathname of the sample #1] 3,323,009 bytes MD5: 0x838F20537C69099D71EE161F48EEB145
SHA-1: 0x9EF602D7CF4A33AB1F3BE4A7C43F62A5CBBEC621
Trojan.Crypt [Ikarus]

 

Memory Modifications

Process Name | Process Filename | Main Module Size
23.exe | %Temp%\23.exe | 65,536 bytes
24.exe | %Temp%\24.exe | 237,568 bytes
25.exe | %Temp%\25.exe | 33,792 bytes
26.exe | %Temp%\26.exe | 360,448 bytes
27.exe | %Temp%\27.exe | 36,864 bytes
30.exe | %Temp%\30.exe | 733,184 bytes
17.exe | %Temp%\17.exe | 36,864 bytes
19.exe | %Temp%\19.exe | 69,632 bytes
20.exe | %Temp%\20.exe | 143,360 bytes
21.exe | %Temp%\21.exe | 77,824 bytes
18.exe | %Temp%\18.exe | 69,632 bytes
29.exe | %Temp%\29.exe | 8,380,416 bytes
22.exe | %Temp%\22.exe | 733,184 bytes
28.exe | %Temp%\28.exe | N/A

Other details

Port | Protocol | Process
1033 | TCP | 28.exe (%Temp%\28.exe)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

Copyright © 2013 ThreatExpert. All rights reserved.