Submission Summary:

What's been found    Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.


Technical Details:


File System Modifications

#  Filename(s)  |  File Size  |  File Hash  |  Alias
1  %CommonPrograms%\Windows Risk Minimizer.lnk  |  936 bytes
   MD5: 0xCE7A006C400A4C67FE62C9076C14395E
   SHA-1: 0xEA8A39DEDB5A3FC4E99A81B16DF4892897AB42E8
   Alias: (not available)
2  %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol  |  102 bytes
   MD5: 0x8548AC8F2A90DFEAA7AC7E24BA675533
   SHA-1: 0x5EB7CCA867CFC1C21E20EF9B1C969A06A4A63EBF
   Alias: (not available)
3  %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol  |  479 bytes
   MD5: 0x7666EA0675DDED0D716C03621D924D07
   SHA-1: 0x63EF8663ADE20AC7BD2EB4873FB5AAFDAA7B4BCB
   Alias: (not available)
4  %DesktopDir%\Windows Risk Minimizer.lnk  |  906 bytes
   MD5: 0x3030439CB96FA4B2E28DBFAA0732DF6F
   SHA-1: 0xAF844AD1CD0DD0A9038A4B5337C375DE4A987591
   Alias: (not available)
5  %AppData%\NPSWF32.dll  |  8,527,008 bytes
   MD5: 0xDE3745A51B7AC7FEDC356A83F76C8023
   SHA-1: 0x7043C94CDE62CEC4FC5840121B7944463B227411
   Alias: (not available)
6  %AppData%\Protector-ich.exe  |  1,966,592 bytes
   MD5: 0x65A93CB59B089BD678AB56B60FB7A060
   SHA-1: 0x5BF9EFE4DF77C1838FD8D39BF8BC1FA1B63C2A2B
   Alias: Mal/FakeAV-MJ, Mal/FakeAV-MJ, Mal/FakeAV-MJ [Sophos]
   Alias: packed with PE_Patch [Kaspersky Lab]
7  %AppData%\result.db  |  346 bytes
   MD5: 0x609C489F3AFB5279284A20E7ED47A20F
   SHA-1: 0xE3FC039CBD96DE5F9397E0611DDE6BE4A1354B15
   Alias: (not available)
8  %Temp%\RarSFX0\temp.exe  |  2,044,394 bytes
   MD5: 0xAF211D2B578BE48A9FF226C00D53E9F6
   SHA-1: 0x02247608E3DCD6FC6E5FC3B78D086AD60AB4E6F9
   Alias: Trojan-Dropper.RAR.Agent.a [Kaspersky Lab]
9  [file and pathname of the sample #1]  |  2,101,355 bytes
   MD5: 0x8803B11DFDD25468983D1D2F9FF97F14
   SHA-1: 0xDDBFE075D202F0EB40643FC989258F06E0A4EE0F
   Alias: Trojan-Dropper.RAR.Agent.a [Kaspersky Lab]
   Alias: Generic Dropper.ady [McAfee]


Memory Modifications

Process Name         Process Filename               Main Module Size
Protector-ich.exe    %AppData%\protector-ich.exe    4,145,152 bytes

Module Name    Module Filename          Address Space Details
npswf32.dll    %AppData%\npswf32.dll    Process name: Protector-ich.exe
                                        Process filename: %AppData%\protector-ich.exe
                                        Address space: 0x36E0000 - 0x3FEA000


Registry Modifications


Other details

Port    Protocol    Process
1053    UDP         Protector-ich.exe (%AppData%\Protector-ich.exe)

Remote Host        Port Number
107.20.206.187     80
95.143.37.153      80
95.143.37.154      80
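The tables above are only useful if they can be turned into something a responder can run. The following script is an added example and is not ThreatExpert's code: it parses rows in the report's own row format (row number, path with %Var% placeholders, size, MD5, then the SHA-1 and alias lines) into IOC records, strips the 0x prefix from the hashes so they can be compared with what hashlib produces, hunts a directory tree for hash or file-name matches, and flags log lines that reach the three remote hosts listed under "Other details" on port 80. Assumptions not taken from the report: the caller supplies the mapping from placeholders such as %AppData% to real directories, and the proxy-log line format consumed by c2_hits() is a constructed one.

```python
"""Parse this report's file-system and remote-host rows into IOCs and hunt for them.

Added example, not ThreatExpert's code. The placeholder-to-directory mapping used by
expand_path() and the log format read by c2_hits() are assumptions, not report data.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Rows 6, 8 and 9, copied from the report's File System Modifications table.
REPORT_ROWS = r"""
6 %AppData%\Protector-ich.exe 1,966,592 bytes MD5: 0x65A93CB59B089BD678AB56B60FB7A060
SHA-1: 0x5BF9EFE4DF77C1838FD8D39BF8BC1FA1B63C2A2B
Mal/FakeAV-MJ, Mal/FakeAV-MJ, Mal/FakeAV-MJ [Sophos]
packed with PE_Patch [Kaspersky Lab]
8 %Temp%\RarSFX0\temp.exe 2,044,394 bytes MD5: 0xAF211D2B578BE48A9FF226C00D53E9F6
SHA-1: 0x02247608E3DCD6FC6E5FC3B78D086AD60AB4E6F9
Trojan-Dropper.RAR.Agent.a [Kaspersky Lab]
9 [file and pathname of the sample #1] 2,101,355 bytes MD5: 0x8803B11DFDD25468983D1D2F9FF97F14
SHA-1: 0xDDBFE075D202F0EB40643FC989258F06E0A4EE0F
Trojan-Dropper.RAR.Agent.a [Kaspersky Lab]
Generic Dropper.ady [McAfee]
"""

# Remote hosts from the report's "Other details" table (all contacted on TCP port 80).
C2_HOSTS = {("107.20.206.187", 80), ("95.143.37.153", 80), ("95.143.37.154", 80)}

FILE_ROW = re.compile(r"^(\d+)\s+(.+?)\s+([\d,]+) bytes\s+MD5: 0x([0-9A-Fa-f]{32})$")
SHA1_ROW = re.compile(r"^SHA-1: 0x([0-9A-Fa-f]{40})$")


@dataclass
class FileIOC:
    number: int
    path: str                  # path with the report's %Var% placeholders left intact
    size: int
    md5: str                   # lowercase hex, 0x prefix stripped
    sha1: str = ""
    aliases: list = field(default_factory=list)   # vendor detection names


def parse_file_rows(text):
    """Turn 'N path size MD5' / 'SHA-1' / alias lines into FileIOC records."""
    iocs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias: "):          # tolerate an 'Alias:' column label
            line = line[len("Alias: "):]
        if not line:
            continue
        m = FILE_ROW.match(line)
        if m:
            cur = FileIOC(int(m.group(1)), m.group(2),
                          int(m.group(3).replace(",", "")), m.group(4).lower())
            iocs.append(cur)
            continue
        m = SHA1_ROW.match(line)
        if m and cur is not None:
            cur.sha1 = m.group(1).lower()
        elif cur is not None and line != "(not available)":
            cur.aliases.append(line)
    return iocs


def expand_path(report_path, env):
    """Resolve %Var% placeholders via env (assumed mapping: placeholder name -> directory)."""
    return re.sub(r"%([A-Za-z]+)%", lambda m: env.get(m.group(1), m.group(0)), report_path)


def hash_file(path):
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def hunt(iocs, root):
    """Walk root: (path, 'hash', row) on an exact hash match, (path, 'name', row) when
    only the file name matches (weaker evidence: a re-packed dropper changes the hash)."""
    by_md5 = {i.md5: i for i in iocs}
    by_sha1 = {i.sha1: i for i in iocs if i.sha1}
    by_name = {i.path.replace("\\", "/").rsplit("/", 1)[-1].lower(): i for i in iocs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            md5, sha1 = hash_file(full)
            ioc = by_sha1.get(sha1) or by_md5.get(md5)
            if ioc is not None:
                hits.append((full, "hash", ioc.number))
            elif name.lower() in by_name:
                hits.append((full, "name", by_name[name.lower()].number))
    return hits


def c2_hits(log_lines):
    """Return lines whose destination is one of the report's remote hosts.
    Constructed line format: '<timestamp> <src_ip> -> <dst_ip>:<dst_port>'."""
    pat = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
    return [l for l in log_lines
            if (m := pat.search(l)) and (m.group(1), int(m.group(2))) in C2_HOSTS]


def self_check():
    """Run hunt() on a temp dir holding a constructed file with a known hash,
    a same-named but different Protector-ich.exe, and an unrelated file."""
    iocs = parse_file_rows(REPORT_ROWS)
    payload = b"constructed sample bytes"     # stands in for a dropped file we have hashes for
    iocs.append(FileIOC(99, r"%AppData%\dropped.bin", len(payload),
                        hashlib.md5(payload).hexdigest(), hashlib.sha1(payload).hexdigest()))
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("dropped.bin", payload),
                           ("Protector-ich.exe", b"re-packed, different bytes"),
                           ("benign.txt", b"nothing to see")):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        return sorted((reason, row) for _, reason, row in hunt(iocs, tmp))
```

Two caveats when using the hashes from this report. First, a hash match is only evidence of the identical on-disk file: row 8 is a self-extracting RAR payload (%Temp%\RarSFX0\temp.exe, Trojan-Dropper.RAR.Agent.a) and row 6 is flagged as packed with PE_Patch, so a re-packed build of the same FakeAV will not match, which is why hunt() also reports the weaker name-only hits. Second, the Memory Modifications table shows Protector-ich.exe with a 4,145,152-byte main module in memory against 1,966,592 bytes on disk, so hashes of a memory dump of the process will not match the file hashes either; compare disk artefacts with disk hashes and treat the in-memory image separately.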

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.