Submission Summary:

What's been foundSeverity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.


Technical Details:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.


Possible Security Risk

Security RiskDescription
Trojan-Spy.Bankject Trojan-Spy.Bankject injects extra HTML code into internet banking webpages in order to steal passwords and credit card details. It also steals email addresses from Windows Address Book and sends all these stolen information to the attacker.
Virus.Neshta Virus.Neshta infects executable files by apending its encrypted code to the host file.

Threat CategoryDescription
A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body


File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Temp%\3582-490\[filename of the sample #1]
109,568 bytes MD5: 0xEF7FB89899B7D8BABF0DE9D849D42C44
SHA-1: 0xCB46314FD322774394929E338EFBAA8F1E9DCE01
Backdoor.Nitol [Symantec]
Trojan-Spy.Win32.Agent.btsm [Kaspersky Lab]
Troj/Dloadr-DNE [Sophos]
DDoS:Win32/Nitol.A [Microsoft]
Trojan.Win32.ServStart [Ikarus]
2 %Temp%\tmp5023.tmp 8 bytes MD5: 0x6DE51F2CAA6D4293CB5FF22AC938A928
SHA-1: 0x6D8DF9A0651B71756E1E0B12DC67BAB9F799FFBE
(not available)
3 %Windir%\directx.sys 33 bytes MD5: 0xCF4C20A90A31F5E8DC1B9183788E5E23
SHA-1: 0x3BD3FB2BD932745ACC7E1A6E46E8672E49551A6A
(not available)
4 %Windir%\ 41,472 bytes MD5: 0x36FD5E09C417C767A952B4609D73A54B
SHA-1: 0x299399C5A2403080A5BF67FB46FAEC210025B36D
W32.Neshuta [Symantec]
Virus.Win32.Neshta.a [Kaspersky Lab]
W32/HLLP.41472.e [McAfee]
PE_NESHTA.A-O [Trend Micro]
W32/Bloat-A [Sophos]
Virus:Win32/Neshta.A [Microsoft]
Virus.Win32.Neshta [Ikarus]
Win32/Neshta [AhnLab]
5 [file and pathname of the sample #1] 151,040 bytes MD5: 0x88820E2A32465A703F4B580354DD6627
SHA-1: 0x6099297610F2976E37B55783E261225F8C85F29B
Backdoor.Nitol [Symantec]
Virus.Win32.Neshta.a [Kaspersky Lab]
W32/HLLP.41472.e [McAfee]
PE_NESHTA.A [Trend Micro]
W32/Bloat-A [Sophos]
Virus:Win32/Neshta.A [Microsoft]
Virus.Win32.Neshta [Ikarus]
Win32/Neshta [AhnLab]


Memory Modifications

Process NameProcess FilenameMain Module Size
kkwgks.exe%System%\kkwgks.exe126,976 bytes
IEXPLORE.EXEC:\PROGRA~1\INTERN~1\IEXPLORE.EXE102,400 bytes\svchost.com110,592 bytes
[filename of the sample #1][file and pathname of the sample #1]110,592 bytes
VMEB23~1.EXEC:\PROGRA~1\VMware\VMWARE~1\VMEB23~1.EXE90,112 bytes
[filename of the sample #1]%Temp%\3582-490\[filename of the sample #1]126,976 bytes

Service NameDisplay NameStatusService Filename
NationalmuaNationalgou Instruments Domain Service"Running"%System%\kkwgks.exe


Registry Modifications


Other details

Russian Federation

1033TCPkkwgks.exe (%System%\kkwgks.exe)

Remote HostPort Number


Outbound traffic (potentially malicious)



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.