ThreatExpert Report

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 August 2012, 03:46:25
Processing time: 6 min 29 sec
Submitted sample:

File MD5: 0x89A11F5DA8F8E58CFD2ECA972D9C6597
File SHA-1: 0xEB4C27B480B1BC55B00F26CE5B85132610F41A0A
Filesize: 144,896 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\abcd.bat	75 bytes	MD5: 0x0849CFE65B98BA5FCD9A9EC61A671D09 SHA-1: 0x9D0CCB383C32B1BC07FD9064B9324A18E1276902
2	[file and pathname of the sample #1]	144,896 bytes	MD5: 0x89A11F5DA8F8E58CFD2ECA972D9C6597 SHA-1: 0xEB4C27B480B1BC55B00F26CE5B85132610F41A0A

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 41 34 37 36 45 38 38 31 2D 45 34 31 35 2D 34 32 39 43 2D 41 44 42 31 2D 46 37 43 32 34 34 32 41 42 41 44 39 7D

Other details

The following Host Names were requested from a host database:

74.53.97.68
74.53.97.69
www.admirals.ae
deltaset.com
81.91.9.66

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
74.53.97.68	8080

The following HTTP URLs were started reading:

http://www.admirals.ae/EF40.exe
http://deltaset.com/4Vvsz.exe
http://81.91.9.66/pVJH.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 504F 5354 202F 666F 7275 6D2F 7669 6577 | POST /forum/view
00000010 | 746F 7069 632E 7068 7020 4854 5450 2F31 | topic.php HTTP/1
00000020 | 2E30 0D0A 486F 7374 3A20 3734 2E35 332E | .0..Host: 74.53.
00000030 | 3937 2E36 380D 0A41 6363 6570 743A 202A | 97.68..Accept: *
00000040 | 2F2A 0D0A 4163 6365 7074 2D45 6E63 6F64 | /*..Accept-Encod
00000050 | 696E 673A 2069 6465 6E74 6974 792C 202A | ing: identity, *
00000060 | 3B71 3D30 0D0A 436F 6E74 656E 742D 4C65 | ;q=0..Content-Le
00000070 | 6E67 7468 3A20 3435 340D 0A43 6F6E 6E65 | ngth: 454..Conne
00000080 | 6374 696F 6E3A 2063 6C6F 7365 0D0A 436F | ction: close..Co
00000090 | 6E74 656E 742D 5479 7065 3A20 6170 706C | ntent-Type: appl
000000A0 | 6963 6174 696F 6E2F 6F63 7465 742D 7374 | ication/octet-st
000000B0 | 7265 616D 0D0A 436F 6E74 656E 742D 456E | ream..Content-En
000000C0 | 636F 6469 6E67 3A20 6269 6E61 7279 0D0A | coding: binary..
000000D0 | 5573 6572 2D41 6765 6E74 3A20 4D6F 7A69 | User-Agent: Mozi
000000E0 | 6C6C 612F 342E 3020 2863 6F6D 7061 7469 | lla/4.0 (compati
000000F0 | 626C 653B 204D 5349 4520 352E 303B 2057 | ble; MSIE 5.0; W
00000100 | 696E 646F 7773 2039 3829 0D0A 0D0A 4352 | indows 98)....CR
00000110 | 5950 5445 4430 948E 0119 A53F 45D2 4D28 | YPTED0.....?E.M(
00000120 | 1DAB 4659 CA51 C0C0 AA4D FFE4 1FA0 D569 | ..FY.Q...M.....i
00000130 | D686 B818 6678 98C3 1191 4685 6837 5A43 | ....fx....F.h7ZC
00000140 | 0FD4 DCED 1432 F02E 42E8 DC2A DAB1 4110 | .....2..B..*..A.
00000150 | C5A5 4160 B8B2 C65B 79E3 F5A6 BDCA CA95 | ..A`...[y.......
00000160 | 59E8 EA5C D10A 2382 63DC 3C48 A7D3 205C | Y..\..#.c.<H.. \
00000170 | 7514 825A 44CC 205F 4D40 7A7A 27E5 899B | u..ZD. _M@zz'...
00000180 | F637 BECA 9F90 9FC3 3CB1 44F3 6507 53CD | .7......<.D.e.S.
00000190 | 403B 67A1 76E8 4FCB 2530 3960 E7EA 97F3 | @;g.v.O.%09`....
000001A0 | EA6F 2B4A 60C7 E5DA 447A D9E7 8916 439B | .o+J`...Dz....C.
000001B0 | 0EC1 1E97 15F8 FDEB 2246 3FDB 6D1F C7D4 | ........"F?.m...
000001C0 | 43F5 1804 1CC3 CBC7 0D73 0474 D619 5506 | C........s.t..U.
000001D0 | 3C46 B77E 2E41 39AA 5281 9C80 8FF0 1321 | <F.~.A9.R......!
000001E0 | 8AF6 488F 1B92 214D B875 FE5D 0BF5 2A21 | ..H...!M.u.]..*!
000001F0 | 419E C900 2C0B 36A0 F461 00AE 558E D462 | A...,.6..a..U..b
00000200 | AE0B 2447 CDCE 3A95 D825 EBA6 E48B 5CC7 | ..$G..:..%....\.
00000210 | C532 6E80 4BC4 E181 366F 5124 A658 79CF | .2n.K...6oQ$.Xy.
00000220 | 9A1E 2B1B 10CF BF71 5CDA 68C6 F98A 6954 | ..+....q\.h...iT
00000230 | E21D 0A58 7463 6D81 00EE 2E96 4E6B 3F0C | ...Xtcm.....Nk?.
00000240 | 27CE C415 6F9E 17A4 EE7D AE8D BD14 5E3A | '...o....}....^:
00000250 | 1C9A 618E 6ED8 A869 712D 6B97 B07F BD63 | ..a.n..iq-k....c
00000260 | E0A8 7C68 DB44 3B0E 3146 CCED 0556 C38C | ..|h.D;.1F...V..
00000270 | DE81 7E7C 6CEA 9A17 8CE0 6562 0E01 89ED | ..~|l.....eb....
00000280 | 767E 0C05 2670 7711 3A52 8481 60F8 F041 | v~..&pw.:R..`..A
00000290 | 7F11 621B 2174 AA63 162C D446 1D91 08A3 | ..b.!t.c.,.F....
000002A0 | B1EC A4D3 E97E 4375 51B3 0B6F 2D3B 8DFE | .....~CuQ..o-;..
000002B0 | E0CB CB61 5835 380D 3AC8 8D1F 5AFC AF17 | ...aX58.:...Z...
000002C0 | C4B5 3FE2 2130 C972 95C4 8F51 7E95 0D02 | ..?.!0.r...Q~...
000002D0 | B2F7 7F59                               | ...Y

Downloaded File Summary:

Download details:

Download retrieved: 18 August 2012 03:52:54
Processing time: 3 min 39 sec
Downloaded sample:

File MD5: 0x5119DA3E601BE70E134249BCED8E4985
File SHA-1: 0xC6913281022DA029C6CF4D48CD81D7A19D0A645B
Filesize: 312,321 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\Lilaol\ahtuy.exe	312,321 bytes	MD5: 0xF812D34E2CD0EFDEB83E24CA12EF18D4 SHA-1: 0x76925EDCF492D5F0871EE28D76A83CEBE76FEA29
2	%AppData%\rarox.ire	1,322 bytes	MD5: 0x53C6714F65D0008DD4F9973EE2A4F6FF SHA-1: 0xFB104B0D29C128A939E94FA473E5D1ED84F918D4
3	%Temp%\tmp2dcbe175.bat	168 bytes	MD5: 0xD32A463E4CBF7127519EB8EE161C3A8D SHA-1: 0xB7B3E3794E7E5EC66CD85ADDFA998172936AC46A
4	[file and pathname of the sample #1]	312,321 bytes	MD5: 0x5119DA3E601BE70E134249BCED8E4985 SHA-1: 0xC6913281022DA029C6CF4D48CD81D7A19D0A645B

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directory was created:

%AppData%\Lilaol

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	229,376 bytes
ahtuy.exe	%AppData%\Lilaol\ahtuy.exe	229,376 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
cmd.exe	%System%\cmd.exe	278,528 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Zoiwzo

The newly created Registry Values are:

[HKEY_CURRENT_USER\Identities]

Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]

CleanCookies = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

{3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = ""%AppData%\Lilaol\ahtuy.exe""

so that ahtuy.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Zoiwzo]

1i6g40jb = A9 5A 18 EA FA 8D 50 78 D3 6C B0 80 D8 FD 02 97 72 2B 8A 68
1dg1gd15 = 8E 5A 7D EA
dg4f065 = 2F 08 7D EA 1F A3 39 78 A9 6C DF 80

The following Registry Values were modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1406 =
1609 =

Other details

To mark the presence in the system, the following Mutex object was created:

Local\{FA4803F7-084F-6AC9-A6BA-A75086AF8442}

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.google.com	80	(null)	(null)
wkwckzutcdicmijtfigmcieybmcu.net	80	(null)	(null)
dxgnfjbgiqxypijjrqcercga.com	80	(null)	(null)
zijemhkzjzxkhhamhaivail.ru	80	(null)	(null)
nvtdcmdugalbmzzxwtslkvuw.com	80	(null)	(null)
ssgdmcufvoaqtbyydpdqkpnkbyx.net	80	(null)	(null)
kcyvocabqbyjfdqvcovjrcymrqsro.org	80	(null)	(null)
rcvkzdkfyllrxvorgizwocuvxl.info	80	(null)	(null)
ojjrdaugsgcylhqhpzljlbmjtkkncq.biz	80	(null)	(null)
ewsjbpzkrbezpbmfeukhacqxuk.ru	80	(null)	(null)

The following GET request was made:

index.html

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.