ThreatExpert Report: Generic.gl

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 31 August 2012, 03:08:48
Processing time: 8 min 3 sec
Submitted sample:

File MD5: 0x8BE90F457F213A554B0D5A8A03E54B97
File SHA-1: 0x5801B0D982A7691B378DC641ED69B4E0694227A1
Filesize: 2,547,712 bytes
Alias: Generic.gl [McAfee]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\bo1.exe %ProgramFiles%\safe\Server\Server2.03.exe	1,304,064 bytes	MD5: 0xD0CCD240FF9DC5F11D2D342609F2F919 SHA-1: 0x42815708A95539FE3924C182204ED86C355F1C9A	packed with PE_Patch [Kaspersky Lab]
2	[file and pathname of the sample #1]	2,547,712 bytes	MD5: 0x8BE90F457F213A554B0D5A8A03E54B97 SHA-1: 0x5801B0D982A7691B378DC641ED69B4E0694227A1	Generic.gl [McAfee]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%ProgramFiles%\safe
%ProgramFiles%\safe\Server

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	5,324,800 bytes
bo1.exe	%AppData%\bo1.exe	2,961,408 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

Www.DarkST.coM

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 2007:

00000000 | 0000 0000 B0B5 D7E9 BCBC CAF5 C2DB CCB3 | ................
00000010 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000020 | 0000 0000 0C00 0000 3200 0000 5769 6E64 | ........2...Wind
00000030 | 6F77 7320 5850 2035 2E31 2028 3236 3030 | ows XP 5.1 (2600
00000040 | 2E53 6572 7669 6365 2050 6163 6B20 3229 | .Service Pack 2)
00000050 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000060 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000070 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000080 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000090 | 2400 0000 434F 4D50 5554 4552 4E41 4D45 | $...COMPUTERNAME
000000A0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000B0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000C0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000D0 | 0000 0000 0C00 0000 0000 0000 0000 0000 | ................
000000E0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000000F0 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000100 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000110 | 0000 0000 0000 0000 B0B5 D7E9 D7A8 B0E6 | ................
00000120 | 0000 0000 0000 4841 434B 0000           | ......HACK..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.