Submission Summary:

• Submission details:
• Submission received: 31 March 2017, 02:12:57
• Processing time: 5 min 32 sec
• Submitted sample:
• File MD5: 0x90CBE8F393DF4BE90787DE033A748EC3
• File SHA-1: 0x39B1230326DF1FE782477FA4044FF8C5773B9007
• Filesize: 109,568 bytes
• Alias:
• Backdoor.Nitol [Symantec]
• Trojan-Spy.Win32.Agent.btsm [Kaspersky Lab]
• Troj/Dloadr-DNE [Sophos]
• DDoS:Win32/Nitol.A [Microsoft]
• Trojan.Win32.ServStart [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

Memory Modifications

• There were new processes created in the system:

• Note:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• There was a new service created in the system:

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALQLT
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALQLT\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALQLT\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalqlt
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalqlt\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalqlt\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALQLT
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALQLT\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALQLT\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalqlt
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalqlt\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalqlt\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALQLT\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "Nationalqlt"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALQLT\0000]
• Service = "Nationalqlt"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Nationaljvt Instruments Domain Service"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALQLT]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalqlt\Enum]
• 0 = "Root\LEGACY_NATIONALQLT\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalqlt\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalqlt]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\rebfec.exe"
• DisplayName = "Nationaljvt Instruments Domain Service"
• ObjectName = "LocalSystem"
• Description = "Providessyg a domain server for NI security."
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALQLT\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "Nationalqlt"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALQLT\0000]
• Service = "Nationalqlt"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Nationaljvt Instruments Domain Service"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALQLT]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalqlt\Enum]
• 0 = "Root\LEGACY_NATIONALQLT\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalqlt\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalqlt]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000000
• ImagePath = "%System%\rebfec.exe"
• DisplayName = "Nationaljvt Instruments Domain Service"
• ObjectName = "LocalSystem"
• Description = "Providessyg a domain server for NI security."

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) =
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) =

Other details

• To mark the presence in the system, the following Mutex object was created:
• Nationalqlt

• The following port was open in the system:

• The following Host Names were requested from a host database:
• 192.5.5.241
• 00saejin.codns.com

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 1234: