ThreatExpert Report: Trojan-Dropper.Win32.VBInject.s, Win-Trojan/Buzus.98304.X, Trojan.Gen..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 23 September 2012, 04:01:26
Processing time: 10 min 12 sec
Submitted sample:

File MD5: 0x925C365576CBF8B30F44246946ABE197
File SHA-1: 0x2E8F4738B7D15E2688AD062702D027D095990B23
Filesize: 999,850 bytes
Alias:

Trojan-Dropper.Win32.VBInject.s [Kaspersky Lab]
Win-Trojan/Buzus.98304.X [AhnLab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\699c4b9cdebca7aaea5193cae8a50098_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	50 bytes	MD5: 0x5B63D4DD8C04C88C0E30E494EC6A609A SHA-1: 0x884D5A8BDC25FE794DC22EF9518009DCF0069D09	(not available)
2	%Temp%\IXP000.TMP\Crypter.exe %Temp%\IXP001.TMP\Crypter.exe	67,590 bytes	MD5: 0x5FC6D1783AACBBEDECF1B0726953341F SHA-1: 0xEC9BD56FCF6253A2997AA79341C4C162C5342A35	Trojan.Gen [Symantec] Trojan.Win32.Buzus.klat [Kaspersky Lab] Generic.dx!bczf [McAfee] VirTool:Win32/Vbinder.CN [Microsoft] Trojan.SuspectCRC [Ikarus]
3	%Temp%\IXP000.TMP\YEIKEL~1.EXE %Temp%\IXP001.TMP\YEIKEL~1.EXE	536,576 bytes	MD5: 0x45EDBB358882DC52FB8FE356A6DC6335 SHA-1: 0xBD342B5291AB680AA1484C411CBCC8DE5B8F7C8C	Trojan.Gen [Symantec] Trojan-Dropper.Win32.Agent.eauv [Kaspersky Lab] Generic.bfr!ez [McAfee] Trojan:Win32/Orsam!rts [Microsoft] Trojan-Dropper.Win32.KGen [Ikarus]
4	c:\Extracted\2012 Yeikel Crypter.exe	535,552 bytes	MD5: 0xB6CFE283A559CAB730C842AD83E339AA SHA-1: 0x8D65872B071F1DBC50FF2271D5104A1454E3C30B	Trojan.Gen [Symantec] Trojan-Dropper.Win32.Agent.eauv, Trojan.Win32.Buzus.klat [Kaspersky Lab] Trojan.SuspectCRC [Ikarus]
5	c:\Extracted\Stub.exe	429,534 bytes	MD5: 0xE4D632835563C623FF7ECE7DBF9C9815 SHA-1: 0xE4DF30CA2AD43F3B7D35819A17FE36D308414FB2	Trojan.Gen [Symantec] Trojan-Dropper.Win32.VBInject.s [Kaspersky Lab] VirTool:Win32/VBInject.UG [Microsoft] Trojan-Dropper.Win32.VB [Ikarus]
6	[file and pathname of the sample #1]	999,850 bytes	MD5: 0x925C365576CBF8B30F44246946ABE197 SHA-1: 0x2E8F4738B7D15E2688AD062702D027D095990B23	Trojan.Win32.Buzus.klat, Trojan-Dropper.Win32.VBInject.s [Kaspersky Lab] Win-Trojan/Buzus.98304.X [AhnLab]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%Temp%\IXP001.TMP
%Temp%\IXP000.TMP
c:\Extracted

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
YEIKEL~1.EXE	%Temp%\ixp001.tmp\yeikel~1.exe	540,672 bytes
crypter.exe	%Temp%\ixp000.tmp\crypter.exe	319,488 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	122,880 bytes
YEIKEL~1.EXE	%Temp%\IXP000.TMP\YEIKEL~1.EXE	540,672 bytes
Crypter.exe	%Temp%\IXP001.TMP\Crypter.exe	20,480 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP000.TMP\""
wextract_cleanup1 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP001.TMP\""

Other details

To mark the presence in the system, the following Mutex object was created:

)!VoqA.I4

The following Host Name was requested from a host database:

bonbino.no-ip.info

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
bonbino.no-ip.info	3460

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\MSVBVM60.DLL

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3460:

00000000 | 3021 68B5 0F39 C3F9 7AC9 E678 C40E F8DF | 0!h..9..z..x....
00000010 | B91A CDA9 0366 7601 BCB6 05CE E23F 4B39 | .....fv......?K9
00000020 | D79E CEB8 9176 A4A0 4E11 1B22 72B2 B767 | .....v..N.."r..g
00000030 | 0A0F F330 92E2 813F B5EE F376 A8B0 9A5D | ...0...?...v...]
00000040 | F21C 4017 6E1F FF41 2912 1C15 4468 EB87 | ..@.n..A)...Dh..
00000050 | 9AC2 6FEB 8DA3 5DFE F527 21DC AF94 3198 | ..o...]..'!...1.
00000060 | D4D5 F4F4 B024 087C EAB2 C76A 281F 761E | .....$.|...j(.v.
00000070 | 4965 296E 336A A26A F8C2 D777 3C63 FCD8 | Ie)n3j.j...w<c..
00000080 | A9BA 6B82 3FE9 B45A 70CA 68DD F699 7980 | ..k.?..Zp.h...y.
00000090 | E4DF FE68 28E4 1363 741B F79F 9160 E9EA | ...h(..ct....`..
000000A0 | 8CFD 2710 C732 56A1 63B8 3625 69EE DED2 | ..'..2V.c.6%i...
000000B0 | 43E2 450F ACE6 657F 3C2E 72B0 823A 19E3 | C.E...e.<.r..:..
000000C0 | B83F 8FAD E81C D5E3 375C 0C4B F87C 685F | .?......7\.K.|h_
000000D0 | 8144 F47E 8963 B413 1287 6CF0 EE25 40F2 | .D.~.c....l..%@.
000000E0 | CD70 D5DF EDC0 ADA8 B6A1 C96E 1AC3 9E4E | .p.........n...N
000000F0 | C0E3 49E2 C953 7BA7 BA01 346E AE29 824F | ..I..S{...4n.).O
00000000 | FDD9 F531 99BF 6999 9687 9303 EAB2 9EF6 | ...1..i.........
00000010 | A058 798A 0892 B6E2 4033 9586 6BE4 3648 | .Xy.....@3..k.6H
00000020 | 9FFA 534B 13D3 E332 21D1 0B60 19FF F37C | ..SK...2!..`...|
00000030 | 2482 EF41 707E BF82 FB0B F94B BD86 6B01 | $..Ap~.....K..k.
00000040 | EC3C 136E 7EAB 0099 17A4 BB22 3FFB F6A1 | .<.n~......"?...
00000050 | C615 53CA 5289 F027 CAE1 79E8 EB16 2440 | ..S.R..'..y...$@
00000060 | 4626 25EF 192C 9983 5DC1 A18C 3194 1F3F | F&%..,..]...1..?
00000070 | 0CE1 2A89 363B 1BA7 7320 C33A CCB7 320C | ..*.6;..s .:..2.
00000080 | 86BC 983B CA30 D2FC B9D4 36CE A99B E21B | ...;.0....6.....
00000090 | 15A1 B5F0 8859 C3AA CFAF 0CE9 E1F7 BFE7 | .....Y..........
000000A0 | 7540 3282 6F4A 5764 8335 BBD9 693C 74BD | u@2.oJWd.5..i<t.
000000B0 | 11CC 804F A426 3078 2490 35C3 D9D0 C39D | ...O.&0x$.5.....
000000C0 | 6B97 268F D440 05E9 27BD FA00 0C91 2622 | k.&..@..'.....&"
000000D0 | A3E8 E1F9 63D2 515C F31F 22AD 5127 6D7C | ....c.Q\..".Q'm|
000000E0 | 3F7A C404 E4E4 0CFF 41C1 DCB3 F828 441B | ?z......A....(D.
000000F0 | 1047 50EE 83A5 1E8D 4216 AD72 DA7E 1FE2 | .GP.....B..r.~..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.