ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 26 October 2012, 10:14:49
Processing time: 13 min 50 sec
Submitted sample:

File MD5: 0x97E9EE53ACC897F5FB8ACEF6EF7FEBD2
File SHA-1: 0xC59D3ADCC6E9670D3BBC0B371847DE147D1B68D0
Filesize: 70,656 bytes

Summary of the findings:

What's been found	Severity Level
Capability to steal information such personal financial data (credit card numbers, online banking login details), user profiles, software registration keys, passwords.
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	70,656 bytes	MD5: 0x97E9EE53ACC897F5FB8ACEF6EF7FEBD2 SHA-1: 0xC59D3ADCC6E9670D3BBC0B371847DE147D1B68D0

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	770,048 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 46 31 41 41 34 33 34 31 2D 44 36 38 43 2D 34 45 35 39 2D 41 36 44 46 2D 41 34 42 42 37 32 36 35 41 43 39 41 7D

Other details

The following Host Names were requested from a host database:

210.56.23.100
61.7.235.35
59.90.221.6
200.169.13.84

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
210.56.23.100	8080

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 504F 5354 202F 6173 702F 696E 7472 6F2E | POST /asp/intro.
00000010 | 7068 7020 4854 5450 2F31 2E30 0D0A 486F | php HTTP/1.0..Ho
00000020 | 7374 3A20 3231 302E 3536 2E32 332E 3130 | st: 210.56.23.10
00000030 | 300D 0A41 6363 6570 743A 202A 2F2A 0D0A | 0..Accept: */*..
00000040 | 4163 6365 7074 2D45 6E63 6F64 696E 673A | Accept-Encoding:
00000050 | 2069 6465 6E74 6974 792C 202A 3B71 3D30 |  identity, *;q=0
00000060 | 0D0A 436F 6E74 656E 742D 4C65 6E67 7468 | ..Content-Length
00000070 | 3A20 3435 330D 0A43 6F6E 6E65 6374 696F | : 453..Connectio
00000080 | 6E3A 2063 6C6F 7365 0D0A 436F 6E74 656E | n: close..Conten
00000090 | 742D 5479 7065 3A20 6170 706C 6963 6174 | t-Type: applicat
000000A0 | 696F 6E2F 6F63 7465 742D 7374 7265 616D | ion/octet-stream
000000B0 | 0D0A 436F 6E74 656E 742D 456E 636F 6469 | ..Content-Encodi
000000C0 | 6E67 3A20 6269 6E61 7279 0D0A 5573 6572 | ng: binary..User
000000D0 | 2D41 6765 6E74 3A20 4D6F 7A69 6C6C 612F | -Agent: Mozilla/
000000E0 | 342E 3020 2863 6F6D 7061 7469 626C 653B | 4.0 (compatible;
000000F0 | 204D 5349 4520 352E 303B 2057 696E 646F |  MSIE 5.0; Windo
00000100 | 7773 2039 3829 0D0A 0D0A 4352 5950 5445 | ws 98)....CRYPTE
00000110 | 4430 B6A0 1444 4BB3 56AE 4F62 6109 AD62 | D0...DK.V.Oba..b
00000120 | C2C9 C5E7 C850 4925 BF5E 44CB 7C32 0C73 | .....PI%.^D.|2.s
00000130 | 3BBF 708A E154 3D8B B959 2218 982E DDE9 | ;.p..T=..Y".....
00000140 | ECE6 BBED EC4D 5FBF C3AE 56DD CF65 00FE | .....M_...V..e..
00000150 | C219 107C C3B2 86FB 646C 2329 9862 B9B9 | ...|....dl#).b..
00000160 | CAFE 02C9 8F75 FCD1 034F D56B A712 834C | .....u...O.k...L
00000170 | AD84 08DF 0581 5AA6 BCBD 228F 3928 2089 | ......Z...".9( .
00000180 | 9A08 4FED 31D2 2C77 A818 D20C 8E89 537A | ..O.1.,w......Sz
00000190 | 6181 C537 D376 868B C4A4 8E30 6EE4 899F | a..7.v.....0n...
000001A0 | D0F0 41E5 9FC0 A3D1 D6E8 2EA4 B37F A584 | ..A.............
000001B0 | 972B 0BDD D2AE AE53 0CDF 7DB1 F58A 1773 | .+.....S..}....s
000001C0 | B33A 6081 7108 7F17 EF51 BAB4 0C8A 661B | .:`.q....Q....f.
000001D0 | E697 1E66 B0E0 C129 9A4D D8B9 8F3F DD9F | ...f...).M...?..
000001E0 | 743C 450A E059 44CC DDD6 549D 084D D5AA | t<E..YD...T..M..
000001F0 | 3A7E AFAB 6541 8880 8BDA 4F48 07B0 1F23 | :~..eA....OH...#
00000200 | E379 653D C201 8D6C 7544 7A36 EB75 419F | .ye=...luDz6.uA.
00000210 | 40DF 7CCE A6EA 3D67 992A 705A E6AE 093C | @.|...=g.*pZ...<
00000220 | 6525 D8E0 816E C7BD 0F95 31B0 0D01 CE1D | e%...n....1.....
00000230 | 5DFC AA54 CD0E BEA8 6A94 165D 2531 2FF9 | ]..T....j..]%1/.
00000240 | F0B8 28C5 99B1 0601 AFEB 7EDE 4752 9BD9 | ..(.......~.GR..
00000250 | 26F9 B4BF 37F1 6788 2FD9 DD6B F399 15EC | &...7.g./..k....
00000260 | 3F4F 7D7F A81C B17A CC61 0697 1D91 EEC7 | ?O}....z.a......
00000270 | 737C 6B75 13E1 65F1 0AC2 510E 5BF2 2932 | s|ku..e...Q.[.)2
00000280 | 346C 9B95 485A 2F8A 5FB0 B64C E099 AAF0 | 4l..HZ/._..L....
00000290 | 8E5E DA83 3970 0C49 D005 EB6F 9558 F98E | .^..9p.I...o.X..
000002A0 | D215 A8C9 8EB6 29CD B2EE 61DA 3A10 F365 | ......)...a.:..e
000002B0 | 5DD2 F66A 9056 BEB0 D63F 4CD4 0C2A 5BE5 | ]..j.V...?L..*[.
000002C0 | 23AF C6AA 6153 9CDE 3982 547C 9726 0B   | #...aS..9.T|.&.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.