ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 15 August 2012, 15:45:26
Processing time: 7 min 51 sec
Submitted sample:

File MD5: 0x9BA5E38288F6B4EC8C93B0CB8F6966B0
File SHA-1: 0x8AA8EE902BC58BB3227934E6F940736CCF607F51
Filesize: 147,968 bytes

Summary of the findings:

What's been found	Severity Level
Capability to steal information such personal financial data (credit card numbers, online banking login details), user profiles, software registration keys, passwords.
Produces outbound traffic.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\abcd.bat	75 bytes	MD5: 0x0849CFE65B98BA5FCD9A9EC61A671D09 SHA-1: 0x9D0CCB383C32B1BC07FD9064B9324A18E1276902
2	[file and pathname of the sample #1]	147,968 bytes	MD5: 0x9BA5E38288F6B4EC8C93B0CB8F6966B0 SHA-1: 0x8AA8EE902BC58BB3227934E6F940736CCF607F51

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 35 45 38 44 42 45 41 37 2D 42 39 30 30 2D 34 42 37 34 2D 41 45 30 38 2D 33 30 31 32 37 42 31 38 42 35 36 36 7D

Other details

The following Host Names were requested from a host database:

74.53.97.66
74.53.97.67
orion.obidigital.net
ftp.lastraautosport.com.ar

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
74.53.97.66	8080

The following HTTP URLs were started reading:

http://orion.obidigital.net/d09ZhGf.exe
http://ftp.lastraautosport.com.ar/xjH.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 504F 5354 202F 666F 7275 6D2F 7669 6577 | POST /forum/view
00000010 | 746F 7069 632E 7068 7020 4854 5450 2F31 | topic.php HTTP/1
00000020 | 2E30 0D0A 486F 7374 3A20 3734 2E35 332E | .0..Host: 74.53.
00000030 | 3937 2E36 360D 0A41 6363 6570 743A 202A | 97.66..Accept: *
00000040 | 2F2A 0D0A 4163 6365 7074 2D45 6E63 6F64 | /*..Accept-Encod
00000050 | 696E 673A 2069 6465 6E74 6974 792C 202A | ing: identity, *
00000060 | 3B71 3D30 0D0A 436F 6E74 656E 742D 4C65 | ;q=0..Content-Le
00000070 | 6E67 7468 3A20 3435 370D 0A43 6F6E 6E65 | ngth: 457..Conne
00000080 | 6374 696F 6E3A 2063 6C6F 7365 0D0A 436F | ction: close..Co
00000090 | 6E74 656E 742D 5479 7065 3A20 6170 706C | ntent-Type: appl
000000A0 | 6963 6174 696F 6E2F 6F63 7465 742D 7374 | ication/octet-st
000000B0 | 7265 616D 0D0A 436F 6E74 656E 742D 456E | ream..Content-En
000000C0 | 636F 6469 6E67 3A20 6269 6E61 7279 0D0A | coding: binary..
000000D0 | 5573 6572 2D41 6765 6E74 3A20 4D6F 7A69 | User-Agent: Mozi
000000E0 | 6C6C 612F 342E 3020 2863 6F6D 7061 7469 | lla/4.0 (compati
000000F0 | 626C 653B 204D 5349 4520 352E 303B 2057 | ble; MSIE 5.0; W
00000100 | 696E 646F 7773 2039 3829 0D0A 0D0A 4352 | indows 98)....CR
00000110 | 5950 5445 4430 948E 0119 A53F 45D2 4D28 | YPTED0.....?E.M(
00000120 | 1DAB 4959 CA51 C0C0 AA4D FFE4 1FA0 D569 | ..IY.Q...M.....i
00000130 | D686 B818 6678 98C3 1191 4685 6837 5A43 | ....fx....F.h7ZC
00000140 | 0FD4 DCED 1432 F02E 42E8 DC2A DAB1 4110 | .....2..B..*..A.
00000150 | C5A5 4160 B8B2 C65B 79E3 F5A6 BDCA CA95 | ..A`...[y.......
00000160 | 59E8 EA5C D10A 2382 63DC 3C48 A7D3 205C | Y..\..#.c.<H.. \
00000170 | 7514 825A 44CC 205F 4D40 7A7A 27E5 899B | u..ZD. _M@zz'...
00000180 | F637 BECA 9F90 9FC3 3CB1 44F3 6573 22C2 | .7......<.D.es".
00000190 | 323C FED8 76EE 4FAE F435 A829 E12A 0A5B | 2<..v.O..5.).*.[
000001A0 | 1DD1 2030 97B2 D52C 8541 1BE6 9B32 4FD0 | .. 0...,.A...2O.
000001B0 | BFE4 5FE2 1B2F E460 A359 7948 27C2 F46C | .._../.`.YyH'..l
000001C0 | D929 141A 87E4 9B57 018D CBF8 F11D 7A55 | .).....W......zU
000001D0 | 2334 0834 49FC 35A2 0753 9133 E2BF 642E | #4.4I.5..S.3..d.
000001E0 | F5FF 9587 398C A15E F6E2 FD29 37B6 2BDC | ....9..^...)7.+.
000001F0 | F325 B26F E902 30BD 3335 BF41 B57A 35F1 | .%.o..0.35.A.z5.
00000200 | 9F77 97DD FF06 1E7F 0298 43DC A40B 555B | .w........C...U[
00000210 | 8246 428A 5AF0 545D 3829 7E6E F076 C3AF | .FB.Z.T]8)~n.v..
00000220 | E827 5A8E 8FF5 8F19 4ECB 9E42 1910 96F1 | .'Z.....N..B....
00000230 | 51A3 01C1 CC86 EDF4 D30F 2F60 3827 3F6F | Q........./`8'?o
00000240 | 1FA1 A477 8D44 1541 4A20 8820 8780 FF2D | ...w.D.AJ . ...-
00000250 | 439D 7193 1ACD 2C17 5395 4634 AA69 159A | C.q...,.S.F4.i..
00000260 | 4D71 42D3 0FC7 AB4C DF45 84C0 70DE 4DEE | MqB....L.E..p.M.
00000270 | D115 53A3 237D 0D0E F092 624B BA5F 4AFB | ..S.#}....bK._J.
00000280 | 00B6 CD79 CB4D 1015 C70F 3ED0 917C 08A1 | ...y.M....>..|..
00000290 | 7088 EDC6 543D 34E0 59C8 F565 CEB4 8ECD | p...T=4.Y..e....
000002A0 | B4E7 E47F 454D E579 20CD A7D0 06B5 91B4 | ....EM.y .......
000002B0 | F797 4CCE F63D 040A 2BC5 893D 1DBA 2F5E | ..L..=..+..=../^
000002C0 | 3383 C7A2 F659 C12D 16FC A0CA AEB9 1084 | 3....Y.-........
000002D0 | 9652 438C 85A9 64                       | .RC...d

Downloaded File Summary:

Download details:

Download retrieved: 15 August 2012 15:53:18
Processing time: 7 min 54 sec
Downloaded sample:

File MD5: 0x90F380FC2626B105B41BAA201C25941D
File SHA-1: 0xCA19C292ECC0B7D5CAE3B858465D52B0C73E87F6
Filesize: 314,369 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\Ypzi\unsye.exe	314,369 bytes	MD5: 0x8AF09E5470A8EF39655CB28A274B76CA SHA-1: 0x5872C8C48DC190220261D2454C919DAE0E7C0C5E
2	%AppData%\fuybli.olf	1,322 bytes	MD5: 0xEDCBF252CFDDAFC0D299C8F1FDEC14B7 SHA-1: 0x3393B2AEB89EC9CCF3DF3799392C68BFAE5A36A8
3	%Temp%\tmp201b4ded.bat	168 bytes	MD5: 0x19092E269BC09C5CCF348D2F70AB7D8E SHA-1: 0xC844CB1CE4F847B3BFDE7CB281E14A4EA715F721
4	[file and pathname of the sample #1]	314,369 bytes	MD5: 0x90F380FC2626B105B41BAA201C25941D SHA-1: 0xCA19C292ECC0B7D5CAE3B858465D52B0C73E87F6

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directory was created:

%AppData%\Ypzi

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	229,376 bytes
unsye.exe	%AppData%\Ypzi\unsye.exe	229,376 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
cmd.exe	%System%\cmd.exe	278,528 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Luic

The newly created Registry Values are:

[HKEY_CURRENT_USER\Identities]

Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]

CleanCookies = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

{3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = ""%AppData%\Ypzi\unsye.exe""

so that unsye.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Luic]

18fb0ih2 = AB 90 80 8A CE AD D6 A9 22 F3 22 AE
1d83gd3c = "lpDhig=="
2d58bf7g = "kNPhirzJsqkT8xSu"

The following Registry Values were modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1406 =
1609 =

Other details

To mark the presence in the system, the following Mutex object was created:

Local\{FA4803F7-084F-6AC9-A6BA-A75086AF8442}

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.google.com	80	(null)	(null)
qyhrtsztaqloztlmzjfdeyxswfq.biz	80	(null)	(null)

The following GET request was made:

index.html

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.