Submission Summary:

What's been foundSeverity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Communication with a remote IRC server.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat CategoryDescription
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications

#Filename(s)File SizeFile Hash
1 %Windir%\Help\Hexa.dll 3,280,896 bytes MD5: 0x2AA0C3C94841CDBAC9DAAA1B7DBED3C4
SHA-1: 0xFEEC259A2D06F02509D2961C09889310DC5FC0B3
2 %Windir%\Help\Hexa.hlp 3 bytes MD5: 0x9FC08C4F2E97894E4665BCED565424CB
SHA-1: 0x099462ED691484224638E092912DF9545939441A
3 %Windir%\system\iTunesHelper.exe 3,820,032 bytes MD5: 0x6BB2FE0DBDAEB24DB732178DC0F90FE0
SHA-1: 0xEF5B397505E71FE6E0238374C5E2DA6D93A7D680
4 %Windir%\system\library.exe 254,464 bytes MD5: 0x961413F0CA9B56AF8D4BC3F98B449B5E
SHA-1: 0xD8C91A88CC39F99C90C51D89045003AC32D67DD2
5 [file and pathname of the sample #1] 483,328 bytes MD5: 0x9CD9918489E7457C23C4AD404B073A82
SHA-1: 0x046EA589C117C2B3E88619C5B0B062715145F38A


Memory Modifications

Process NameProcess FilenameMain Module Size
[filename of the sample #1][file and pathname of the sample #1]819,200 bytes
iTunesHelper.exe%Windir%\system\ituneshelper.exe4,157,440 bytes
library.exe%Windir%\system\library.exe737,280 bytes

Module NameModule FilenameAddress Space Details
Hexa.dll%Windir%\Help\Hexa.dllProcess name: telnet.exe
Process filename: %System%\telnet.exe
Address space: 0x9B0000 - 0xE7F000
Hexa.dll%Windir%\Help\Hexa.dllProcess name: telnet.exe
Process filename: %System%\telnet.exe
Address space: 0x930000 - 0xDFF000

Service NameDisplay NameNew StatusService Filename
ALGApplication Layer Gateway Service"Stopped"%System%\alg.exe
SharedAccessWindows Firewall/Internet Connection Sharing (ICS)"Stopped"%System%\svchost.exe -k netsvcs


Registry Modifications


Other details


1051UDP[file and pathname of the sample #1]

Remote HostPort Number


Outbound traffic (potentially malicious)



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 ThreatExpert. All rights reserved.