ThreatExpert Report: Trojan:Win32/ServStart.gen!A

Submission Summary:

Submission details:

Submission received: 15 May 2017, 02:23:35
Processing time: 5 min 35 sec
Submitted sample:

File MD5: 0xA98AC11837D942CDD7EB65D292D779C0
File SHA-1: 0x82DAD506470B4089A0978ED8F193BEBC491393B4
Filesize: 61,440 bytes
Alias: Trojan:Win32/ServStart.gen!A [Microsoft]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.

Technical Details:

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\rebfec.exe [file and pathname of the sample #1]	61,440 bytes	MD5: 0xA98AC11837D942CDD7EB65D292D779C0 SHA-1: 0x82DAD506470B4089A0978ED8F193BEBC491393B4	Trojan:Win32/ServStart.gen!A [Microsoft]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
rebfec.exe	%System%\rebfec.exe	65,536 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	65,536 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
Stuvwx Abcdefgh Jkl	Stuvwxya Cdefghijk Mnopqrs Uvwxyabc Efg	"Running"	%System%\rebfec.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Stuvwx Abcdefgh Jkl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Stuvwx Abcdefgh Jkl\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Stuvwx Abcdefgh Jkl\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "Stuvwx Abcdefgh Jkl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000]

Service = "Stuvwx Abcdefgh Jkl"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Stuvwxya Cdefghijk Mnopqrs Uvwxyabc Efg"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Stuvwx Abcdefgh Jkl\Enum]

0 = "Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Stuvwx Abcdefgh Jkl\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Stuvwx Abcdefgh Jkl]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\rebfec.exe"
DisplayName = "Stuvwxya Cdefghijk Mnopqrs Uvwxyabc Efg"
ObjectName = "LocalSystem"
Description = "Stuvwx Abcdefgh Jklmnopq Stuv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "Stuvwx Abcdefgh Jkl"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000]

Service = "Stuvwx Abcdefgh Jkl"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Stuvwxya Cdefghijk Mnopqrs Uvwxyabc Efg"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STUVWX_ABCDEFGH_JKL]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl\Enum]

0 = "Root\LEGACY_STUVWX_ABCDEFGH_JKL\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\rebfec.exe"
DisplayName = "Stuvwxya Cdefghijk Mnopqrs Uvwxyabc Efg"
ObjectName = "LocalSystem"
Description = "Stuvwx Abcdefgh Jklmnopq Stuv"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

Stuvwx Abcdefgh Jkl

The following port was open in the system:

Port	Protocol	Process
1033	TCP	rebfec.exe (%System%\rebfec.exe)

The following Host Name was requested from a host database:

123.249.26.6

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
123.249.26.6	12315

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 12315:

00000000 | 0200 0000 5769 6E64 6F77 7320 5850 0000 | ....Windows XP..
00000010 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000020 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000030 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000040 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000050 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000060 | 0000 0000 0000 0000 0100 0000 0000 0000 | ................
00000070 | B70B 0000 0000 0000 0028 2400 A4FC A000 | .........($.....
00000080 | 00D0 FD7F A4FC A000 948E 917C 54FC A000 | ...........|T...
00000090 | 878F 917C 00D0 FD7F 00A0 FD7F 0000 0000 | ...|............
000000A0 | 1400 0000 0100 0000 0000 0000 0000 0000 | ................
000000B0 | 1000 0000 0000 0000 0000 0000 0000 0000 | ................
000000C0 | 0000 0000 0000 0000 0000 0000 00A0 FD7F | ................
000000D0 | C120 4F77 A41E 2400 48FC A000 0000 0000 | . Ow..$.H.......
000000E0 | 0CFD A000 18EE 907C D08E 917C FFFF FFFF | .......|...|....
000000F0 | 748E 917C C4E8 907C FA8D 917C 30FD A000 | t..|...|...|0...
00000100 | 18EE 907C 0000 0000 0000 0000 0000 0000 | ...|............
00000110 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000120 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000130 | 0000 0000 0000 0000 00D0 FD7F 0000 0000 | ................
00000140 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000150 | B0FC A000 0000 0000 FFFF FFFF 18EE 907C | ...............|
00000160 | 008E 917C FFFF FFFF FA8D 917C 25D6 907C | ...|.......|%..|
00000170 | CFEA 907C 30FD A000 0100 0000 1700 0100 | ...|0...........
00000180 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
00000190 | 0000 0000 0000 0000 0000 0000 0000 0000 | ................
000001A0 | 3087 9B81 5C6A 06F8 471E 5280 78D9 7881 | 0...\j..G.R.x.x.
000001B0 | 0000 0000 5F3E 4F80 0000 E72F 3C6B 06F8 | ...._>O..../<k..
000001C0 | 9F74 5780 30F0 7E81 0000 0000 8B77 5780 | .tW.0.~......wW.
000001D0 | 18F0 7E81 B49B 8381 046C 06F8 0000 1800 | ..~......l......
000001E0 | 806A 06F8 0000 3400 986A 06F8 0000 0000 | .j....4..j......
000001F0 | 0000 0000 0000 0000 109B 8381 1601 1200 | ................
00000200 | 0000 0000 2600 0000 0000 0000 3800 0000 | ....&.......8...
00000210 | 2300 0000 2300 0000 E0FC 9000 18EE 907C | #...#..........|
00000220 | 0000 0000 FFFF FFFF 3207 917C 7023 4000 | ........2..|p#@.
00000230 | EB06 917C 5608 817C 1B00 0000 0002 0000 | ...|V..|........
00000240 | FCFF A000 2300 0000 3E93 72F9 A0C3 73F9 | ....#...>.r...s.
00000250 | FFFF FFFF E431 5380 2C00 0000 0000 0000 | .....1S.,.......
00000260 | A8F5 1300 68D5 7881 EC6A 06F8 809E 8081 | ....h.x..j......
00000270 | 3C6D 06F8 1050 5380 C0C5 4D80 FFFF FFFF | <m...PS...M.....
00000280 | E431 5380 E463 6080 4371 6080 646D 06F8 | .1S..c`.Cq`.dm..
00000290 | 78F4 1300 3E63 6080 D030 4EE1 0400 0000 | x...>c`..0N.....
000002A0 | A86D 6681 486D 06F8 1315 5C80 28F9 1300 | .mf.Hm....\.(...
000002B0 | 0400 0000 AF23 5C80 646D 06F8 28F9 1300 | .....#\.dm..(...
000002C0 | 0500 0000 0030 4EE1 0000 0000 0000 0000 | .....0N.........
000002D0 | 4032 4EE1 B032 4EE1 0500 0000 0500 0000 | @2N..2N.........
000002E0 | 609E 80E1 8883 01E1 0200 0000 FEFF F800 | `...............
000002F0 | 8063 26E1 609E 80E1 382E 5B00 0000 0000 | .c&.`...8.[.....
00000300 | 0000 0000 5C00 5200 FFFF FFFF 286C 06F8 | ....\.R.....(l..
00000310 | 5E36 5B80 4903 0000 3400 00C0 109B 8381 | ^6[.I...4.......
00000320 | 7089 01E1 B49B 8381 686C 06F8 8889 01E1 | p.......hl......
00000330 | 7089 01E1 286C 06F8 6936 5B80 849B 8381 | p...(l..i6[.....
00000340 | B49B 8381 109B 8381 1000 F800 F262 26E1 | .............b&.
00000350 | 7C00 F800 0263 26E1 6C89 01E1 12D8 5280 | |....c&.l.....R.
00000360 | 6464 6681 246C 06F8 D99A 4F80 E19A 4F80 | ddf.$l....O...O.
00000370 | 3464 6681 C862 6681 FC62 6681 007A 9C81 | 4df..bf..bf..z..
00000380 | 8683 6380 381A 6681 C862 6681 00D0 FD7F | ..c.8.f..bf.....
00000390 | 846C 06F8 2C01 5080 0000 0000 0500 0000 | .l..,.P.........
000003A0 | 0000 0000 0000 0000 0000 0000 30D0 4F80 | ............0.O.
000003B0 | 0000 0000 0000 0000 ECD0 4F80 E202 6D80 | ..........O...m.
000003C0 | C862 6681 506D 06F8 68F4 1300 0000 0000 | .bf.Pm..h.......
000003D0 | 0100 0000 0000 0000 381A 6681 DEFC 4F80 | ........8.f...O.
000003E0 | 0000 0000 0000 0000 0000 0000 1401 5080 | ..............P.
000003F0 | 9C6C 06F8 350C 6D80 0000 0000 B0FF A000 | .l..5.m.........
00000400 | 7A23 4000                               | z#@.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.