Submission Summary:

What's been foundSeverity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security RiskDescription
Backdoor.ProRAT.K ProRAT.K is a remote administrative trojan. It allows an attacker to take full control of a compromised computer. It also logs all keystrokes to a text file which can be accessed by the attacker. It also hides itself from task manager and process monitors.
Trojan.Crypt.S Trojan.Crypt.S is a backdoor trojan which opens a random port and allows hackers to gain unauthorised access to the infected system. It also attempts to terminate antivirus, firewall and other security related processes.
Adware.Component.Unrelated These common components have files and keys that are in different threats but the threats are not related to one another in that the author of the signature is not the same. It is recommended that all these entries be removed.

Threat CategoryDescription
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


Memory Modifications

Process NameProcess FilenameMain Module Size
services.exe%Windir%\services.exe2,080,768 bytes
[filename of the sample #1][file and pathname of the sample #1]2,080,768 bytes
fservice.exe%System%\fservice.exe2,080,768 bytes
sservice.exe%Windir%\system\sservice.exe2,080,768 bytes

Module NameModule FilenameAddress Space Details
reginv.dll%System%\reginv.dllProcess name: dllhost.exe
Process filename: %System%\dllhost.exe
Address space: 0x2530000 - 0x2539000
winkey.dll%System%\winkey.dllProcess name: services.exe
Process filename: %Windir%\services.exe
Address space: 0xA90000 - 0xA9B000
reginv.dll%System%\reginv.dllProcess name: services.exe
Process filename: %Windir%\services.exe
Address space: 0xAD0000 - 0xAD9000
reginv.dll%System%\reginv.dllProcess name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x3D0000 - 0x3D9000
winkey.dll%System%\winkey.dllProcess name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1C80000 - 0x1C8B000
reginv.dll%System%\reginv.dllProcess name: VMwareUser.exe
Process filename: %ProgramFiles%\vmware\vmware tools\vmwareuser.exe
Address space: 0x9A0000 - 0x9A9000

Service NameDisplay NameNew StatusService Filename
ALGApplication Layer Gateway Service"Stopped"%System%\alg.exe
SharedAccessWindows Firewall/Internet Connection Sharing (ICS)"Stopped"%System%\svchost.exe -k netsvcs
wscsvcSecurity Center"Stopped"%System%\svchost.exe -k netsvcs


Registry Modifications


Other details



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.