ThreatExpert Report

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 August 2012, 04:11:55
Processing time: 3 min 31 sec
Submitted sample:

File MD5: 0xB96E80D76D78BC54FDF92D18BF7A96DB
File SHA-1: 0xEFB6C746F78AB4BA2FF3FD9AEE15952642C53DF7
Filesize: 144,896 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\abcd.bat	75 bytes	MD5: 0x0849CFE65B98BA5FCD9A9EC61A671D09 SHA-1: 0x9D0CCB383C32B1BC07FD9064B9324A18E1276902
2	[file and pathname of the sample #1]	144,896 bytes	MD5: 0xB96E80D76D78BC54FDF92D18BF7A96DB SHA-1: 0xEFB6C746F78AB4BA2FF3FD9AEE15952642C53DF7

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 32 37 33 42 36 38 30 32 2D 42 32 36 33 2D 34 39 42 46 2D 39 37 32 30 2D 32 44 38 45 43 45 44 32 41 34 32 39 7D

Other details

The following Host Names were requested from a host database:

74.53.97.68
74.53.97.69
blog.aviator.shop.com.br
angelinapagano.eu
sidneimachado.com.br

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
74.53.97.68	8080

The following HTTP URLs were started reading:

http://blog.aviator.shop.com.br/bruJq30.exe
http://angelinapagano.eu/03DDz.exe
http://sidneimachado.com.br/1hAAaf.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 504F 5354 202F 666F 7275 6D2F 7669 6577 | POST /forum/view
00000010 | 746F 7069 632E 7068 7020 4854 5450 2F31 | topic.php HTTP/1
00000020 | 2E30 0D0A 486F 7374 3A20 3734 2E35 332E | .0..Host: 74.53.
00000030 | 3937 2E36 380D 0A41 6363 6570 743A 202A | 97.68..Accept: *
00000040 | 2F2A 0D0A 4163 6365 7074 2D45 6E63 6F64 | /*..Accept-Encod
00000050 | 696E 673A 2069 6465 6E74 6974 792C 202A | ing: identity, *
00000060 | 3B71 3D30 0D0A 436F 6E74 656E 742D 4C65 | ;q=0..Content-Le
00000070 | 6E67 7468 3A20 3435 380D 0A43 6F6E 6E65 | ngth: 458..Conne
00000080 | 6374 696F 6E3A 2063 6C6F 7365 0D0A 436F | ction: close..Co
00000090 | 6E74 656E 742D 5479 7065 3A20 6170 706C | ntent-Type: appl
000000A0 | 6963 6174 696F 6E2F 6F63 7465 742D 7374 | ication/octet-st
000000B0 | 7265 616D 0D0A 436F 6E74 656E 742D 456E | ream..Content-En
000000C0 | 636F 6469 6E67 3A20 6269 6E61 7279 0D0A | coding: binary..
000000D0 | 5573 6572 2D41 6765 6E74 3A20 4D6F 7A69 | User-Agent: Mozi
000000E0 | 6C6C 612F 342E 3020 2863 6F6D 7061 7469 | lla/4.0 (compati
000000F0 | 626C 653B 204D 5349 4520 352E 303B 2057 | ble; MSIE 5.0; W
00000100 | 696E 646F 7773 2039 3829 0D0A 0D0A 4352 | indows 98)....CR
00000110 | 5950 5445 4430 948E 0119 A53F 45D2 4D28 | YPTED0.....?E.M(
00000120 | 1DAB 4A59 CA51 C0C0 AA4D FFE4 1FA0 D569 | ..JY.Q...M.....i
00000130 | D686 B818 6678 98C3 1191 4685 6837 5A43 | ....fx....F.h7ZC
00000140 | 0FD4 DCED 1432 F02E 42E8 DC2A DAB1 4110 | .....2..B..*..A.
00000150 | C5A5 4160 B8B2 C65B 79E3 F5A6 BDCA CA95 | ..A`...[y.......
00000160 | 59E8 EA5C D10A 2382 63DC 3C48 A7D3 205C | Y..\..#.c.<H.. \
00000170 | 7514 825A 44CC 205F 4D40 7A7A 27E5 899B | u..ZD. _M@zz'...
00000180 | F637 BECA 9F90 9FC3 3CB1 44F3 6574 50C9 | .7......<.D.etP.
00000190 | 3448 2DA1 7C62 4F48 22EE 7BA0 EC26 AB5B | 4H-.|bOH".{..&.[
000001A0 | 5119 9C38 8161 9611 F2CD 230D B94B 4E12 | Q..8.a....#..KN.
000001B0 | 13E4 0BA3 1D76 9813 C55F F8A4 CA71 BE3C | .....v..._...q.<
000001C0 | 0F4C 2A2B 8BE1 8570 6D1D 35F8 AA1D 6952 | .L*+...pm.5...iR
000001D0 | 451C E975 0E02 3C63 515B 96F4 EFD1 4616 | E..u..<cQ[....F.
000001E0 | 8DF0 EAF1 F384 DD90 E5AC B215 0DB0 59AB | ..............Y.
000001F0 | 6F76 B26F AB4D BF14 2F35 FDC4 9B6E C0DE | ov.o.M../5...n..
00000200 | E5C4 21C9 58BB 3E97 96C1 776B BB70 4BC5 | ..!.X.>...wk.pK.
00000210 | 1558 1BA7 5BBD 1247 9717 DEFE 3900 5307 | .X..[..G....9.S.
00000220 | FE62 2803 8FAD 8864 2400 148C EB66 21D0 | .b(....d$....f!.
00000230 | 466F 7AC0 3159 A2CD ACDD 032F C5CE 1A06 | Foz.1Y...../....
00000240 | 76F2 19D1 23E0 53CE 4865 69B6 04B2 AFF8 | v...#.S.Hei.....
00000250 | E0DC 758D 03C9 5C72 5862 8E9F 5A4C 672D | ..u...\rXb..ZLg-
00000260 | 812B EFAE 319F 208E CF48 8BCC D76C B200 | .+..1. ..H...l..
00000270 | 6AA5 6981 60D9 636E F982 0E32 9846 DB14 | j.i.`.cn...2.F..
00000280 | 6417 3C66 A0B7 5107 8C94 5A9E C0D9 F9DB | d.<f..Q...Z.....
00000290 | 000A 6C5D C330 41B7 2B63 8EEB EFB7 B73D | ..l].0A.+c.....=
000002A0 | 83FF F969 1333 49E9 A2CE D5BF B6D8 365B | ...i.3I.......6[
000002B0 | DF32 39B3 71CA 6BE0 4E28 FA7F 86A9 F26F | .29.q.k.N(.....o
000002C0 | 19C5 E2EB AC7B E810 2390 0E77 812D D06C | .....{..#..w.-.l
000002D0 | 347D 82D1 DDC0 EBB8                     | 4}......

Downloaded File Summary:

Download details:

Download retrieved: 18 August 2012 04:18:29
Processing time: 3 min 10 sec
Downloaded sample:

File MD5: 0xDD0BD46DCDF87161145233581A02A638
File SHA-1: 0x3D28224AF65E6786AFE7AE11D22AEE8302E248C8
Filesize: 320,513 bytes

Technical Details:

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	320,513 bytes	MD5: 0xDD0BD46DCDF87161145233581A02A638 SHA-1: 0x3D28224AF65E6786AFE7AE11D22AEE8302E248C8

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.