Submission Summary:

What's been found                                         Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:


Possible Security Risk

Threat Category        Description
                       A keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.)


File System Modifications

#   Filename(s)                      File Size        File Hash / Alias
1   %Windir%\37B927C8\svchsot.exe    122,527 bytes
        MD5:   0xC996849E13875247B4B253E2CB31868E
        SHA-1: 0xAF9EAB5C31141FC8137AC5CFA38577D645935753
        Alias: Suspicious.Emit [Symantec]
               Trojan-Spy.Win32.Agent.cbot [Kaspersky Lab]
               Mal/EncPk-NQ, Mal/EncPk-NQ [Sophos]
               Backdoor:Win32/Morix.B [Microsoft]
               Virus.Win32.VBInject [Ikarus]
               packed with PE_Patch.RLPack [Kaspersky Lab]
2   %Windir%\Tasks\At1.job           348 bytes
        MD5:   0x1BA28642936D1C164BC34C32A24E1DD9
        SHA-1: 0x415E9FEAC28DD63F256463A51D7772F3A618C348
        Alias: (not available)
3   %Windir%\Tasks\At10.job          348 bytes
        MD5:   0xE070274386011D32E83B968EDD297451
        SHA-1: 0x1631D7A8DD11DF34D23C2AFC0EE5A6A6B1B25BEC
        Alias: (not available)
4   %Windir%\Tasks\At11.job          348 bytes
        MD5:   0x1B1B190A5FA088C7D5B4F36081559686
        SHA-1: 0xBD69D708029AD4DF4198E7A47844B08E8869148A
        Alias: (not available)
5   %Windir%\Tasks\At12.job          348 bytes
        MD5:   0x9A5DF96CCADAF35F0F268734C1F7B943
        SHA-1: 0x307C655D0E9EC910DC2B46274848B63FAF6A5641
        Alias: (not available)
6   %Windir%\Tasks\At13.job          348 bytes
        MD5:   0x7BEFE7CEC4F14604C1D2CCADB45443CC
        SHA-1: 0x04C3B151E5BC0158B3B5C0BCF789451D809DEA9F
        Alias: (not available)
7   %Windir%\Tasks\At14.job          348 bytes
        MD5:   0x473B5E835A381C64C262E5A8B16B7494
        SHA-1: 0xFD11047D8DE837EA084596C6176F81AF3DB8BC80
        Alias: (not available)
8   %Windir%\Tasks\At15.job          348 bytes
        MD5:   0xFF12B38F449B2F916494500584172C26
        SHA-1: 0xCBBC36511C1C0CB56679E8C20D2FBC83CAA11E3D
        Alias: (not available)
9   %Windir%\Tasks\At16.job          348 bytes
        MD5:   0xCB8E679CE1D2CC862A469571D0C73056
        SHA-1: 0x4D877CE9D1982C8CE39DEEF8284141C8F8E97361
        Alias: (not available)
10  %Windir%\Tasks\At17.job          348 bytes
        MD5:   0xEF3BC1FF3A7C786E0B68FB8E55F30233
        SHA-1: 0xC14E6EC080364540E8AF91929092AB0B73A93CD1
        Alias: (not available)
11  %Windir%\Tasks\At18.job          348 bytes
        MD5:   0x461867CAE54B2FF7038D3A8C80064F07
        SHA-1: 0x7B9CBB41EA34D1EC85262A638F6B7413F0BC5347
        Alias: (not available)
12  %Windir%\Tasks\At19.job          348 bytes
        MD5:   0xC9CC5FBBD9EAA04E7B97326DADD67B96
        SHA-1: 0x5A22FB7516D40344A13C0D213D98260C57294D86
        Alias: (not available)
13  %Windir%\Tasks\At2.job           348 bytes
        MD5:   0xB8B60D731E709E2A27D2AE9C0AF1E29F
        SHA-1: 0xE5FDF62053E401F42CB15989347DFFD82732736F
        Alias: (not available)
14  %Windir%\Tasks\At20.job          348 bytes
        MD5:   0x1E1C01BBEA723216508E5695B23248EF
        SHA-1: 0xEF353F6184B73F5FD5E2AD94F3F80883ED2B0D00
        Alias: (not available)
15  %Windir%\Tasks\At21.job          348 bytes
        MD5:   0x9B323B48C465122EF13B59E98BC862A0
        SHA-1: 0xA098AD70578CD461CA992D69B78B27F44654D888
        Alias: (not available)
16  %Windir%\Tasks\At22.job          348 bytes
        MD5:   0xC8A05348B03B4C2450B4F4567B7173CA
        SHA-1: 0xE2931FB22BF5A3723D89EC9CDDE9217056832EB1
        Alias: (not available)
17  %Windir%\Tasks\At23.job          348 bytes
        MD5:   0xC792AF0EBB4924E2B83048F30BCFD284
        SHA-1: 0xBCCAEAF484C8BF58BBD75F6FD72AD5C0759E0A54
        Alias: (not available)
18  %Windir%\Tasks\At24.job          348 bytes
        MD5:   0xB89E16574EDEF5928D6D0AFDD618F045
        SHA-1: 0xC734D6F8518CAFF6F02357469F64EED43D60C7FC
        Alias: (not available)
19  %Windir%\Tasks\At3.job           348 bytes
        MD5:   0x19CA92493874630A07CB8932CD88099F
        SHA-1: 0xD6EDFA6224FA63D965DC0FC3B9FB47185A6D90D7
        Alias: (not available)
20  %Windir%\Tasks\At4.job           348 bytes
        MD5:   0xA26067314846335DC5F4CECC988AC087
        SHA-1: 0xBC255E4E017BE5BFB3F38DBD81B983A3E7D11D93
        Alias: (not available)
21  %Windir%\Tasks\At5.job           348 bytes
        MD5:   0xF01C10E0D2F78AFC3B3EDC38D4DF549C
        SHA-1: 0xBBA27E7EE8DC055E247003AE5C56B8C89306E763
        Alias: (not available)
22  %Windir%\Tasks\At6.job           348 bytes
        MD5:   0x961C08BAC2C6F8FFF1793479711AFB16
        SHA-1: 0x9F1241306B3766CE9DB21B32DB82D8C7C13A2843
        Alias: (not available)
23  %Windir%\Tasks\At7.job           348 bytes
        MD5:   0x6568A5F2D5975C6876CE0269551056AE
        SHA-1: 0x986FBEA04DFFFB73ECEE4145E2BEA64B58896684
        Alias: (not available)
24  %Windir%\Tasks\At8.job           348 bytes
        MD5:   0x346A6590E5469C1A3A81D96E6FB6452D
        SHA-1: 0x6364524299D2F03706E30B2D48E3C6F436D8D0D9
        Alias: (not available)
25  %Windir%\Tasks\At9.job           348 bytes
        MD5:   0xDB97503E653FC588BED7F272439BF16D
        SHA-1: 0xDEB2D9618CB663EAB853277285C11D088D885D68
        Alias: (not available)


Registry Modifications


Other details

China

Remote Host            Port Number
asdsad11.dnip.net      8888
asdsad11.dnip.net      2012


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2013 ThreatExpert. All rights reserved.