Submission Summary:

What's been found | Severity Level
Produces outbound traffic. |
Creates a startup registry entry. |
Contains characteristics of an identified security risk. |

Technical Details:

Possible Security Risk

Threat Category | Description
 | A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 | %System%\43C84F52 | 4 bytes | MD5: 0x9F86307A00325A28BA8179F593291790 / SHA-1: 0x27DAD88631482FDA4301DF1D6FBF9278C94C0F1F | (not available)
2 | %Windir%\Tasks\At1.job | 360 bytes | MD5: 0x35548428778CACE6BAFCA15020B9C286 / SHA-1: 0x0BCD77328B23290567AC14D4FF7B12ACBC88D89C | Troj/FakeJob-A [Sophos]
3 | %Windir%\Tasks\At10.job | 360 bytes | MD5: 0xC6A978E18937F932F73E611C0E86CC9E / SHA-1: 0x209DC044A2F630A00846A9E8DB3D6D89B1B92057 | Troj/FakeJob-A [Sophos]
4 | %Windir%\Tasks\At11.job | 360 bytes | MD5: 0xE06BBF64A385451EF5D43F53404F4072 / SHA-1: 0xB9B38B28457A57AC4A9EAB851C03C962CAB0481C | Troj/FakeJob-A [Sophos]
5 | %Windir%\Tasks\At12.job | 360 bytes | MD5: 0xE07A7DD017485EEE3A20E2650CCE1A0A / SHA-1: 0x4B2D0638D48D833CF7CE0DC3F9A8175E58BD4075 | Troj/FakeJob-A [Sophos]
6 | %Windir%\Tasks\At13.job | 360 bytes | MD5: 0x4281BE32BC40DE51FBD27EC254A369F1 / SHA-1: 0x7A1503B34F812DAE6A64E1E31CCD571650A05E4A | Troj/FakeJob-A [Sophos]
7 | %Windir%\Tasks\At14.job | 360 bytes | MD5: 0x2E11A05E225718AC0A1C3FD9B9586987 / SHA-1: 0xB929F1C9353D2108351CAE0AEF0C08D730AB233E | Troj/FakeJob-A [Sophos]
8 | %Windir%\Tasks\At15.job | 360 bytes | MD5: 0xA3AA6AB8A3BDD882A453FA882DA241CF / SHA-1: 0x41EC8ABE624C66CF2D2460BD05270880F6430BA6 | Troj/FakeJob-A [Sophos]
9 | %Windir%\Tasks\At16.job | 360 bytes | MD5: 0x843738253C0863BCDF663E2763057C6E / SHA-1: 0x1E1A5049BB409AC6706EB05900A865A304F156D8 | Troj/FakeJob-A [Sophos]
10 | %Windir%\Tasks\At17.job | 360 bytes | MD5: 0x4CBC6EC5687AF742944178134F009284 / SHA-1: 0xF215DD85617903677FA917207E53916C32F13D89 | Troj/FakeJob-A [Sophos]
11 | %Windir%\Tasks\At18.job | 360 bytes | MD5: 0x4031D267C6B66AEA6567AD4940380F88 / SHA-1: 0x937DC7575C9FB05BFF762152C13E97C897BEE5C2 | Troj/FakeJob-A [Sophos]
12 | %Windir%\Tasks\At19.job | 360 bytes | MD5: 0x50235774A601127DF79791EC89F9AAB9 / SHA-1: 0x0DEFA2F389DF88996B5D617F38FB2455CAF14526 | Troj/FakeJob-A [Sophos]
13 | %Windir%\Tasks\At2.job | 360 bytes | MD5: 0xF3EB0A03E9B2B6DE677846A32FEA9FE9 / SHA-1: 0x6D86CA9530EB24F1E45673FF268A5767FF287D38 | Troj/FakeJob-A [Sophos]
14 | %Windir%\Tasks\At20.job | 360 bytes | MD5: 0x16924B240004566A67A2065A0FAF5C5A / SHA-1: 0x65BF79E850DEE1A63879B048A2DAD81FD1C6570B | Troj/FakeJob-A [Sophos]
15 | %Windir%\Tasks\At21.job | 360 bytes | MD5: 0x88D7D320F9D4D5080A99B32EAFA93F05 / SHA-1: 0xB51259039A04D6615C229016F64CBEFCF7F63F03 | Troj/FakeJob-A [Sophos]
16 | %Windir%\Tasks\At22.job | 360 bytes | MD5: 0x99BEB0A5E20F56683DEA3C31BC5091EA / SHA-1: 0xAE9556EE2648C8C208D55F23E8280A5A88EE194D | Troj/FakeJob-A [Sophos]
17 | %Windir%\Tasks\At23.job | 360 bytes | MD5: 0x9B8104F34C9F94C8196D49D220A2EA40 / SHA-1: 0xAF63412295773FA5B2C2FFC6251012A9CDC5DB6D | Troj/FakeJob-A [Sophos]
18 | %Windir%\Tasks\At24.job | 360 bytes | MD5: 0xE1BFD1393BCCDAE96A674C5C92568D38 / SHA-1: 0xF49DA58CB0B55C2F5D4ED812AC36B84E14C92A9C | Troj/FakeJob-A [Sophos]
19 | %Windir%\Tasks\At3.job | 360 bytes | MD5: 0x38D8E12E932BE538C27680F0C5C40003 / SHA-1: 0xE3BD66826A5AD86E0A719940F82540B1D0E09CE4 | Troj/FakeJob-A [Sophos]
20 | %Windir%\Tasks\At4.job | 360 bytes | MD5: 0x52D69D616EC523475906D6E7AC1705CA / SHA-1: 0x71553C8705FAF2BB196A3FBCF561043100A62D6A | Troj/FakeJob-A [Sophos]
21 | %Windir%\Tasks\At5.job | 360 bytes | MD5: 0x9BBEB795804283264E23C60851A436AC / SHA-1: 0x4F63F705312BB0F98290C70CAF860D51607EA838 | Troj/FakeJob-A [Sophos]
22 | %Windir%\Tasks\At6.job | 360 bytes | MD5: 0x5E5E6B1B28F0A6C0D6E2D0705F3899C3 / SHA-1: 0xB0DA737412A101D5ADA867E2BB6716D6684F27DD | Troj/FakeJob-A [Sophos]
23 | %Windir%\Tasks\At7.job | 360 bytes | MD5: 0x97DD6519E77753D077E0F7D0213493CF / SHA-1: 0xC4D033E1D74391BC31B3B8CD559DCC03ED6BE38C | Troj/FakeJob-A [Sophos]
24 | %Windir%\Tasks\At8.job | 360 bytes | MD5: 0x4A9C1B64509CA80B4A8F8C69D84CE85F / SHA-1: 0x0EA103C749FAEBC3D480677E85796899089195A8 | Troj/FakeJob-A [Sophos]
25 | %Windir%\Tasks\At9.job | 360 bytes | MD5: 0x77055725557C6FA5FBB59CD283CE4D0B / SHA-1: 0x692626AA3739628743FE6FD24D8A46EA999B2330 | Troj/FakeJob-A [Sophos]
26 | %Windir%\XXXXXX43C84F52\svchsot.exe | 234,496 bytes | MD5: 0xCD65692E3E9339B4AE35323BB0527805 / SHA-1: 0x5ACEA7B9AC21034E724D58E262F1C0D75FD9C0CC | Backdoor.Win32.Agent.bwcb [Kaspersky Lab]; BackDoor-EMA.gen.e [McAfee]; Backdoor:Win32/Zegost.AD [Microsoft]; Backdoor.Win32.Zegost [Ikarus]

Memory Modifications

Process Name | Main Module Size
svchso | 245,760 bytes
svchso | 245,760 bytes

Registry Modifications

Other details

Remote Host | Port Number
192.168.1.39 | 8000
bbs.hackdark.com | 2011

Outbound traffic (potentially malicious)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.