ThreatExpert Report: Mal/DelpBank-A, Mal/DelpBank-A, Trojan-Banker.Win32.Banz

Submission Summary:

Submission details:

Submission received: 27 November 2012, 09:13:48
Processing time: 8 min 46 sec
Submitted sample:

File MD5: 0xCFF3B8EC4C49051811213D3551EB3C28
File SHA-1: 0xE815D540ABB0C63CC428F3A190D2C52951D3EB7D
Filesize: 1,566,560 bytes
Alias: Mal/DelpBank-A, Mal/DelpBank-A [Sophos]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	1,566,560 bytes	MD5: 0xCFF3B8EC4C49051811213D3551EB3C28 SHA-1: 0xE815D540ABB0C63CC428F3A190D2C52951D3EB7D	Mal/DelpBank-A, Mal/DelpBank-A [Sophos]
2	%Windir%\Win_pwr.pdf	51,154 bytes	MD5: 0x4D6C08C3D31B65221BA0676CF0C750FD SHA-1: 0xC211472E60C9AD11535EB1BA202B60813EA2035C	(not available)

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,597,440 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
update.adobe.com	80	(null)	(null)

The following GET request was made:

pub/adobe/acrobat/js/6.x/rdr/win/enu/DataScript.js

The data identified by the following URLs was then requested from the remote web server:

???
???j
https://som.egnyte.com/h-s-internal/20121018/e8060f993e8d45b8
https://som.egnyte.com/h-s-internal/20121017/c7b9b4b1550047ff
https://som.egnyte.com/h-s-internal/20121017/46dadb6adbd74e92

Downloaded File Summary:

Download details:

Download retrieved: 27 November 2012 09:22:34
Processing time: 14 min 16 sec
Downloaded sample #1:

File MD5: 0x54347AE2FF693729F420CD45FABAF63D
File SHA-1: 0x1896D0CC28F958FFBB78CF89D3542EE15333C0E2
Filesize: 8,920,542 bytes
Alias: Trojan-Banker.Win32.Banz [Ikarus]

Downloaded sample #2:

File MD5: 0x9D6DF3E5D383BFEA815C4F3859751A20
File SHA-1: 0x8228446A1387A427E0ADBC8588163EE603142F87
Filesize: 4,217,344 bytes
Alias: Trojan-Banker.Win32.Banz [Ikarus]

Downloaded sample #3:

File MD5: 0xC20A7ED35C820BC24CD4F6BB684D7598
File SHA-1: 0x75D0F84C5808E593ED4E43E70E20624BB72D0EEF
Filesize: 11,898,329 bytes
Alias: Trojan-Banker.Win32.Banz [Ikarus]

Summary of the findings:

What's been found	Severity Level
Communication with a remote SMTP server and sending out email.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\0409ca5892422fa7f542723c98992fad_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	2,042 bytes	MD5: 0x83735E91ADE91A4134B2C2AA86B7EAF0 SHA-1: 0x9EDE92A3808203C384E255E4F58FB602E0498D61	(not available)
2	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\405e1a235f4d3730178facbfcb9cf8ca_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	2,042 bytes	MD5: 0xF43DE7D300C9AF10CA0CBC17D0934422 SHA-1: 0xEB50187ECA0206FEF23AC7774901E24B9E43B804	(not available)
3	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\5a8ff7a6ad7e38ec83dcaa35f9967198_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	2,042 bytes	MD5: 0xDF459759C5E1098952965860CA9B17E0 SHA-1: 0x1129C4942E6F9F06B7459D26A55262BF2C0B5DB3	(not available)
4	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\a8cb3137329d642872dd6b2116ec212e_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	2,042 bytes	MD5: 0x1D20F355004B048AE9C4A8D6E3EE17C7 SHA-1: 0xD6619000A5404A5ECA31BA1E585C20502DF1396D	(not available)
5	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\d010246837dab01e4404dba1dca0efef_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	2,042 bytes	MD5: 0x5FEE7BA20D687644D2575305DC80192F SHA-1: 0xCF27D3DC2144609172902365323D2D11526DA580	(not available)
6	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\d71375b114e472f50fdecc6000e0f0a4_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	2,041 bytes	MD5: 0x9C0FE84A94C8106914B7F7F5ACE725B2 SHA-1: 0x69E5F6D01B4E75F8288D16D1F0725E935B2C9E41	(not available)
7	%Temp%\WIDEAWAKE1.ecl	9,388,544 bytes	MD5: 0xEBDB3DC4F3D6EC0C75B872A12B5B0A0A SHA-1: 0x038148A9ECEDE455F8A2BA4023C02262966F607B	Trojan-Banker.Win32.Banz [Ikarus]
8	%Temp%\WIDEAWAKE2.ecl	4,656,128 bytes	MD5: 0xA928A9B761B371128B1E20F6669A7D30 SHA-1: 0x83779EA2E2EC5F894CE63CBDEE8D07746CCEBF79	Trojan-Banker.Win32.Banz [Ikarus]
9	%Temp%\WIDEAWAKE3.ecl	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
10	%MyDocuments%\Gb.zip	22 bytes	MD5: 0x76CDB2BAD9582D23C1F6F4D868218D6C SHA-1: 0xB04F3EE8F5E43FA3B162981B50BB72FE1ACABB33	(not available)
11	%Windir%\A777(1)(2).txt %Windir%\A777(1).txt %Windir%\B777(222)(222).txt %Windir%\B777(222).txt %Windir%\C111(3)(2).txt %Windir%\C111(3).txt %Windir%\WLog777.txt	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
12	%System%\GbPlugin-M?dulo de Seguran?a.com %Windir%\xwizard(3).exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
13	%System%\GbPlugin-M?dulo de Seguran?a.exe %Windir%\xwizard(1).exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
14	%System%\GbPlugin-M?dulo de Seguran?a.scr %Windir%\xwizard(2).exe	7,577,352 bytes	MD5: 0x39E1678B04EBBD9AFCDB26B3C21353DE SHA-1: 0x194292C204172D3C94F88E14D4A6D6ECAD1C1657	(not available)
15	[file and pathname of the sample #1]	8,920,542 bytes	MD5: 0x54347AE2FF693729F420CD45FABAF63D SHA-1: 0x1896D0CC28F958FFBB78CF89D3542EE15333C0E2	Trojan-Banker.Win32.Banz [Ikarus]
16	[file and pathname of the sample #2]	4,217,344 bytes	MD5: 0x9D6DF3E5D383BFEA815C4F3859751A20 SHA-1: 0x8228446A1387A427E0ADBC8588163EE603142F87	Trojan-Banker.Win32.Banz [Ikarus]
17	%Windir%\YW2.zip	3,785,654 bytes	MD5: 0x1BDE0BE28581D393DD9D78411A408288 SHA-1: 0xE669A017E4C7C2BBB50231AF32ED0ADFC9456D40	(not available)
18	%Windir%\YW22.zip	8,486,415 bytes	MD5: 0xC9DA7041197B312567314FCF12E536CF SHA-1: 0xE6F78BE7C3212CCDDA31309D1EF9732770780ED3	(not available)
19	%Windir%\YW222.zip	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%MyDocuments% is a variable that refers to the file system directory used to physically store a user's common repository of documents. A typical path is C:\Documents and Settings\[UserName]\My Documents.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
WIDEAWAKE2.ecl	%Temp%\WIDEAWAKE2.ecl	4,685,824 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kd1399223419b.fqx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pb1877864549o.shh
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sp1980281197r.bcf

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kd1399223419b.fqx]

(Default) = 31 DE 82 1A 3E 0B C3 72 81 44 BC 5A 5C 49 8A AD 22 DB F0 16 1A 5B D6 C4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pb1877864549o.shh]

(Default) = 74 8D 12 AF 0E 9F BE 93 5B 78 42 8C FB BD 24 84 A0 C8 EF FA 3B 03 CB AC

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sp1980281197r.bcf]

(Default) = E2 F8 5A F5 37 CE E8 C5 45 B9 AA 57 88 73 C1 B9 16 92 C4 5F 0B C5 C5 4C

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

WinEx7 = "%Windir%\xwizard(2).exe"
WinEx72 = "%Windir%\xwizard(2).exe"
Calculator = "%Windir%\xwizard(1).exe"
Calculator2 = "%Windir%\xwizard(1).exe"
Notepad = "%Windir%\xwizard(3).exe"
Notepad2 = "%Windir%\xwizard(3).exe"

so that xwizard(2).exe runs every time Windows starts

so that xwizard(1).exe runs every time Windows starts

so that xwizard(3).exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Brazil

The following Host Name was requested from a host database:

smtp.email.it

Generated SMTP traffic

Email Sender:

anamariabraga@email.it <anamariabraga@email.it>

Email Recipient:

umanodourado2010.3@gmail.com

Email Subject:

Eu Te Adoro 2012 / Saborosas Manh?s 2012

Email Body:

--------------------------------------------------- Sente a? meu irm?o ? uma coisa rara de ver O ano ? bom, muito bom Estou feliz podes crer --------------------------------------------------- .

For example, the generated email message may look similar to the one shown below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.