Submission Summary:

Technical Details:

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %Temp%\8295810\bassmod.dll 36,044 bytes MD5: 0xE3A6587BA5A4EE4514ECAA4265DD9B2C
SHA-1: 0xB44BB9B5FC3478FA6EA5140603857EE0C2D4C4FD
(not available)
2 %Temp%\8295810\generell.ini 1,634 bytes MD5: 0x123DD7070AB6A4B404997E4D94E96AA1
SHA-1: 0x3D7062F5C1472249A9FAC712BE566690794FFA62
(not available)
3 %Temp%\8295810\info-btn-down.jpg 5,106 bytes MD5: 0xFFBF74F8D6340F83BB684BD6D7A86D91
SHA-1: 0x6527ACC1A364CC301D3A84A389E89450357475CF
(not available)
4 %Temp%\8295810\info-btn-pressed.jpg 3,287 bytes MD5: 0x5987BEB910C89728C30714AB322D22AA
SHA-1: 0x34F9E97B56DD886CCF75AD2FD7FEC6045E124042
(not available)
5 %Temp%\8295810\info-mask.bmp 767,158 bytes MD5: 0x53C712521EB4F6DEFF996B8CB29E6C01
SHA-1: 0x3C5A49D998B533ECC93F829AD634F96636604116
(not available)
6 %Temp%\8295810\info-normal.jpg 35,191 bytes MD5: 0x4DC5C1B68B505BFD807D2A163EB38710
SHA-1: 0x8E98BFB45E4FE642FAA2910A78326451E9E45474
(not available)
7 %Temp%\8295810\install-btn-down.jpg 6,285 bytes MD5: 0x7A4524F6C440ADCB468C0BEF67AA78B7
SHA-1: 0xBFF75C777EB621DB787B95592F74FA8BB5E3215F
(not available)
8 %Temp%\8295810\install-btn-pressed.jpg 1,961 bytes MD5: 0x6110585206BA168C66DAF38BFC426AFB
SHA-1: 0x22C27E9ABEECC46E4928F3D841F82E0941D856AC
(not available)
9 %Temp%\8295810\install-normal.jpg 32,719 bytes MD5: 0x325F1A875B04C828492EE00E7603FECD
SHA-1: 0xDB505502D15CBF793CFE89C18F0605E12A8FE3AA
(not available)
10 %Temp%\8295810\instskin.ini 269 bytes MD5: 0x7CDB3E4BED0662C7E8D872A9167776F6
SHA-1: 0xA0F1F34FA98069A4EE7EE31C779C3FC5D017D34D
(not available)
11 %Temp%\8295810\main-mask.bmp 429,366 bytes MD5: 0x114F8E2E3C09B6FE90ABE44F6F1F17BA
SHA-1: 0xF4592563ACA474919B37600A6415D56FD7F7A2DE
(not available)
12 %Temp%\8295810\mainskin.ini 349 bytes MD5: 0x6A0B5FE00C597D0E4BF646EDCF4C53BD
SHA-1: 0x1008CA9287686467DF3F1BDBB1EC211B800EDEA6
(not available)
13 %Temp%\8295810\Mod.At_Tesko_This_Week.mod 23,770 bytes MD5: 0x6DD8B25763DA33831E5117E76721D827
SHA-1: 0x52A98A0268BC6BC39FB781AC4B104531103E16CE
(not available)
14 %Temp%\8295810\nfoskin.ini 228 bytes MD5: 0x5C466245B0F40A286CD6E36709D3242D
SHA-1: 0x4FFD178C7BCD7BE496E17BC7F2A83FAF5B4B72E9
(not available)
15 %Temp%\8295810\smalldos.fon 37,472 bytes MD5: 0xE280F0B7AA3E80FBC0C45A56B94AE52E
SHA-1: 0x366613A372EDCCA1BA6795D0D2E38F02E0123AAF
(not available)
16 %Temp%\8295810\startup-btn-down.jpg 8,926 bytes MD5: 0xF564C842956A6934496FFEA606E5E128
SHA-1: 0x5600C5B1B8CE2F02691B3DC62D649E5E63D5E757
(not available)
17 %Temp%\8295810\startup-btn-pressed-yellow.jpg 6,454 bytes MD5: 0xCA97F3264651BA462C5199DD2DC35B67
SHA-1: 0xB330E00FC10436B489FFAC5DEDAB472EFE9E34CA
(not available)
18 %Temp%\8295810\startup-normal.jpg 53,795 bytes MD5: 0xF562BBC2A49A8522150B30018796A365
SHA-1: 0xA37E610FC07293F697A90F4634528FCACA195417
(not available)
19 %Temp%\8295810\unacev2.dll
%Temp%\8295810\unzdll.dll
0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
20 %Temp%\8295810\unrar.dll 157,696 bytes MD5: 0xB05455365143D7E5E6E96715101F99E3
SHA-1: 0xFE0862C511C38873D8F0439143D03DB0A53CB017
(not available)
21 [file and pathname of the sample #1] 692,736 bytes MD5: 0xCFFD1A1FB4D118B1997C3F017288D9D4
SHA-1: 0xDBBFD20C4CE2CAE08FCEB2A79E6145937373AD47
Trojan.SuspectCRC [Ikarus]
packed with PKLite32 [Kaspersky Lab]

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 3,649,536 bytes

Other details

Germany

Copyright © 2013 ThreatExpert. All rights reserved.