ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 18 August 2012, 04:21:03
Processing time: 7 min 48 sec
Submitted sample:

File MD5: 0xFA4CA8038C1427356EC67158B6758F1E
File SHA-1: 0x082A165A1998D582692657698DB3F7502754DBFB
Filesize: 144,896 bytes

Summary of the findings:

What's been found	Severity Level
Capability to steal information such personal financial data (credit card numbers, online banking login details), user profiles, software registration keys, passwords.
Produces outbound traffic.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\abcd.bat	75 bytes	MD5: 0x0849CFE65B98BA5FCD9A9EC61A671D09 SHA-1: 0x9D0CCB383C32B1BC07FD9064B9324A18E1276902
2	[file and pathname of the sample #1]	144,896 bytes	MD5: 0xFA4CA8038C1427356EC67158B6758F1E SHA-1: 0x082A165A1998D582692657698DB3F7502754DBFB

Note:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 41 46 32 37 30 34 38 31 2D 43 46 32 32 2D 34 44 46 34 2D 39 45 43 36 2D 32 44 45 44 32 32 41 45 33 46 30 34 7D

Other details

The following Host Names were requested from a host database:

192.5.5.241
74.53.97.68
74.53.97.69
sam.gergosnet.com
www.imprentavalenciaofertas.es

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
74.53.97.68	8080

The following HTTP URLs were started reading:

http://sam.gergosnet.com/cTpT.exe
http://www.imprentavalenciaofertas.es/R3SfreR.exe

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 504F 5354 202F 666F 7275 6D2F 7669 6577 | POST /forum/view
00000010 | 746F 7069 632E 7068 7020 4854 5450 2F31 | topic.php HTTP/1
00000020 | 2E30 0D0A 486F 7374 3A20 3734 2E35 332E | .0..Host: 74.53.
00000030 | 3937 2E36 380D 0A41 6363 6570 743A 202A | 97.68..Accept: *
00000040 | 2F2A 0D0A 4163 6365 7074 2D45 6E63 6F64 | /*..Accept-Encod
00000050 | 696E 673A 2069 6465 6E74 6974 792C 202A | ing: identity, *
00000060 | 3B71 3D30 0D0A 436F 6E74 656E 742D 4C65 | ;q=0..Content-Le
00000070 | 6E67 7468 3A20 3435 340D 0A43 6F6E 6E65 | ngth: 454..Conne
00000080 | 6374 696F 6E3A 2063 6C6F 7365 0D0A 436F | ction: close..Co
00000090 | 6E74 656E 742D 5479 7065 3A20 6170 706C | ntent-Type: appl
000000A0 | 6963 6174 696F 6E2F 6F63 7465 742D 7374 | ication/octet-st
000000B0 | 7265 616D 0D0A 436F 6E74 656E 742D 456E | ream..Content-En
000000C0 | 636F 6469 6E67 3A20 6269 6E61 7279 0D0A | coding: binary..
000000D0 | 5573 6572 2D41 6765 6E74 3A20 4D6F 7A69 | User-Agent: Mozi
000000E0 | 6C6C 612F 342E 3020 2863 6F6D 7061 7469 | lla/4.0 (compati
000000F0 | 626C 653B 204D 5349 4520 352E 303B 2057 | ble; MSIE 5.0; W
00000100 | 696E 646F 7773 2039 3829 0D0A 0D0A 4352 | indows 98)....CR
00000110 | 5950 5445 4430 948E 0119 A53F 45D2 4D28 | YPTED0.....?E.M(
00000120 | 1DAB 4659 CA51 C0C0 AA4D FFE4 1FA0 D569 | ..FY.Q...M.....i
00000130 | D686 B818 6678 98C3 1191 4685 6837 5A43 | ....fx....F.h7ZC
00000140 | 0FD4 DCED 1432 F02E 42E8 DC2A DAB1 4110 | .....2..B..*..A.
00000150 | C5A5 4160 B8B2 C65B 79E3 F5A6 BDCA CA95 | ..A`...[y.......
00000160 | 59E8 EA5C D10A 2382 63DC 3C48 A7D3 205C | Y..\..#.c.<H.. \
00000170 | 7514 825A 44CC 205F 4D40 7A7A 27E5 899B | u..ZD. _M@zz'...
00000180 | F637 BECA 9F90 9FC3 3CB1 44F3 6507 21C8 | .7......<.D.e.!.
00000190 | 414E 10AD 74E8 4F71 DFF0 0558 52D3 22F7 | AN..t.Oq...XR.".
000001A0 | CB6B A83E 813F 6955 78AC 87BC 5B4C 46CD | .k.>.?iUx...[LF.
000001B0 | 57BD 1E97 83E7 FDEB 22C2 21DB 0E1C C72D | W.......".!....-
000001C0 | 7D33 0019 9ADB BFC7 CC73 8774 D019 2B06 | }3.......s.t..+.
000001D0 | 3C78 B77E 8D41 39AA 4B54 9EE0 8FF0 1321 | <x.~.A9.KT.....!
000001E0 | 756C 6A8F 2292 1703 F7A8 FE5D E169 5BD3 | ulj."......].i[.
000001F0 | 9A9E BC00 248E 338C F44D 000E 5088 AD62 | ....$.3..M..P..b
00000200 | E072 8D48 3982 2931 0404 8E30 5F1C 508B | .r.H9.)1...0_.P.
00000210 | E833 659A B103 6EFC B2A6 F41E CC58 0BCB | .3e...n......X..
00000220 | 943D 2BFC 8EC2 0061 9209 D471 F994 6954 | .=+....a...q..iT
00000230 | E20C 0A84 4D7B 8D81 76CB 2E0B 2702 BA3E | ....M{..v...'..>
00000240 | E9AA 607E 6F00 526F EE7D 6105 BD14 4F3A | ..`~o.Ro.}a...O:
00000250 | 1C9A 24FE 0BCE A83E AC70 4E36 99B5 BD5B | ..$....>.pN6...[
00000260 | E0BE 24A2 BDD1 3B50 3DD9 A531 051F C397 | ..$...;P=..1....
00000270 | DF76 AEEC 6C84 8A1C 8CE0 65C3 A90D 0EA1 | .v..l.....e.....
00000280 | 69F8 AE2A E1EF 6840 0771 8488 60F8 FA43 | i..*..h@.q..`..C
00000290 | 6BF6 6224 B34A E032 1692 3E33 ACE2 10BE | k.b$.J.2..>3....
000002A0 | A7C4 A485 F47E 7907 A602 770E 1FD4 F229 | .....~y...w....)
000002B0 | E065 3C83 09DF 6442 3AC8 081F 87FC 7217 | .e<...dB:.....r.
000002C0 | 19B5 E7E2 BD05 E406 953C DB51 8045 69FB | .........<.Q.Ei.
000002D0 | F3BA EF33                               | ...3

Downloaded File Summary:

Download details:

Download retrieved: 18 August 2012 04:28:52
Processing time: 11 min 41 sec
Downloaded sample:

File MD5: 0x8A2CFDBB5E2FF32FE534AFC845CC2A8A
File SHA-1: 0xCFC16A4DB58ED908DF02F19C1FA13F7658EE9E61
Filesize: 312,321 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\Obpaux\azdoe.exe	312,321 bytes	MD5: 0x1C68533D6CF529990B59F63FB432A222 SHA-1: 0xA2084BD18332AF607A61E655EEEF85F29484A40A
2	%AppData%\koefqo.ehx	1,322 bytes	MD5: 0x65AE4AEB793B8DE8B00685AD830F3520 SHA-1: 0x46CD1B6EB11A51F24B0C09B430BCEBEAFF4FE037
3	%Temp%\tmp3ae1b8c5.bat	168 bytes	MD5: 0x68274314AD5AFFF289670710EEF1F9A5 SHA-1: 0xFA9328DAC1EF567EA9AE591FEC7AA03F21D2997F
4	[file and pathname of the sample #1]	312,321 bytes	MD5: 0x8A2CFDBB5E2FF32FE534AFC845CC2A8A SHA-1: 0xCFC16A4DB58ED908DF02F19C1FA13F7658EE9E61

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directory was created:

%AppData%\Obpaux

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
azdoe.exe	%AppData%\obpaux\azdoe.exe	229,376 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	229,376 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
cmd.exe	%System%\cmd.exe	278,528 bytes

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Miri

The newly created Registry Values are:

[HKEY_CURRENT_USER\Identities]

Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]

CleanCookies = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

{3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = ""%AppData%\Obpaux\azdoe.exe""

so that azdoe.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Miri]

1a43gae2 = "v6RWSF4kuCLz6E6L"
15b6j2ic = 0x4833A49D
2g0i6gj4 = A4 9F 33 48 C5 72 CE 22 C2 E8 76 8B

The following Registry Values were modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1406 =
1609 =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

1406 =
1609 =

Other details

To mark the presence in the system, the following Mutex object was created:

Local\{FA4803F7-084F-6AC9-A6BA-A75086AF8442}

The following Host Name was requested from a host database:

192.5.5.241

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.google.com	80	(null)	(null)
dyozovgyrojfidiswwmbq.info	80	(null)	(null)
cmzhqzdlvsinivbipjhmfemqgd.com	80	(null)	(null)
jnjrayqkvlejklrhmqgewcsp.ru	80	(null)	(null)
gehxotghiplvpxpvkzgmmlf.com	80	(null)	(null)
tgdalrobmmrswhxtllnukgex.biz	80	(null)	(null)
bmhknpcanfhmtgspfusylzz.org	80	(null)	(null)
bexwaymvmvphuxamletsttpv.net	80	(null)	(null)
hyjvuczhvulcawsvgmfvspjfa.com	80	(null)	(null)
ukkbijnnfzxamhabqjtcuoaikrby.ru	80	(null)	(null)
ibgsohqnvbmcovkrqrgygqvir.biz	80	(null)	(null)
nvijzpfyqvcojbetkxppwomz.net	80	(null)	(null)
tgciaeuhnzyxtlmbjntmnp.org	80	(null)	(null)
lfutemeyleyltoemgeweqby.info	80	(null)	(null)
inizhmpfndmdqsqfymfeozth.com	80	(null)	(null)
hskdyldenvivyqougmjdyhh.ru	80	(null)	(null)
dajfswgyxexwtsbeqodwgpcy.com	80	(null)	(null)
smrhpfijtoonxkzeiddmreah.info	80	(null)	(null)

The following GET request was made:

index.html

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.