Submission Summary:

What's been found | Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security Risk | Description
Trojan-Spy.Bankject | Trojan-Spy.Bankject injects extra HTML code into internet banking web pages in order to steal passwords and credit card details. It also steals email addresses from the Windows Address Book and sends all of this stolen information to the attacker.

Threat Category | Description
A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body.


File System Modifications

# | Filename(s) | File Size | File Hash | Alias

1  %Temp%\2017.vbs
   Size: 29,664 bytes
   MD5: 0x5F0D8B07983952FCCCEF98E13307F5DE
   Alias: (not available)

2  %Temp%\3582-490\LIST MANAGER.exe
   Size: 2,435,584 bytes
   MD5: 0x5B435F57C116649133F864FF5BE9E922
   SHA-1: 0x79516478DEBD0D765FF9DF446468275A9C5C745D
   Alias: (not available)

3  %Temp%\LIST MANAGER.exe
   Size: 2,477,056 bytes
   MD5: 0xB94AEE308B116230B9F3349242C071E9
   SHA-1: 0x3FB60BCC78FDEB29043A691E65E0E946B90A1F1C
   Alias: W32.Neshuta [Symantec]
          Virus.Win32.Neshta.a [Kaspersky Lab]
          W32/Generic.Delphi.c [McAfee]
          PE_NESHTA.A [Trend Micro]
          W32/Bloat-A [Sophos]
          Virus:Win32/Neshta.A [Microsoft]
          Virus.Win32.Neshta [Ikarus]
          Win32/Neshta [AhnLab]

4  %Temp%\saystam.exe
   Size: 24,064 bytes
   MD5: 0x49F2CE1326A99327FB4834EE51871462
   SHA-1: 0x0E0B5A9318E5C3D8217E5F1AF83C002B1AC63FC6
   Alias: (not available)

5  %Temp%\TheHunter.vbs
   Size: 98,782 bytes
   MD5: 0xCDAF0EAD811A57DDF075A13027243396
   SHA-1: 0x2C31865D214600EDABD9AB055E00C24692C72497
   Alias: (not available)

6  %Temp%\tmp5023.tmp
   Size: 8 bytes
   MD5: 0x0D536A56DF2CA61AC3D0F9A74171339A
   SHA-1: 0x5E122A4256E40667D850C40EAF672075F8813AD1
   Alias: (not available)

7  %Windir%\directx.sys
   Size: 33 bytes
   MD5: 0xCF4C20A90A31F5E8DC1B9183788E5E23
   SHA-1: 0x3BD3FB2BD932745ACC7E1A6E46E8672E49551A6A
   Alias: (not available)

8  %Windir%\
   Size: 41,472 bytes
   MD5: 0xAD995DEB44048424A2882047E63F36ED
   SHA-1: 0x8B6870E8A67CB09C7373B8301DBE5F0046154B64
   Alias: W32.Neshuta [Symantec]
          Virus.Win32.Neshta.a [Kaspersky Lab]
          W32/Generic.Delphi.c [McAfee]
          PE_NESHTA.A-O [Trend Micro]
          W32/Bloat-A [Sophos]
          Virus:Win32/Neshta.A [Microsoft]
          Virus.Win32.Neshta [Ikarus]
          Win32/Neshta [AhnLab]

9  [file and pathname of the sample #1]
   Size: 1,324,832 bytes
   MD5: 0xFB365498A1C73C1E0A5C146D8B0135C9
   SHA-1: 0xFB272C8484241FB7CA1328C24B3F9F54B118E063
   Alias: W32.Neshuta [Symantec]
          Virus.Win32.Neshta.a [Kaspersky Lab]
          Virus.Win32.Neshta [Ikarus]

Note that entry 3 is entry 2 plus exactly 41,472 bytes (2,477,056 - 2,435,584), which is the size of the dropped file in entry 8: the infected copy of LIST MANAGER.exe carries the virus body as a prefix and the clean copy in %Temp%\3582-490\ is the original host.
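The table above gives two things a responder can act on: full-file hashes for every dropped artifact, and a size relationship (infected host = 41,472-byte body + clean host) that is characteristic of a prepending infector. The script below is an added example written for this page, not part of the ThreatExpert report and not the sandbox's own tooling. It scans a directory tree, reports any file whose MD5 matches one of the report's hashes, and additionally flags files whose first 41,472 bytes hash to the dropped body, then strips that prefix to recover the host. It assumes that the prepended block is byte-identical to the dropped %Windir% file (the size arithmetic on this page supports prepending; byte identity of the prefix is an assumption, so the test data is constructed and the real-sample hashes are only used for the full-file IOC match). Function names (classify, recover_host, scan_tree, build_constructed_sample) are this example's own.

```python
import hashlib
import sys
from pathlib import Path

# Size of the prepended virus body, derived from the report: the infected
# %Temp%\LIST MANAGER.exe (2,477,056 bytes) minus the clean copy in
# %Temp%\3582-490\ (2,435,584 bytes) equals the dropped %Windir% file (41,472 bytes).
NESHTA_BODY_SIZE = 2_477_056 - 2_435_584  # == 41_472

# Full-file MD5 hashes copied from the report's File System Modifications table
# (the report writes them with a 0x prefix; stored here as bare upper-case hex).
REPORT_MD5 = {
    "5F0D8B07983952FCCCEF98E13307F5DE": "%Temp%\\2017.vbs",
    "5B435F57C116649133F864FF5BE9E922": "%Temp%\\3582-490\\LIST MANAGER.exe (clean host)",
    "B94AEE308B116230B9F3349242C071E9": "%Temp%\\LIST MANAGER.exe (infected)",
    "49F2CE1326A99327FB4834EE51871462": "%Temp%\\saystam.exe",
    "CDAF0EAD811A57DDF075A13027243396": "%Temp%\\TheHunter.vbs",
    "0D536A56DF2CA61AC3D0F9A74171339A": "%Temp%\\tmp5023.tmp",
    "CF4C20A90A31F5E8DC1B9183788E5E23": "%Windir%\\directx.sys",
    "AD995DEB44048424A2882047E63F36ED": "%Windir%\\ (41,472-byte virus body)",
    "FB365498A1C73C1E0A5C146D8B0135C9": "submitted sample #1",
}

# MD5 of the dropped 41,472-byte body. ASSUMPTION (not stated by the report):
# the block prepended to each infected host is byte-identical to this file.
REPORT_BODY_MD5 = {"AD995DEB44048424A2882047E63F36ED"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def classify(data: bytes, body_md5s=REPORT_BODY_MD5, ioc_md5=REPORT_MD5) -> dict:
    """Return the IOC match and the prepended-body verdict for one file's contents."""
    full = md5_hex(data)
    result = {
        "md5": full,
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "ioc_alias": ioc_md5.get(full),      # exact match against the report's table
        "prepended_body_md5": None,          # set when the first 41,472 bytes are the body
        "host_looks_like_pe": False,         # tail begins with an MZ header
    }
    # A prepender leaves its body at offset 0 and the original host after it, so
    # the file must be strictly larger than the body for a host to be present.
    if len(data) > NESHTA_BODY_SIZE:
        prefix = md5_hex(data[:NESHTA_BODY_SIZE])
        if prefix in body_md5s:
            result["prepended_body_md5"] = prefix
            result["host_looks_like_pe"] = data[NESHTA_BODY_SIZE:NESHTA_BODY_SIZE + 2] == b"MZ"
    return result


def recover_host(infected: bytes) -> bytes:
    """Strip the prepended body; under the same assumption the remainder is the original host."""
    host = infected[NESHTA_BODY_SIZE:]
    if not host.startswith(b"MZ"):
        raise ValueError("tail does not start with an MZ header; not a plain prepend")
    return host


def scan_tree(root: Path) -> list:
    """Walk a directory and return only the files that hit an IOC or carry the body prefix."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            verdict = classify(path.read_bytes())
            if verdict["ioc_alias"] or verdict["prepended_body_md5"]:
                verdict["path"] = str(path)
                findings.append(verdict)
    return findings


def build_constructed_sample():
    """Constructed test data, not from the report: a fake body of the right size and a fake host."""
    body = bytes(range(256)) * (NESHTA_BODY_SIZE // 256)   # 256 * 162 == 41,472 bytes exactly
    host = b"MZ" + b"\x90" * 4094                          # stand-in for a small PE image
    return body, host, body + host


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for finding in scan_tree(root):
        print(finding)
```

Run it as `python scan.py C:\Users\victim\AppData\Local\Temp` on a mounted image or live host. The IOC match is only as good as the hashes in this one report; the prefix check is what generalises to other hosts the virus infected, and the VMware process in the Memory Modifications section below is a reminder that an infector of this kind does not confine itself to the sandbox's temp directory.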


Memory Modifications

Process Name | Process Filename | Main Module Size
list manager.exe | %Temp%\list manager.exe | 176,128 bytes
svchost.com | \svchost.com | 176,128 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 233,472 bytes
VMEB23~1.EXE | C:\PROGRA~1\VMware\VMWARE~1\VMEB23~1.EXE | 90,112 bytes


Registry Modifications


Other details

Russian Federation

Server Name | Server Port | Connect as User | Connection Password


Outbound traffic (potentially malicious)



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.