F58e4ab00f9d82c5376c2555038cd693

From aldeid
Jump to: navigation, search

Global information

  • SHA256: fe93192d61cdf35a0e433ee0190714d76a08f2a6f3dfa3fd416a17c28be315a0
  • SHA1: f4d4c1c13ebd496221aa8ff7eb0bba04c02f7144
  • MD5: f58e4ab00f9d82c5376c2555038cd693
  • File size: 180.5 KB ( 184842 bytes )
  • File name: system.exe
  • File type: Win32 EXE
  • Tags: peexe
  • Location: C:\recycler\S-1-5-21-5311846712-4121495154-682003330-5111\system.exe

Detection

Detection ratio: 42 / 46 (2012-12-03 07:39:37 UTC)

Antivirus Result Update
Agnitum Trojan.VBInject.Gen.7 20121202
AhnLab-V3 Trojan/Win32.Xema 20121203
AntiVir BDS/VB.AD 20121203
Antiy-AVL Trojan/Win32.VB.gen 20121202
Avast Win32:VB-PPJ [Drp] 20121203
AVG Injector.BGP 20121203
BitDefender Trojan.Generic.2505913 20121203
ByteHero Virus.Win32.Heur.p 20121130
ClamAV Trojan.VB-5042 20121202
Commtouch W32/Trojan2.IGSZ 20121203
Comodo Backdoor.Win32.Delf.~DF 20121203
DrWeb Trojan.Inject.549 20121203
Emsisoft Trojan.Generic.2505913 (B) 20121203
ESET-NOD32 a variant of Win32/Injector.ACQ 20121202
F-Prot W32/Trojan2.IGSZ 20121202
F-Secure Trojan.Generic.2505913 20121203
Fortinet W32/VBInjector.fam!tr 20121203
GData Trojan.Generic.2505913 20121203
Ikarus Trojan.Win32.VB 20121203
Jiangmin Trojan/VB.msp 20121203
K7AntiVirus Trojan 20121130
Kaspersky Packed.Win32.CPEX-based.ht 20121203
Kingsoft Win32.Troj.Generic_01.k 20121119
Malwarebytes Trojan.VB 20121202
McAfee W32/Hamweq.worm.aw 20121203
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious-BAY.K 20121203
Microsoft Worm:Win32/Hamweq.BE 20121203
MicroWorld-eScan Trojan.Generic.2505913 20121203
NANO-Antivirus Trojan.Win32.VB.pjib 20121203
Norman W32/Obfuscated.A!genr 20121203
nProtect Trojan.Generic.2505913 20121203
Panda Generic Trojan 20121202
Rising Worm.Win32.VobfusEx.d 20121203
Sophos Mal/VB-AB 20121203
SUPERAntiSpyware Trojan.Agent/Gen-Injector 20121202
TheHacker Trojan/VB.gtw 20121202
TotalDefense Win32/VBInject.Stub 20121202
TrendMicro TROJ_VB.GSD 20121203
TrendMicro-HouseCall TROJ_VB.GSD 20121203
VBA32 SScope.Trojan.VBRA.18641 20121130
VIPRE Trojan.Win32.Buzus (v) 20121203
ViRobot Trojan.Win32.A.VB.107018 20121203

Behavior

Boot survival / Persistence

  • Creates or modifies windows services
    • Source: C:\system.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • Creates an undocumented autostart registry key
    • Source: C:\WINDOWS\explorer.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{99RST9C2-4FCB-12CF-AAX5-62CB1C636512} StubPath
  • Drops PE files
    • Source: C:\WINDOWS\explorer.exe;File created: C:\RECYCLER\S-1-5-21-5311846712-4121495154-682003330-5111\system.exe

Obfuscation / Evasion

  • Data obfuscation
    • Binary may include packed or crypted data
    • PE file contains sections with non-standard names
    • PE sections with suspicious entropy found
  • HIPS / PFW / Operating System Protection Evasion:
    • Allocates memory in foreign processes
    • Benign windows process drops PE files
    • Changes memory attributes in foreign processes to executable or writable
    • Creates a thread in another existing process (thread injection)
    • Modifies the context of a thread in another process (thread injection)
    • Writes to foreign memory regions
  • Anti Debugging:
    • Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
    • Creates guard pages, often used to prevent reverse engineering and debugging
    • Enables debug privileges
    • Found dropped PE file which has not been started or loaded
  • Virtual Machine Detection:
    • Queries a list of all running processes
  • Hooking and other Techniques for Stealthness and Protection:
    • Creates files in the recycle bin to hide itself
  • Lowering of HIPS / PFW / Operating System Security Settings:
    • Modifies the windows firewall Show sources

Language, Device and Operating System Detection

  • Queries the cryptographic machine GUID

System Summary

  • Creates files inside the user directory
  • Executable uses VB runtime library 6.0 (Probably coded in Visual Basic)
  • Spawns processes
  • Writes ini files
  • Creates mutexes: Mutant created: \BaseNamedObjects\uya-1+841RST__

Network behavior

  • 195.186.4.121:53/udp
  • DNS queries for: microdot.laweb.es

Links


Comments

blog comments powered by Disqus