Download Link:
hxxp://poramor85.t35.com/Mensagem23.exe
File Name: Mensagem23.exe
VirusTotal Result: 17/32 (53.13%)
AntiVir 7.6.0.85 2008.04.11 TR/Spy.Banker.CIL
Avast 4.8.1169.0 2008.04.12 Win32:Trojan-gen {Other}
CAT-QuickHeal 9.50 2008.04.12 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.12 PUA.Packed.UPack-2
eSafe 7.0.15.0 2008.04.09 Suspicious File
F-Prot 4.4.2.54 2008.04.11 W32/Heuristic-CSU!Eldorado
F-Secure 6.70.13260.0 2008.04.11 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.04.12 Spy/VBBanc
Kaspersky 7.0.0.125 2008.04.12 Heur.Trojan.Generic
McAfee 5272 2008.04.11 New Malware.aj
Norman 5.80.02 2008.04.12 W32/Banker.BYNZ
Rising 20.39.52.00 2008.04.12 Trojan.Spy.Bancos.fuj
Sophos 4.28.0 2008.04.12 Mal/Behav-103
Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious
TheHacker 6.2.92.275 2008.04.12 W32/Behav-Heuristic-060
VirusBuster 4.3.26:9 2008.04.11 Packed/Upack
Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Spy.Banker.CIL
File Info:
File size: 227480 bytes
MD5...: 82bb23d71a91b2a85c719a6a095bc139
SHA1..: 65ac0099cc2dbb8c59c6b693bea596f40fbbcf8b
SHA256: fc36909d8aa2e88d63a33b31123e42d22795f92039a501a921adfd146537bb34
SHA512: e8252578222d43e269cd492c85b75989797bd72d972ccbd5bea40572230b4a9a7634bc9a07d646411498f364042f0192d3a6a3434e0a7b28362336ab683a879e
PEiD..: Upack V0.37 -> Dwing
PE Details:
Entry Point Address.: 0x401018
Time Date Stamp.....: 0x4011b0be (Fri Jan 23 23:39:42 2004)
Machine Type.......: 0x14c (I386)
PE Sections
name virtual_addr virtual_size raw_size entropy md5
PS 0x1000 0xa5e000 0x1f0 5.29 b3c401cf8682dc4811f1744ff650cf38
@ 0xa5f000 0x75000 0x6d2e0 8.00 e0f7fefae09cb6af6df14276c4262e8e
@ 0xad4000 0x1000 0x1f0 5.29 b3c401cf8682dc4811f1744ff650cf38
Process Details:
Process ID 1172
Filename C:\Mensagem23.exe
Filesize 227480 bytes
MD5 82bb23d71a91b2a85c719a6a095bc139
Start Reason AnalysisTarget
File System Activity:
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\drwtsn32.exe ()
Find File: drwtsn32.exe
Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoReport"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ShowUI"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "AllOrNone"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeMicrosoftApps"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeWindowsApps"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoTextLog"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeKernelFaults"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeShutdownErrs"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfFaultPipes"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfHangPipes"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "MaxUserQueueSize"
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ForceQueueMode"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
Exception Encountered and Dumping System Memory
Process ID 1244
Filename C:\WINDOWS\system32\drwtsn32 -p 1172 -e 1208 -g
Filesize 45568 bytes
MD5 c9f5e1de6da983e89e714ed80c11f000
Start Reason CreateProcess
New Files Created:
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
Opened Files:
\\.\PIPE\lsarpc
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
C:\WINDOWS\system32\ntdll.pdb
C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb
C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb
C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb\ntdll.pdb
ntdll.pdb
symbols\dll\ntdll.dbg
dll\ntdll.dbg
ntdll.dbg
C:\\WINDOWS\system32\ntdll.dbg
C:\WINDOWS\system32\kernel32.pdb
C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb
C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb
C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb\kernel32.pdb
kernel32.pdb
symbols\dll\kernel32.dbg
dll\kernel32.dbg
kernel32.dbg
C:\\WINDOWS\system32\kernel32.dbg
Deleted Files:
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
Chronological order:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (OPEN_EXISTING)
Create File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
Open File: C:\WINDOWS\system32\ntdll.pdb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb\ntdll.pdb (OPEN_EXISTING)
Open File: ntdll.pdb (OPEN_EXISTING)
Open File: symbols\dll\ntdll.dbg (OPEN_EXISTING)
Open File: dll\ntdll.dbg (OPEN_EXISTING)
Open File: ntdll.dbg (OPEN_EXISTING)
Open File: C:\\WINDOWS\system32\ntdll.dbg (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.pdb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb\kernel32.pdb (OPEN_EXISTING)
Open File: kernel32.pdb (OPEN_EXISTING)
Open File: symbols\dll\kernel32.dbg (OPEN_EXISTING)
Open File: dll\kernel32.dbg (OPEN_EXISTING)
Open File: kernel32.dbg (OPEN_EXISTING)
Open File: C:\\WINDOWS\system32\kernel32.dbg (OPEN_EXISTING)
Create File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
Delete File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
Registry Changes:
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "NumberOfCrashes" = [REG_DWORD, value: 00000001]
Registry Reads:
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "LogFilePath"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "WaveFile"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "CrashDumpFile"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "DumpSymbols"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "DumpAllThreads"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "AppendToLogFile"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "VisualNotification"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "SoundNotification"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "CreateCrashDump"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "Instructions"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "MaximumCrashes"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "CrashDumpType"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion "CurrentType"
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 "Identifier"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows "CSDVersion"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "CurrentBuildNumber"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "CurrentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOrganization"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOwner"
HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "NumberOfCrashes"
Process Management:
Kill Process - Filename () CommandLine: () Target PID: (1172) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1244) As User: () Creation Flags: ()
Enum Processes:
Enum Modules - Target PID: (1172)
Open Process - Filename (C:\Mensagem23.exe) Target PID: (1172)
Open Process - Filename (C:\Mensagem23.exe) Target PID: (1172)
Open Process - Filename () Target PID: (4)
Open Process - Filename () Target PID: (568)
Open Process - Filename () Target PID: (616)
Open Process - Filename () Target PID: (640)
Open Process - Filename () Target PID: (720)
Open Process - Filename () Target PID: (736)
Open Process - Filename () Target PID: (748)
Open Process - Filename () Target PID: (944)
Open Process - Filename () Target PID: (1012)
Open Process - Filename () Target PID: (1104)
Open Process - Filename () Target PID: (1160)
Open Process - Filename () Target PID: (1204)
Open Process - Filename (C:\WINDOWS\system32\userinit.exe) Target PID: (1536)
Open Process - Filename (C:\WINDOWS\Explorer.exe) Target PID: (1552)
Open Process - Filename () Target PID: (1692)
Open Process - Filename () Target PID: (276)
Open Process - Filename (C:\WINDOWS\system32\wscntfy.exe) Target PID: (924)
Open Process - Filename (C:\ClickInstall.exe) Target PID: (724)
Open Process - Filename (C:\WINDOWS\system32\cmd.exe) Target PID: (220)
Open Process - Filename (C:\Mensagem23.exe) Target PID: (1172)
drwtsn32.log details:
Application exception occurred:
App: E:\Infected\Mensagem23.exe (pid=212)
When: 4/13/2008 @ 11:23:40.864
Exception number: c0000005 (access violation)
*----> System Information <----*
Computer Name: SANDBOX
User Name: Administrator
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 15 Model 6 Stepping 5
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Uniprocessor Free
Registered Organization: Malware Analysis
Registered Owner: SandBox
*----> Task List <----*
0 System Process
4 System
320 smss.exe
452 csrss.exe
476 winlogon.exe
536 services.exe
548 lsass.exe
732 svchost.exe
796 svchost.exe
864 svchost.exe
904 svchost.exe
960 svchost.exe
1216 Explorer.EXE
1284 vmusrvc.exe
1336 vmsrvc.exe
1432 SbieSvc.exe
1592 vpcmap.exe
1976 svchost.exe
572 firefox.exe
1504 Regmon.exe
212 Mensagem23.exe
160 drwtsn32.exe
*----> Module List <----*
(0000000000400000 - 0000000000ed5000: E:\Infected\Mensagem23.exe
(0000000077dd0000 - 0000000077e6b000: C:\WINDOWS\system32\ADVAPI32.DLL
(0000000077e70000 - 0000000077f01000: C:\WINDOWS\system32\RPCRT4.dll
(000000007c800000 - 000000007c8f4000: C:\WINDOWS\system32\kernel32.dll
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll
*----> State Dump for Thread Id 0x55c <----*
eax=00000400 ebx=00ecc37c ecx=00000000 edx=ffffffff esi=00ed418c edi=00401000
eip=00ecc1cb esp=0012ffa8 ebp=0012fff0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** WARNING: Unable to verify checksum for E:\Infected\Mensagem23.exe
*** ERROR: Module load completed but symbols could not be loaded for E:\Infected\Mensagem23.exe
function: Mensagem23
00ecc1b7 0000 add [eax],al
00ecc1b9 0000 add [eax],al
00ecc1bb 0000 add [eax],al
00ecc1bd 0000 add [eax],al
00ecc1bf 0000 add [eax],al
00ecc1c1 0000 add [eax],al
00ecc1c3 0000 add [eax],al
00ecc1c5 0000 add [eax],al
00ecc1c7 0000 add [eax],al
00ecc1c9 0000 add [eax],al
FAULT ->00ecc1cb 0000 add [eax],al ds:0023:00000400=??
00ecc1cd 0000 add [eax],al
00ecc1cf 0000 add [eax],al
00ecc1d1 0000 add [eax],al
00ecc1d3 0000 add [eax],al
00ecc1d5 0000 add [eax],al
00ecc1d7 0000 add [eax],al
00ecc1d9 0000 add [eax],al
00ecc1db 0000 add [eax],al
00ecc1dd 0000 add [eax],al
00ecc1df 0000 add [eax],al
*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr Args to Child
0012fff0 00000000 00401018 00000000 78746341 Mensagem23+0xacc1cb
Module Details:
start end module name
00400000 00ed5000 Mensagem23 C (no symbols)
Loaded symbol image file: Mensagem23.exe
Mapped memory image file: E:\Infected\Mensagem23.exe
Image path: E:\Infected\Mensagem23.exe
Image name: Mensagem23.exe
Timestamp: Sat Jan 24 05:09:42 2004 (4011B0BE)
CheckSum: 00000000
ImageSize: 00AD5000
File version: 9.1.0.2
Product version: 9.1.0.2
File flags: 0 (Mask 0)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
Stored Exception Information:
eax=00000400 ebx=00ecc37c ecx=00000000 edx=ffffffff esi=00ed418c edi=00401000
eip=00ecc1cb esp=0012ffa8 ebp=0012fff0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
Mensagem23+0xacc1cb:
00ecc1cb 0000 add byte ptr [eax],al ds:0023:00000400=??