Malware Analysis Forum
Author: maliciousbrains (Site Admin; Joined: Thu Mar 27, 2008 1:06 pm; Posts: 163; Location: India)
Post subject: vertrag.exe
Posted: Sun Apr 13, 2008 2:11 am
File received through mail -

File Name: vertrag.exe
VirusTotal Result: 17/32 (53.12%)

AntiVir 7.6.0.85 2008.04.11 TR/Spy.ZBot.DI
Authentium 4.93.8 2008.04.11 W32/Downldr2.BLMW
AVG 7.5.0.516 2008.04.12 Dropper.Delf.AQP
BitDefender 7.2 2008.04.12 Trojan.Dropper.RTY
CAT-QuickHeal 9.50 2008.04.12 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.12 Trojan.Dropper-5907
eSafe 7.0.15.0 2008.04.09 Suspicious File
F-Prot 4.4.2.54 2008.04.11 W32/Downldr2.BLMW
F-Secure 6.70.13260.0 2008.04.11 Trojan-Spy.Win32.Zbot.awx
Fortinet 3.14.0.0 2008.04.12 W32/Agent.S!tr
Ikarus T3.1.1.26.0 2008.04.12 Packer.Malware.FriCryptor.B
Kaspersky 7.0.0.125 2008.04.12 Trojan-Spy.Win32.Zbot.awx
Microsoft 1.3408 2008.04.12 VirTool:Win32/Fcrypter.gen!A
Norman 5.80.02 2008.04.12 W32/Agent.FEYT
Sophos 4.28.0 2008.04.12 Mal/Dropper-G
Symantec 10 2008.04.12 Infostealer.Banker.C
Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Spy.ZBot.DI

File Info:
File size: 64122 bytes
MD5...: 88c6f4706e5d4a5467cfff38a2624b7b
SHA1..: 2b6b0e81f3fba9ac4f5c207e59c526e8f4fe9337
SHA256: 806546f8fd86461c761033ffc592c71d4e0ea32e191a3f3b6b84fcd467d0420f
SHA512: 9513057232924069b0c0c355c2c940f707b7ec9c3d09cd1c73d8cf7a380c96462ff084f9aa7178516501fd24d997af92a5a176ce947eab1a92d7026bb4081b1e

PE Structure information
Base Data
Entry Point Address.: 0x403f54
Time Date Stamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
Machine Type.......: 0x14c (I386)
PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 000C
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 000030FC
Size of initialized data: 0000C000
Size of uninitialized data: 00000000
Address of entry point: 00003F54
Base of code: 00001000
Base of data: 00004000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0001A000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
CENSORED 00002F70 00001000 00003000 00000400 E0000020
CENSORED 000000C0 00004000 00000200 00003400 C0000040
CENSORED 00000681 00005000 00000000 00003600 C0000000
CENSORED 0000052A 00006000 00000600 000036FF C0000040
CENSORED 00000008 00007000 00000000 00003C00 C0000000
CENSORED 00000018 00008000 00000200 00003C00 D0000040
CENSORED 00000370 00009000 00000400 00003E00 D0000040
CENSORED 0000B088 0000A000 0000B200 00004200 50000040
CENSORED 00001000 00016000 00000200 0000F400 E0000020
CENSORED 00001000 00017000 00000052 0000F600 E0000020
CENSORED 00001000 00018000 FF000066 0000F800 E0000020
CENSORED 00001000 00019000 0000007A 0000FA00 60000020

Process Details:
Filename: vertrag.exe
MD5: 88c6f4706e5d4a5467cfff38a2624b7b
SHA-1: 2b6b0e81f3fba9ac4f5c207e59c526e8f4fe9337
File Size: 64122 Bytes
Command Line: C:\vertrag.exe
Load Time DLL:
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\user32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\advapi32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
Run Time DLL:
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x00890000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\wininet.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\crypt32.dll 0x77A80000 0x00094000
C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\shell32.dll 0x7C9C0000 0x00815000
Registry Values Modified:
Key Name New Value
HKLM\software\microsoft\windows nt\currentversion\winlogon userinit C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
Registry Reads:
Key Name Value Times
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 1
HKLM\software\microsoft\windows nt\currentversion\winlogon userinit C:\WINDOWS\system32\userinit.exe, 2
Files Created:
C:\WINDOWS\system32\ntos.exe
Files Read:
PIPE\lsarpc
Files Modified:
PIPE\lsarpc
Affected Process:
C:\WINDOWS\system32\winlogon.exe
Foreign Memory Accessed:
Process: C:\WINDOWS\system32\winlogon.exe
------------------------------------------------------------------------------
Process Started:
Analysis Reason: vertrag.exe injected a remote thread into this process
Filename: winlogon.exe
Command Line: winlogon.exe
Files Created:
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
pipe\__SYSTEM__64AD0625__
Files Read & Modified:
PIPE\lsarpc
Directory Monitored:
Directory Watch subtree Notify Filter Count
C:\WINDOWS\system32 0 File Name Change,Directory Name Change,Name Change,Size Change,Last Write Change,Creation Change,Stream Size Change,Stream Write Change 1
Process Thread Created:
Affected Process
C:\WINDOWS\system32\svchost.exe
------------------------------------------------------------------------------
Process Started:
Analysis Reason: winlogon.exe injected a remote thread into this process
Filename: svchost.exe
MD5: 8f078ae4ed187aaabc0a305146de6716
SHA-1: da0ff4006859a7580aba81f486f692dead2014fe
File Size: 14336 Bytes
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
Registry Changed:
Key Name New Value
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\WINDOWS\system32\config\systemprofile\Cookies
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders History C:\WINDOWS\system32\config\systemprofile\Local Settings\History
Registry Read:
Key Name Value Times
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile EnableFirewall 0 1
HKLM\Software\Classes\\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32 C:\WINDOWS\system32\hnetcfg.dll 1
HKLM\Software\Classes\\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32 ThreadingModel Both 1
HKLM\Software\Microsoft\COM3 Com+Enabled 1 2
HKLM\Software\Microsoft\COM3 REGDBVersion 0x0f00000000000000 2
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableNegotiate 1 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache %USERPROFILE%\Local Settings\Temporary Internet Files 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies %USERPROFILE%\Cookies 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders History %USERPROFILE%\Local Settings\History 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Signature Client UrlCache MMF Ver 5.2 2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CacheLimit 163410 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix 2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content PerUserItem 1 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CacheLimit 8192 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie: 2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies PerUserItem 1 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CacheLimit 8192 1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited: 2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History PerUserItem 1 1
Monitored Registry Key:
Key Name Watch subtree Notify Filter Count
HKLM\Software\Classes 1 Key Change,Value Change 3
HKLM\Software\Classes\CLSID 1 Key Change,Value Change 2
HKLM\Software\Microsoft\COM3 1 Key Change,Value Change 6
HKU 1 Key Change,Value Change 3
File Read & Modified:
PIPE\lsarpc
------------------------------------------------------------------------------

NETWORK ACTIVITY:
TCP Connection Attempts:
From SandBox:1884 to 207.159.41.205:139
IP Information - 207.159.41.205
IP address: 207.159.41.205
Reverse DNS: [No reverse DNS entry per b.ns.verio.net.]
Reverse DNS authenticity: [Unknown]
ASN: 2914
ASN Name: NTTA-2914
IP range connectivity: 4
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
WHOIS - 207.159.41.205
Location: United States [City: ]
OrgName: NTT America, Inc.
OrgID: NTTAM-1
Address: 8005 South Chester Street
Address: Suite 200
City: Centennial
StateProv: CO
PostalCode: 80112
Country: US
NetRange: 207.159.0.0 - 207.159.63.255
CIDR: 207.159.0.0/18
NetName: NTTA-207-159
NetHandle: NET-207-159-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH21.NS.GIN.NTT.NET
NameServer: AUTH22.NS.GIN.NTT.NET
NameServer: AUTH23.NS.GIN.NTT.NET
NameServer: AUTH24.NS.GIN.NTT.NET
NameServer: AUTH25.NS.GIN.NTT.NET
------------------------------------------------------------------------------
_________________ .:: MaliciousBrains ::.
http://www.malwareinfo.org
There are no patches or service packs for IGNORANCE!!