(cache) Antivirus scan for dbe45c0e9b2412cc17116c667809895e at 2013-02-05 00:04:52 UTC

Antivirus	Result	Update
MicroWorld-eScan	Trojan.Agent.AYJT	20130205
nProtect	-	20130204
CAT-QuickHeal	(Suspicious) - DNAScan	20130204
McAfee	RDN/Generic.bfr!d	20130205
Malwarebytes	Trojan.Ransom.ED	20130204
K7AntiVirus	-	20130204
TheHacker	-	20130205
Agnitum	-	20130204
F-Prot	-	20130201
Symantec	Trojan.Zbot	20130205
Norman	Injector.DDPE	20130204
TotalDefense	-	20130204
TrendMicro-HouseCall	TROJ_GEN.R47H1B4	20130204
Avast	-	20130205
eSafe	-	20130204
ClamAV	-	20130205
Kaspersky	Trojan-Spy.Win32.Zbot.isgd	20130204
BitDefender	Trojan.Agent.AYJT	20130205
NANO-Antivirus	-	20130204
ViRobot	-	20130204
ByteHero	-	20130204
Emsisoft	PWS.Win32.Zbot.AMN (A)	20130205
Comodo	-	20130204
F-Secure	-	20130204
DrWeb	Trojan.Winlock.6412	20130205
VIPRE	Win32.Malware!Drop	20130204
AntiVir	-	20130204
TrendMicro	-	20130205
McAfee-GW-Edition	Artemis!DBE45C0E9B24	20130204
Sophos	-	20130204
Jiangmin	-	20121221
Antiy-AVL	-	20130204
Kingsoft	Win32.Troj.Zbot.is.(kcloud)	20130204
Microsoft	PWS:Win32/Zbot.gen!Y	20130204
SUPERAntiSpyware	-	20130204
GData	Trojan.Agent.AYJT	20130205
Commtouch	-	20130204
AhnLab-V3	-	20130204
VBA32	-	20130204
PCTools	Trojan.Zbot	20130204
ESET-NOD32	Win32/Spy.Zbot.YW	20130204
Rising	-	20130204
Ikarus	Trojan-PWS.Win32.Zbot	20130204
Fortinet	W32/Zbot.ANQ!tr	20130205
AVG	-	20130204
Panda	Suspicious file	20130204

You have not signed in. Only registered users can leave comments, sign in and have a voice!

ssdeep

3072:Y1KB13fQa57HR8fCJvgH3cIqBuh50+toivBjGjFil/rQkvM:Y1KX3P57mfCJvgPqUvRoISjFil/rzk

TrID

Win32 Dynamic Link Library (generic) (65.4%)
Generic Win/DOS Executable (17.2%)
DOS Executable Generic (17.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:08:07 07:08:52+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 32768
LinkerVersion............: 11.1
EntryPoint...............: 0x8bc5
InitializedDataSize......: 119296
SubsystemVersion.........: 5.1
ImageVersion.............: 0.0
OSVersion................: 5.1
UninitializedDataSize....: 0

Sigcheck

verified.................:

Portable Executable structural information

Compilation timedatestamp.....: 2012-08-07 06:08:52
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00008BC5

PE Sections...................:

Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text                  4096         32438     32768     7.27  d76cc2d229bbb68de4afd88dda0d0c49
.crt                  36864         80189     80384     6.77  d499e4d4de87a00ad373fa4b4d54ddb5
.dlgi                118784            64       512     0.72  71ab7b529df2d31bb0ea17cca3e80018
.data                122880        154624     31744     6.79  aa159f768146fe5c39e503eb404b35a5
.rsrc                278528          3308      3584     4.26  e7c3c8ba1c43f3b02ddc5f93365555c8
.reloc               282624          2786      3072     6.34  970eb740fa6d3ed136381269eccff17d

PE Imports....................:

[[KERNEL32.dll]]
GetWindowsDirectoryW

[[SHLWAPI.dll]]
PathIsSameRootW, PathIsURLA

[[USER32.dll]]
UnhookWindowsHookEx, GetMessagePos, IsWindowVisible, RegisterWindowMessageA


PE Exports....................:

TimersContacE, ?NervanGonesty@@YG_JEPAXUfurrone2897320391401938091831@@WE, ?NervanLogicalA@@YG_JEPAXUfurrone2897320391401938091831@@WE, ?NervanLogicalW@@YG_JEPAXUfurrone2897320391401938091831@@WE, ?NervanMathOP@@YG_JEPAXUfurrone2897320391401938091831@@WE

PE Resources..................:

Resource type            Number of resources
RT_BITMAP                2
RT_CURSOR                2
RT_GROUP_CURSOR          1

Resource language        Number of resources
ENGLISH US               5

Symantec Reputation

Suspicious.Insight

F-Secure Deepguard

Suspicious:W32/Malware!Online

First seen by VirusTotal

2013-02-04 12:28:03 UTC ( 13 時間, 38 分 ago )

Last seen by VirusTotal

2013-02-05 00:35:17 UTC ( 1 時間, 30 分 ago )

File names (max. 25)

about.exe
invoiceTHGDH13RTJ24MXSGE1.JPG.exe
file-5104217_exe
test29876430457089.bin
hi.exe
javaupdate.exe
readme.exe
JavaJREInstaller.exe-pPWcXv
9342646
9342645
9342644
9342643
calc.exe
output.9342646.txt

The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

File system activity

Opened files...

\\.\PIPE\lsarpc (successful)
C:\WINDOWS\ (successful)
\\.\MountPointManager (successful)
C:\bd425e2fe69b29bf4480112ce0480760a75ecf25dfab0539cbab83d76fbe857a (successful)
C:\Documents and Settings\<USER>\Application Data\Ryro\lybiyp.exe (successful)
C:\Documents and Settings\<USER>\Application Data\Gynohui\ruhyqi.asl (successful)
C:\Documents and Settings\<USER>\Application Data (successful)
C:\Documents and Settings\<USER>\Application Data\Ryro (failed)
C:\Documents and Settings\<USER>\Application Data\Gynohui (failed)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp3ffaebcd.bat (successful)
C:\WINDOWS\system32\cmd.exe (successful)
c:\autoexec.bat (successful)
C:\WINDOWS\WindowsShell.Manifest (successful)
C:\Documents and Settings\<USER>\Application Data\Microsoft\Address Book\<USER>.wab (successful)
C:\Documents and Settings\<USER>\Local Settings\Application Data\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Microsoft\Outlook Express\Folders.dbx (successful)
C:\Documents and Settings\<USER>\Local Settings\Application Data\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Microsoft\Outlook Express\Inbox.dbx (successful)
C:\WINDOWS\WindowsShell.manifest (successful)
C:\Documents and Settings\<USER>\Local Settings\Application Data\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Microsoft\Outlook Express\Offline.dbx (successful)
C:\WINDOWS\system32\mlang.dat (successful)
C:\Documents and Settings\<USER>\Local Settings\Application Data\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Microsoft\Outlook Express\Sent Items.dbx (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\MPS1.tmp (successful)
C:\Documents and Settings\<USER>\Application Data\Gynohui\ruhyqi.tmp (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp5b9879be\Psupdate.exe (successful)

Read files...

C:\bd425e2fe69b29bf4480112ce0480760a75ecf25dfab0539cbab83d76fbe857a (successful)
C:\Documents and Settings\<USER>\Application Data\Ryro\lybiyp.exe (successful)
c:\autoexec.bat (successful)
C:\Documents and Settings\<USER>\Application Data\Microsoft\Address Book\<USER>.wab (successful)
C:\Documents and Settings\<USER>\Application Data\Gynohui\ruhyqi.tmp (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp5b9879be\Psupdate.exe (successful)

Written files...

C:\Documents and Settings\<USER>\Application Data\Ryro\lybiyp.exe (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp3ffaebcd.bat (successful)
C:\Documents and Settings\<USER>\Application Data\Microsoft\Address Book\<USER>.wab (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\MPS1.tmp (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp5b9879be\Psupdate.exe (successful)

Copied files...

SRC: C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\MPS1.tmp
DST: C:\Documents and Settings\<USER>\Application Data\Microsoft\Address Book\<USER>.wab~ (successful)

Deleted files...

C:\Documents and Settings\<USER>\Local Settings\Application Data\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Microsoft\Outlook Express\Inbox.dbx (successful)
C:\Documents and Settings\<USER>\Local Settings\Application Data\Identities\{B0BB3B42-3666-47AA-8D85-B94B99DB4C9B}\Microsoft\Outlook Express\Sent Items.dbx (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\MPS1.tmp (successful)
C:\Documents and Settings\<USER>\Application Data\Gynohui\ruhyqi.tmp (successful)

Registry activity

Set keys...

KEY:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\explorer.exe
TYPE:  REG_SZ
VALUE: %windir%\explorer.exe (successful)

KEY:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\explorer.exe
TYPE:  REG_SZ
VALUE: %windir%\explorer.exe (successful)

Process activity

Created processes...

C:\Documents and Settings\<USER>\Application Data\Ryro\lybiyp.exe"" (successful)
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp3ffaebcd.bat"" (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp5b9879be\Psupdate.exe C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp5b9879be\Psupdate.exe" " (failed)

Shell commands...

((null)) C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp5b9879be\Psupdate.exe(null) [(null)] (successful)

Code injections in the following processes...

explorer.exe (successful)
VBoxTray.exe (successful)
python.exe (successful)
Psupdate.exe (successful)
lybiyp.exe (successful)

Mutex activity

Created mutexes...

Global\{40A337F4-2BB8-2CD5-CB58-0DCBD23068AD} (successful)
Local\{5EA1449A-58D6-32D7-CB58-0DCBD23068AD} (successful)
Global\{7C046D28-7164-1072-41C2-DC5A58AAB93C} (successful)
Global\{7C046D28-7164-1072-35C3-DC5A2CABB93C} (successful)
Global\{7C046D28-7164-1072-0DC0-DC5A14A8B93C} (successful)
Global\{7C046D28-7164-1072-25C0-DC5A3CA8B93C} (successful)
Global\{7C046D28-7164-1072-C9C0-DC5AD0A8B93C} (successful)
Global\{7C046D28-7164-1072-DDC0-DC5AC4A8B93C} (successful)
Global\{7C046D28-7164-1072-71C1-DC5A68A9B93C} (successful)
Global\{7C046D28-7164-1072-25C1-DC5A3CA9B93C} (successful)
Global\{7C046D28-7164-1072-FDC1-DC5AE4A9B93C} (successful)
Global\{7C046D28-7164-1072-5DC6-DC5A44AEB93C} (successful)
Global\{7C046D28-7164-1072-01C6-DC5A18AEB93C} (successful)
Global\{7C046D28-7164-1072-2DC6-DC5A34AEB93C} (successful)
Global\{7C046D28-7164-1072-F1C7-DC5AE8AFB93C} (successful)
Global\{7C046D28-7164-1072-75C4-DC5A6CACB93C} (successful)
Global\{7C046D28-7164-1072-21C4-DC5A38ACB93C} (successful)
Global\{7C046D28-7164-1072-B9C5-DC5AA0ADB93C} (successful)
Global\{7C046D28-7164-1072-A9C1-DC5AB0A9B93C} (successful)
Global\{7C046D28-7164-1072-ADC6-DC5AB4AEB93C} (successful)
Global\{7C046D28-7164-1072-E1C4-DC5AF8ACB93C} (successful)
Global\{7C046D28-7164-1072-31C5-DC5A28ADB93C} (successful)
RasPbFile (failed)
MPSWabDataAccessMutex (successful)
MPSWABOlkStoreNotifyMutex (successful)
MSIdent Logon (successful)
OutlookExpress_InstanceMutex_101897 (successful)
microsoft_thor_folder_notifyinfo_mutex (successful)
c:_documents and settings_<USER>_local settings_application data_identities_{b0bb3b42-3666-47aa-8d85-b94b99db4c9b}_microsoft_outlook express_folders.dbx_directdbmutex (successful)
c:_documents and settings_<USER>_local settings_application data_identities_{b0bb3b42-3666-47aa-8d85-b94b99db4c9b}_microsoft_outlook express_inbox.dbx_directdbmutex (successful)
c:_documents and settings_<USER>_local settings_application data_identities_{b0bb3b42-3666-47aa-8d85-b94b99db4c9b}_microsoft_outlook express_offline.dbx_directdbmutex (successful)
c:_documents and settings_<USER>_local settings_application data_identities_{b0bb3b42-3666-47aa-8d85-b94b99db4c9b}_microsoft_outlook express_sent items.dbx_directdbmutex (successful)
Global\{5B965B6B-4727-37E0-CB58-0DCBD23068AD} (successful)
Global\{21ED5495-48D9-4D9B-CB58-0DCBD23068AD} (successful)
Global\{7C046D28-7164-1072-91C7-DC5A88AFB93C} (successful)

Opened mutexes...

Local\{29817068-6C24-45F7-CB58-0DCBD23068AD} (failed)
ShimCacheMutex (successful)
RasPbFile (successful)

Application windows activity

Searched windows...

CLASS: Shell_TrayWnd
NAME:  (null)

CLASS: MS_AutodialMonitor
NAME:  (null)

CLASS: MS_WebcheckMonitor
NAME:  (null)

Windows service activity

Opened service managers...

MACHINE:  localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)

Opened services...

RASMAN (successful)
ProtectedStorage (successful)

Runtime DLLs

shlwapi (successful)
high_level-code3984 (failed)
segment+level398092 (failed)
kernel32.dll (successful)
user32.dll (successful)
advapi32.dll (successful)
shlwapi.dll (successful)
shell32.dll (successful)
secur32.dll (successful)
ole32.dll (successful)
gdi32.dll (successful)
ws2_32.dll (successful)
crypt32.dll (successful)
wininet.dll (successful)
oleaut32.dll (successful)
netapi32.dll (successful)
rpcrt4.dll (successful)
version.dll (successful)
comctl32.dll (successful)
rasapi32.dll (successful)
rtutils.dll (successful)
userenv.dll (successful)
sensapi.dll (successful)
c:\windows\system32\acctres.dll (successful)
c:\program files\common files\system\wab32res.dll (successful)
c:\program files\common files\system\wab32.dll (successful)
ntdll.dll (successful)
urlmon.dll (successful)
c:\windows\system32\mswsock.dll (successful)
dnsapi.dll (successful)
c:\windows\system32\msidntld.dll (successful)
c:\windows\explorer.exe (successful)
pstorec.dll (successful)
c:\windows\system32\inetres.dll (successful)
c:\program files\outlook express\msoeres.dll (successful)
shdocvw.dll (successful)
rasadhlp.dll (successful)
c:\windows\system32\msoeacct.dll (successful)
mlang.dll (successful)
c:\windows\system32\winrnr.dll (successful)
iphlpapi.dll (successful)

Additional details

The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

Network activity

HTTP requests...

URL:  http://web.wwwdnsup.com/web/newsfeeds.php
TYPE: POST
UA:   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

URL:  http://web.wwwdnsup.com/web/xmlfeed.php
TYPE: POST
UA:   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

URL:  http://track.www-myups.net/WebTracking/Psupdate.exe
TYPE: GET
UA:   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

DNS requests...

web.wwwdnsup.com (46.17.97.54)
track.www-myups.net (122.155.13.130)

TCP connections...

46.17.97.54:80
122.155.13.130:80

UDP communications...

<MACHINE_DNS_SERVER>:53

SHA256:	bd425e2fe69b29bf4480112ce0480760a75ecf25dfab0539cbab83d76fbe857a
SHA1:	ebeb85e6cb7319fe5aebc4b8a3e8a33f21d43fcb
MD5:	dbe45c0e9b2412cc17116c667809895e
File size:	149.5 KB ( 153088 bytes )
File name:	invoiceTHGDH13RTJ24MXSGE1.JPG.exe
File type:	Win32 EXE
Tags:	peexe
Detection ratio:	21 / 46
Analysis date:	2013-02-05 00:04:52 UTC ( 2 時間, 1 分 ago ) View latest

Leave your comment...