F58e4ab00f9d82c5376c2555038cd693
Global information
- SHA256: fe93192d61cdf35a0e433ee0190714d76a08f2a6f3dfa3fd416a17c28be315a0
- SHA1: f4d4c1c13ebd496221aa8ff7eb0bba04c02f7144
- MD5: f58e4ab00f9d82c5376c2555038cd693
- File size: 180.5 KB ( 184842 bytes )
- File name: system.exe
- File type: Win32 EXE
- Tags: peexe
- Location: C:\recycler\S-1-5-21-5311846712-4121495154-682003330-5111\system.exe
Detection
Detection ratio: 42 / 46 (2012-12-03 07:39:37 UTC)
| Antivirus | Result | Update (YYYYMMDD) |
|---|---|---|
| Agnitum | Trojan.VBInject.Gen.7 | 20121202 |
| AhnLab-V3 | Trojan/Win32.Xema | 20121203 |
| AntiVir | BDS/VB.AD | 20121203 |
| Antiy-AVL | Trojan/Win32.VB.gen | 20121202 |
| Avast | Win32:VB-PPJ [Drp] | 20121203 |
| AVG | Injector.BGP | 20121203 |
| BitDefender | Trojan.Generic.2505913 | 20121203 |
| ByteHero | Virus.Win32.Heur.p | 20121130 |
| ClamAV | Trojan.VB-5042 | 20121202 |
| Commtouch | W32/Trojan2.IGSZ | 20121203 |
| Comodo | Backdoor.Win32.Delf.~DF | 20121203 |
| DrWeb | Trojan.Inject.549 | 20121203 |
| Emsisoft | Trojan.Generic.2505913 (B) | 20121203 |
| ESET-NOD32 | a variant of Win32/Injector.ACQ | 20121202 |
| F-Prot | W32/Trojan2.IGSZ | 20121202 |
| F-Secure | Trojan.Generic.2505913 | 20121203 |
| Fortinet | W32/VBInjector.fam!tr | 20121203 |
| GData | Trojan.Generic.2505913 | 20121203 |
| Ikarus | Trojan.Win32.VB | 20121203 |
| Jiangmin | Trojan/VB.msp | 20121203 |
| K7AntiVirus | Trojan | 20121130 |
| Kaspersky | Packed.Win32.CPEX-based.ht | 20121203 |
| Kingsoft | Win32.Troj.Generic_01.k | 20121119 |
| Malwarebytes | Trojan.VB | 20121202 |
| McAfee | W32/Hamweq.worm.aw | 20121203 |
| McAfee-GW-Edition | Heuristic.BehavesLike.Win32.Suspicious-BAY.K | 20121203 |
| Microsoft | Worm:Win32/Hamweq.BE | 20121203 |
| MicroWorld-eScan | Trojan.Generic.2505913 | 20121203 |
| NANO-Antivirus | Trojan.Win32.VB.pjib | 20121203 |
| Norman | W32/Obfuscated.A!genr | 20121203 |
| nProtect | Trojan.Generic.2505913 | 20121203 |
| Panda | Generic Trojan | 20121202 |
| Rising | Worm.Win32.VobfusEx.d | 20121203 |
| Sophos | Mal/VB-AB | 20121203 |
| SUPERAntiSpyware | Trojan.Agent/Gen-Injector | 20121202 |
| TheHacker | Trojan/VB.gtw | 20121202 |
| TotalDefense | Win32/VBInject.Stub | 20121202 |
| TrendMicro | TROJ_VB.GSD | 20121203 |
| TrendMicro-HouseCall | TROJ_VB.GSD | 20121203 |
| VBA32 | SScope.Trojan.VBRA.18641 | 20121130 |
| VIPRE | Trojan.Win32.Buzus (v) | 20121203 |
| ViRobot | Trojan.Win32.A.VB.107018 | 20121203 |
Behavior
Boot survival / Persistence
- Creates or modifies Windows services
  - Source: C:\system.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Creates an undocumented autostart registry key
  - Source: C:\WINDOWS\explorer.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{99RST9C2-4FCB-12CF-AAX5-62CB1C636512} StubPath
- Drops PE files
  - Source: C:\WINDOWS\explorer.exe; File created: C:\RECYCLER\S-1-5-21-5311846712-4121495154-682003330-5111\system.exe
Obfuscation / Evasion
- Data obfuscation:
  - Binary may include packed or crypted data
  - PE file contains sections with non-standard names
  - PE sections with suspicious entropy found
- HIPS / PFW / Operating System Protection Evasion:
  - Allocates memory in foreign processes
  - Benign Windows process drops PE files
  - Changes memory attributes in foreign processes to executable or writable
  - Creates a thread in another existing process (thread injection)
  - Modifies the context of a thread in another process (thread injection)
  - Writes to foreign memory regions
- Anti Debugging:
  - Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  - Creates guard pages, often used to prevent reverse engineering and debugging
  - Enables debug privileges
  - Found dropped PE file which has not been started or loaded
- Virtual Machine Detection:
  - Queries a list of all running processes
- Hooking and other Techniques for Stealth and Protection:
  - Creates files in the recycle bin to hide itself
- Lowering of HIPS / PFW / Operating System Security Settings:
  - Modifies the Windows firewall
Language, Device and Operating System Detection
- Queries the cryptographic machine GUID
System Summary
- Creates files inside the user directory
- Executable uses VB runtime library 6.0 (Probably coded in Visual Basic)
- Spawns processes
- Writes ini files
- Creates mutexes: Mutant created: \BaseNamedObjects\uya-1+841RST__
Network behavior
- 195.186.4.121:53/udp
- DNS queries for: microdot.laweb.es
Links
- Virustotal: https://www.virustotal.com/en/file/fe93192d61cdf35a0e433ee0190714d76a08f2a6f3dfa3fd416a17c28be315a0/analysis/
- Download: https://www.dropbox.com/s/6z6ahbno4kbywsi/f58e4ab00f9d82c5376c2555038cd693-system.exe.zip?dl=0 (pass: infected)
- ThreatExpert: http://www.threatexpert.com/report.aspx?md5=f58e4ab00f9d82c5376c2555038cd693