ThreatScope Analysis Report
For file scan.exe uploaded 2012-09-27 at 12:32:44 PM
Threat level: Malicious
Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.
| Threat | Assessment | |
|---|---|---|
|
Process events show characteristics of a userland rootkit |
|
|
Traffic shows characteristics of a malware family [Zeus] |
|
|
Drops and runs executable file(s) in a directory of the user profile often used by malware |
|
|
Injects and executes code in remote process(es) |
|
|
Drops executable file(s) |
|
|
Traffic to uncategorized server |
|
|
Writes to the filesystem in a directory of the user profile often used by malware |
|
|
Executes the Windows command shell program |
|
Screenshots: None
File details:
Hash MD5 |
d4c6d1c7573319f4cca7d41ddbe56421 |
File size |
1.33 MB |
|
Hash SHA-1 |
f077dc07e0fad973633eef187287c41000d7438e |
File uploaded |
2012-09-27 12:32:44 PM |
|
Hash SHA-256 |
2373c8cb97ba5bd2a9bd5451de02f872c4444c1689b8d4021a7fd3945835da7b |
Report created |
2012-09-27 12:34:31 PM |
|
Technical Details
Requested HTTP URLs
The analyzed file requests the following URLs.
URL |
IP Address |
Category |
May include user agent string, HTTP server, or encryption information. Details |
Method |
The first item is the response type (e.g. 200, meaning OK). The second item is the size of the response. Status |
The first item is the server-declared content type. The second item is the true content type. MIME |
|
|---|---|---|---|---|---|---|---|
|
www.google.com/webhp |
United States |
|
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
gws |
GET |
200 |
text/html; charset=UTF-8 |
|
|
marytaylor.ca/zcp/admin/server |
United States |
|
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Request |
POST |
200 |
text/html |
|
|
marytaylor.ca/zcp/admin/server |
United States |
|
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Response |
GET |
200 |
application/octet-stream |
|
Resolved hostnames
The analyzed file used DNS to resolve the following hostnames.
Hostname |
Category |
IP address |
|
|---|---|---|---|
www.google.com |
|
173.194.79.106 |
|
www.google.com |
|
173.194.79.103 |
|
www.google.com |
|
173.194.79.105 |
|
www.google.com |
|
173.194.79.104 |
|
www.google.com |
|
173.194.79.147 |
|
www.google.com |
|
173.194.79.99 |
|
marytaylor.ca |
|
65.126.238.126 |
|
IP addresses
The analyzed file requests the following IP addresses.
IP Address |
ASN |
|
|---|---|---|
173.194.79.106 |
United States |
|
65.126.238.126 |
United States |
|
65.126.238.126 |
United States |
|
File system modifications
The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.
Event |
File path |
|
|---|---|---|
Creates file |
c:\Documents and Settings\Administrator\Application Data\Bulyhe\vage.exe |
|
Opens file |
c:\Documents and Settings\Administrator\Application Data\Bulyhe\vage.exe |
|
Writes file |
c:\Documents and Settings\Administrator\Application Data\Bulyhe\vage.exe |
|
Creates file |
c:\Documents and Settings\Administrator\Local Settings\Temp\tmp8d1a2b44.bat |
|
Opens file |
c:\Documents and Settings\Administrator\Local Settings\Temp\tmp8d1a2b44.bat |
|
Writes file |
c:\Documents and Settings\Administrator\Local Settings\Temp\tmp8d1a2b44.bat |
|
Process modifications
The analyzed file affected the following system processes.
Event |
File path |
|
|---|---|---|
Creates process |
Sample started |
|
Creates process |
C:\Documents and Settings\Administrator\Application Data\Bulyhe\vage.exe |
|
Creates process |
C:\WINDOWS\system32\cmd.exe |
|
Writes to remote process memory |
C:\WINDOWS\explorer.exe |
|
Creates thread in remote process |
C:\WINDOWS\explorer.exe |
|
Writes to remote process memory |
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe |
|
Creates thread in remote process |
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe |
|
Writes to remote process memory |
C:\Program Files\Norman\Npm\Bin\Zlh.exe |
|
Creates thread in remote process |
C:\Program Files\Norman\Npm\Bin\Zlh.exe |
|
Creates process |
C:\Program Files\Norman\Npm\Bin\customerinfo.exe |
|
Registry
No Windows Registry changes were made.
Global system events
The following global system events were detected.
Event |
Name |
|
|---|---|---|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}6421.exe |
|
Creates event |
||
Creates event |
Global\crypt32LogoffEvent |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}6421.exe |
|
Creates mutex |
Global\{496A26CE-8AF4-D372-855D-59E84F908B95}421.exe |
|
Creates event |
Local\{DBA0418A-EDB0-41B8-855D-59E84F908B95}ication Data\Bulyhe\vage.exe |
|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}ication Data\Bulyhe\vage.exe |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}ication Data\Bulyhe\vage.exe |
|
Creates mutex |
Local\{F3730385-AFBF-696B-855D-59E84F908B95}ication Data\Bulyhe\vage.exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-57C7-C7AD9D0A15D0}cation Data\Bulyhe\vage.exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-D7C6-C7AD1D0B15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-6BC5-C7ADA10815D0} |
|
Creates mutex |
SHIMLIB_LOG_MUTEX |
|
Creates mutex |
Global\{9E48622B-CE11-0450-07C5-C7ADCD0815D0} |
|
Creates event |
DINPUTWINMM |
|
Creates mutex |
Global\{9E48622B-CE11-0450-D7C4-C7AD1D0915D0} |
|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-C3C4-C7AD090915D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-63C3-C7ADA90E15D0} |
|
Creates event |
Global\userenv: User Profile setup event5D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-6FC3-C7ADA50E15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-2BC3-C7ADE10E15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-CBC3-C7AD010E15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-8FC3-C7AD450E15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-07C2-C7ADCD0F15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-C3C2-C7AD090F15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-57C1-C7AD9D0C15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-FFC1-C7AD350C15D0} |
|
Creates mutex |
Global\{B5DF079B-ABA1-2FC7-855D-59E84F908B95} |
|
Creates mutex |
Global\{D30B3382-9FB8-4913-855D-59E84F908B95} |
|
Creates mutex |
Global\{B5DF0794-ABAE-2FC7-855D-59E84F908B95} |
|
Creates mutex |
Global\{51730310-AF2A-CB6B-855D-59E84F908B95} |
|
Creates mutex |
Global\{B933D0A0-7C9A-232B-855D-59E84F908B95} |
|
Creates mutex |
c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
|
Creates mutex |
Global\{B933D0A1-7C9B-232B-855D-59E84F908B95} settings!temporary internet files!content.ie5! |
|
Creates mutex |
c:!documents and settings!administrator!cookies!ttings!temporary internet files!content.ie5! |
|
Creates mutex |
Global\{4670BC47-107D-DC68-855D-59E84F908B95}es!ttings!temporary internet files!content.ie5! |
|
Creates mutex |
Local\{D8D566B4-CA8E-42CD-855D-59E84F908B95}}es!ttings!temporary internet files!content.ie5! |
|
Creates mutex |
c:!documents and settings!administrator!local settings!history!history.ie5!iles!content.ie5! |
|
Creates mutex |
Local\{D8D566B7-CA8D-42CD-855D-59E84F908B95}l settings!history!history.ie5!iles!content.ie5! |
|
Creates mutex |
Global\{D30B3382-9FB8-4913-855D-59E84F908B95} settings!history!history.ie5!iles!content.ie5! |
|
Creates mutex |
WininetConnectionMutex |
|
Creates mutex |
Global\{4670BC47-107D-DC68-855D-59E84F908B95} settings!history!history.ie5!iles!content.ie5! |
|
Creates mutex |
RasPbFile |
|
Creates event |
WAB_Outlook_Event_Refresh_ContactsE84F908B95} settings!history!history.ie5!iles!content.ie5! |
|
Creates event |
WAB_Outlook_Event_Refresh_FolderssE84F908B95} settings!history!history.ie5!iles!content.ie5! |
|
Creates mutex |
MPSWabDataAccessMutex |
|
Creates mutex |
MPSWABOlkStoreNotifyMutex |
|
Creates mutex |
MSIdent Logon |
|
Creates semaphore |
shell._ie_sessioncount |
|
Creates mutex |
OutlookExpress_InstanceMutex_101897 |
|
Creates mutex |
microsoft_thor_folder_notifyinfo_mutex |
|
Creates mutex |
c:_documents and settings_administrator_local settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_folders.dbx_directdbmutex |
|
Creates mutex |
c:_documents and settings_administrator_local settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_inbox.dbx_directdbmutexex |
|
Creates event |
WAB_Outlook_Event_Refresh_Contactsrator_local settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_inbox.dbx_directdbmutexex |
|
Creates event |
WAB_Outlook_Event_Refresh_Folderssrator_local settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_inbox.dbx_directdbmutexex |
|
Creates mutex |
c:_documents and settings_administrator_local settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_offline.dbx_directdbmutex |
|
Creates mutex |
c:_documents and settings_administrator_local settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_sent items.dbx_directdbmutex |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC1-C7AD650C15D0} settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_sent items.dbx_directdbmutex |
|
Creates mutex |
Global\{9E48622B-CE11-0450-77C0-C7ADBD0D15D0} settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_sent items.dbx_directdbmutex |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC0-C7AD650D15D0} settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_sent items.dbx_directdbmutex |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC7-C7AD650A15D0} settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_sent items.dbx_directdbmutex |
|
Creates mutex |
Global\{9E48622B-CE11-0450-C7C6-C7AD0D0B15D0} settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_sent items.dbx_directdbmutex |
|
Creates mutex |
Global\{9E48622B-CE11-0450-6FC2-C7ADA50F15D0} settings_application data_identities_{51b8d42a-1a95-4e99-98e3-0a647f875814}_microsoft_outlook express_sent items.dbx_directdbmutex |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}der_sl.exe |
|
Creates mutex |
Global\{D30B3382-9FB8-4913-855D-59E84F908B95}er_sl.exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-17C2-C7ADDD0F15D0}er_sl.exe |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-97C2-C7AD5D0F15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-D3C1-C7AD190C15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-F3C1-C7AD390C15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-7BC0-C7ADB10D15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-CBC0-C7AD010D15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-5BC6-C7AD910B15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-57C7-C7AD9D0A15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC1-C7AD650C15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-77C0-C7ADBD0D15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC0-C7AD650D15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC7-C7AD650A15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-C7C6-C7AD0D0B15D0} |
|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}.exe |
|
Creates mutex |
Global\SEM32_GNUREDUTT_GLB |
|
Creates mutex |
SEM32_customerinfo-Submit customerinfo312E1}.exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-57C7-C7AD9D0A15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-D7C6-C7AD1D0B15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-6BC5-C7ADA10815D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-07C5-C7ADCD0815D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-D7C4-C7AD1D0915D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-C3C4-C7AD090915D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-63C3-C7ADA90E15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-6FC3-C7ADA50E15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-2BC3-C7ADE10E15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-CBC3-C7AD010E15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-8FC3-C7AD450E15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-07C2-C7ADCD0F15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-C3C2-C7AD090F15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-57C1-C7AD9D0C15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC1-C7AD650C15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-77C0-C7ADBD0D15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC0-C7AD650D15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-AFC7-C7AD650A15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-C7C6-C7AD0D0B15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-6FC2-C7ADA50F15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-17C2-C7ADDD0F15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-97C2-C7AD5D0F15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-D3C1-C7AD190C15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-F3C1-C7AD390C15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-7BC0-C7ADB10D15D0}exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_CADB10D15D0}exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_CADB10D15D0}exe |
|
Creates mutex |
Global\{9E48622B-CE11-0450-6FC2-C7ADA50F15D0} |
|
Creates mutex |
Global\{9E48622B-CE11-0450-17C2-C7ADDD0F15D0} |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_CADB10D15D0} |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_CADB10D15D0} |
|
Forcepoint has made an effort to determine if your submission is malicious however, Forcepoint cannot guarantee the accuracy of the result
Copyright © 2024 Forcepoint, Inc. All rights reserved
Uncategorized
Follow Forcepoint on Facebook, Twitter and Security Labs
Facebook Twitter Security Labs