ThreatScope Analysis Report
For file wpbt0.dll uploaded 2012-09-18 at 07:50:38 PM
Threat level: Malicious
Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.
| Threat | Assessment | |
|---|---|---|
|
Process events show characteristics of a userland rootkit |
|
|
Traffic shows characteristics of a malware family [Zeus] |
|
|
Drops and runs executable file(s) in a directory of the user profile often used by malware |
|
|
Injects and executes code in remote process(es) |
|
|
Traffic to server hosting malicious content |
|
|
Drops executable file(s) |
|
|
Traffic to uncategorized server |
|
|
Writes to the filesystem in a directory of the user profile often used by malware |
|
|
Executes the Windows command shell program |
|
Screenshots: None
File details:
Hash MD5 |
3408a52d91fe1b5587f45bdc64dd3dab |
File size |
84.00 KB |
|
Hash SHA-1 |
13f01e561b006eeb1d8db1454765d5e079df4611 |
File uploaded |
2012-09-18 07:50:38 PM |
|
Hash SHA-256 |
4a3829d90df0244d222a9805ed4bcdc0541a10cb5ddd6a6dec1ad8dfaf50e1b0 |
Report created |
2012-09-18 07:52:32 PM |
|
Technical Details
Requested HTTP URLs
The analyzed file requests the following URLs.
URL |
IP Address |
Category |
May include user agent string, HTTP server, or encryption information. Details |
Method |
The first item is the response type (e.g. 200, meaning OK). The second item is the size of the response. Status |
The first item is the server-declared content type. The second item is the true content type. MIME |
|
|---|---|---|---|---|---|---|---|
|
59.90.221.6:8080/mx/5/A/in/ |
India |
|
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
nginx/1.0.10
Request |
POST |
200 |
text/html; charset=UTF-8 |
|
|
178.77.76.102:8080/mx/5/A/in/ |
Germany |
|
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
nginx/1.0.10
Request, Response |
POST |
200 |
text/html; charset=UTF-8 |
|
Resolved hostnames
DNS was not used to resolve any hostnames.
IP addresses
The analyzed file requests the following IP addresses.
IP Address |
ASN |
|
|---|---|---|
59.90.221.6 |
India |
|
178.77.76.102 |
Germany |
|
File system modifications
The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.
Event |
File path |
|
|---|---|---|
Creates file |
c:\Documents and Settings\Administrator\Application Data\KB01049188.exe |
|
Writes file |
c:\Documents and Settings\Administrator\Application Data\KB01049188.exe |
|
Creates file |
c:\Documents and Settings\Administrator\Local Settings\Temp\exp1.tmp.bat |
|
Writes file |
c:\Documents and Settings\Administrator\Local Settings\Temp\exp1.tmp.bat |
|
Opens file |
c:\Documents and Settings\Administrator\Application Data\KB01049188.exe |
|
Opens file |
c:\Documents and Settings\Administrator\Local Settings\Temp\exp1.tmp.bat |
|
Writes file |
c:\Documents and Settings\Administrator\Application Data\KB01049188.exe |
|
Creates file |
c:\Documents and Settings\Administrator\Local Settings\Temp\exp3.tmp.bat |
|
Writes file |
c:\Documents and Settings\Administrator\Local Settings\Temp\exp3.tmp.bat |
|
Opens file |
c:\Documents and Settings\Administrator\Local Settings\Temp\exp3.tmp.bat |
|
Process modifications
The analyzed file affected the following system processes.
Event |
File path |
|
|---|---|---|
Creates process |
Sample started |
|
Creates process |
C:\WINDOWS\system32\cmd.exe |
|
Creates process |
C:\Documents and Settings\Administrator\Application Data\KB01049188.exe |
|
Writes to remote process memory |
C:\WINDOWS\explorer.exe |
|
Creates thread in remote process |
C:\WINDOWS\explorer.exe |
|
Writes to remote process memory |
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe |
|
Creates thread in remote process |
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe |
|
Writes to remote process memory |
C:\Program Files\Norman\Npm\Bin\Zlh.exe |
|
Creates thread in remote process |
C:\Program Files\Norman\Npm\Bin\Zlh.exe |
|
Creates process |
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp2.tmp |
|
Registry
No Windows Registry changes were made.
Global system events
The following global system events were detected.
Event |
Name |
|
|---|---|---|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}3dab.exe |
|
Creates event |
Local\XME00000794 |
|
Creates mutex |
Local\XMM00000794 |
|
Creates mutex |
Local\XMI00000794 |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}3dab.exe |
|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}ication Data\KB01049188.exe |
|
Creates mutex |
SHIMLIB_LOG_MUTEX |
|
Creates event |
DINPUTWINMM |
|
Creates event |
Global\userenv: User Profile setup eventE1}ication Data\KB01049188.exe |
|
Creates event |
Local\XME0000011C |
|
Creates mutex |
Local\XMM0000011C |
|
Creates mutex |
Local\XMI0000011C |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}ication Data\KB01049188.exe |
|
Creates event |
Local\XME000006A8 |
|
Creates mutex |
Local\XMM000006A8 |
|
Creates mutex |
Local\XMI000006A8 |
|
Creates event |
Local\XME00000524 |
|
Creates mutex |
Local\XMM00000524 |
|
Creates mutex |
Local\XMI00000524 |
|
Creates event |
Local\XME0000053C |
|
Creates mutex |
Local\XMQC59064A4 |
|
Creates mutex |
Local\XMRC59064A4 |
|
Creates mutex |
Local\XMM0000053C |
|
Creates event |
Local\XMBC59064A4 |
|
Creates mutex |
Local\XMI0000053C |
|
Creates mutex |
Local\XMSC59064A4 |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D} |
|
Creates mutex |
c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
|
Creates mutex |
c:!documents and settings!administrator!cookies! |
|
Creates semaphore |
shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}der_sl.exe |
|
Creates mutex |
c:!documents and settings!administrator!local settings!history!history.ie5! |
|
Creates mutex |
WininetConnectionMutex |
|
Creates mutex |
RasPbFile |
|
Creates event |
Local\XMFC59064A4 |
|
Creates semaphore |
shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1} |
|
Creates event |
Local\XME00000500 |
|
Creates mutex |
Local\XMM00000500 |
|
Creates mutex |
Local\XMI00000500 |
|
Creates event |
Local\XME00000688 |
|
Creates mutex |
Local\XMM00000688 |
|
Creates mutex |
Local\XMI00000688 |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_Cp eventE1}ication Data\KB01049188.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_Cp eventE1}ication Data\KB01049188.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_Crator\Application Data\KB01049188.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_C0C90312E1}ication Data\KB01049188.exe |
|
Creates event |
Local\XME00000700 |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_C0C90312E1}ication Data\KB01049188.exe |
|
Creates mutex |
Local\XMM00000700 |
|
Creates mutex |
Local\XMI00000700 |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_Crator\Application Data\KB01049188.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_C02B30309D}ication Data\KB01049188.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_C02B30309D}ication Data\KB01049188.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_C |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_C |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_CReader\reader_sl.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_9_Ch.exe |
|
Creates event |
Global\SEM32_EVENT_NUPDEXPIAPI_8_Ch.exe |
|
Forcepoint has made an effort to determine if your submission is malicious however, Forcepoint cannot guarantee the accuracy of the result
Copyright © 2024 Forcepoint, Inc. All rights reserved
Malicious Web Sites
Uncategorized
Follow Forcepoint on Facebook, Twitter and Security Labs
Facebook Twitter Security Labs