
ThreatScope Analysis Report

For file about.exe uploaded 2012-10-10 at 11:20:08 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Process events show characteristics of a userland rootkit

Traffic shows characteristics of a malware family [Zeus]

Downloads malicious executable file(s)

Drops and runs executable file(s) in a directory of the user profile often used by malware

Injects and executes code in remote process(es)

Traffic to server hosting malicious content

Drops executable file(s)

Traffic to uncategorized server

Writes to the filesystem in a directory of the user profile often used by malware

Executes the Windows command shell program

Screenshots: None

File details:

Hash MD5:       9223b428b28c7b8033edbb588968eaea
Hash SHA-1:     331477e3db87f1b4385cd0f51691c9446034869f
Hash SHA-256:   12a9156f8b52474f373dc6fe69ddb369649ee06cc5dd939cce57bc33a559bae8
File size:      121.50 KB
File uploaded:  2012-10-10 11:20:08 AM
Report created: 2012-10-10 11:22:08 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs. Details may include the user agent string, HTTP server, or encryption information. Status lists the response type (e.g. 200, meaning OK) first and the size of the response second. MIME lists the server-declared content type first and the true content type second.

URL: inox-neo.es/hJYMm0.exe
IP address: 89.248.110.53 (Spain)
Category: Malicious Web Sites
Details: User agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98); HTTP Server: Microsoft-IIS/6.0
Method: GET
Status: 200, 321.50 KB
MIME: application/octet-stream

URL: 3.azwap.de/forum/viewtopic.php
IP address: 69.194.194.229 (United States)
Category: Uncategorized
Details: User agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98); HTTP Server: nginx/0.7.67; Encrypted: Request
Method: POST
Status: 200, 16 B
MIME: text/html

URL: sportinfinance.com/3J0.exe
IP address: 193.34.130.57 (France)
Category: Uncategorized
Details: User agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98); HTTP Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Method: GET
Status: 200, 321.50 KB
MIME: application/x-msdownload

URL: websiteexperts.com/HmE.exe
IP address: 64.29.145.9 (United States)
Category: Information Technology
Details: User agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98); HTTP Server: Apache
Method: GET
Status: 200, 321.50 KB
MIME: application/x-msdownload

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname             Category                 IP address
3.azwap.de           Uncategorized            69.194.194.229
sportinfinance.com   Uncategorized            193.34.130.57
websiteexperts.com   Information Technology   64.29.145.9
inox-neo.es          Malicious Web Sites      89.248.110.53

IP addresses

The analyzed file requests the following IP addresses.

IP address       ASN                                    Country
89.248.110.53    AS42237 Grupo Interdominios S.A.       Spain
69.194.194.229   AS14670 Solar VPS                      United States
193.34.130.57    AS31555 Groupe MIT S.A.R.L             France
64.29.145.9      AS30447 InternetNamesForBusiness.com   United States

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event          File path
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temp\212856.exe
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temp\212856.exe
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temp\212856.exe
Creates file   c:\Documents and Settings\Administrator\Application Data\Fuxyh\zuge.exe
Opens file     c:\Documents and Settings\Administrator\Application Data\Fuxyh\zuge.exe
Writes file    c:\Documents and Settings\Administrator\Application Data\Fuxyh\zuge.exe
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temp\tmp8118ce08.bat
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temp\tmp8118ce08.bat
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temp\tmp8118ce08.bat
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temp\215720.exe
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temp\215720.exe
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temp\215720.exe
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temp\tmp18654810.bat
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temp\tmp18654810.bat
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temp\tmp18654810.bat
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temp\217532.exe
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temp\217532.exe
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temp\217532.exe
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temp\tmp3d0c3798.bat
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temp\tmp3d0c3798.bat
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temp\tmp3d0c3798.bat
Creates file   c:\Documents and Settings\Administrator\Local Settings\Temp\abcd.bat
Writes file    c:\Documents and Settings\Administrator\Local Settings\Temp\abcd.bat
Opens file     c:\Documents and Settings\Administrator\Local Settings\Temp\abcd.bat

Process modifications

The analyzed file affected the following system processes.

Event                              File path
Creates process                    Sample started
Creates process                    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\212856.exe
Creates process                    C:\Documents and Settings\Administrator\Application Data\Fuxyh\zuge.exe
Creates process                    C:\WINDOWS\system32\cmd.exe
Writes to remote process memory    C:\WINDOWS\explorer.exe
Creates thread in remote process   C:\WINDOWS\explorer.exe
Writes to remote process memory    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Creates thread in remote process   C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Writes to remote process memory    C:\Program Files\Norman\Npm\Bin\Zlh.exe
Creates thread in remote process   C:\Program Files\Norman\Npm\Bin\Zlh.exe
Writes to remote process memory    C:\WINDOWS\Temp\9223b428b28c7b8033edbb588968eaea.exe
Creates thread in remote process   C:\WINDOWS\Temp\9223b428b28c7b8033edbb588968eaea.exe
Creates process                    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\215720.exe
Creates process                    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\217532.exe

Registry

No Windows Registry changes were made.

Global system events

The following global system events were detected.


Forcepoint has made an effort to determine whether your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.