Remote Host Port Number
fusiiion.info 51987

NICK [USA-161730]
USER 4197 “” “lol” :4197
JOIN #Asper
NICK [USA-551703]
USER 8351 “” “lol” :8351

Other details

* To mark the presence in the system, the following Mutex object was created:

* The following ports were open in the system:

Port Protocol Process
1033 TCP svchost.exe (%Windir%svchost.exe)
1035 TCP svchost.exe (%Windir%svchost.exe)
1039 TCP crypted.exe (%Temp%crypted.exe)

* The following Host Name was requested from a host database:
o fusiiion.info

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{08B0E5C0-4FCB-11CF-AAX5-00401C608512}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{08B0E5C0-4FCB-11CF-AAX5-00401C608512}]
+ StubPath = “%Windir%svchost.exe”
+ StubPath = “%Temp%crypted.exe”

so that svchost.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
svchost.exe %Windir%svchost.exe 49 152 bytes
Crypted.exe %Temp%crypted.exe 49 152 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Temp%Crypted.exe
%Windir%svchost.exe 34 304 bytes MD5: 0xC2BF9EDF0E98523BDC216B770206EF4C
SHA-1: 0x853297E4CE1FF61F06357041B3827A2843062D91 New Malware.b [McAfee]
Mal/Emogen-Y, Mal/IRCBot-B [Sophos]
Trojan:Win32/Malex.gen!E [Microsoft]
2 [file and pathname of the sample #1] 535 060 bytes MD5: 0x300839B8A8555DA27D25EAEF78AC34A9
SHA-1: 0xB0A602BFF04D9B2259F510CAB955026154F3F587 (not available)

Categories: Uncategorized