Remote Host Port Number
omgredrum.no-ip.biz 51987
Resolved : [omgredrum.no-ip.biz] To [69.65.19.117]
Resolved : [omgredrum.no-ip.biz] To [69.65.19.116]
PASS Virus
NICK VirUs-aruhtp
USER sntmwl “” “pup” :sntmwl
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{28ABC5C0-4FCB-33CF-AAX5-35GX1C642122}
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{28ABC5C0-4FCB-33CF-AAX5-35GX1C642122}]
+ StubPath = “c:RESTORES-1-5-21-1482476501-1644491937-682003330-1013RedruMx.exe”
so that RedruMx.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 53 248 bytes
redrumx.exe c:restores-1-5-21-1482476501-1644491937-682003330-1013redrumx.exe 53 248 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 c:RESTORES-1-5-21-1482476501-1644491937-682003330-1013Desktop.ini 62 bytes MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514 (not available)
2 c:RESTORES-1-5-21-1482476501-1644491937-682003330-1013RedruMx.exe
[file and pathname of the sample #1] 18 430 bytes MD5: 0x44920CD87E9A39B13ED42C6F74F69C7B
SHA-1: 0xB4592099BCB0A6E1472292199C4AFB178C25CE93 Generic Dropper.hs [McAfee]
Worm:Win32/Hamweq.A [Microsoft]
Trojan-Dropper.SSS [Ikarus]
Win32/IRCBot.worm.variant [AhnLab]