p34s3.hmarhelo.com

Resolved : [p34s3.hmarhelo.com] To [209.90.137.223]
Resolved : [p34s3.hmarhelo.com] To [209.90.137.224]
Resolved : [p34s3.hmarhelo.com] To [209.90.137.222]
Resolved : [p34s3.hmarhelo.com] To [209.90.137.221]

Remote Host           Port Number
p34s3.hmarhelo.com    1199

Registry Modifications

* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ 12CFG214-K641-12SF-N85P = "C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe"

so that vsbntlo.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name: [filename of the sample #1]
Process Filename: [file and pathname of the sample #1]
Main Module Size: 24 576 bytes

Process Name: vsbntlo.exe
Process Filename: C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
Main Module Size: 24 576 bytes

File System Modifications

* The following files were created in the system:

# 1
Filename(s): c:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini
File Size: 63 bytes
File Hash: MD5: 0xE783BDD20A976EAEAAE1FF4624487420
           SHA-1: 0xC2A44FAB9DF00B3E11582546B16612333C2F9286
Alias: (not available)

# 2
Filename(s): c:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
             [file and pathname of the sample #1]
File Size: 24 576 bytes
File Hash: MD5: 0xBFEC4095340A4E986E0F41103A60DBDF
           SHA-1: 0x8ED6425C4A59DE0857BE9E7AC34148ABE7050B48
Alias: P2P-Worm.Win32.Palevo.avjv [Kaspersky Lab]
       TrojanDropper:Win32/Injector.I [Microsoft]
       Win-Trojan/Injector.24576.AK [AhnLab]