ThreatScope Analysis Report

For file RaportUpdate_19072013.exe uploaded 2013-07-19 at 10:52:46 AM

Threat level: Malicious

Recommendation: Do not allow this file to be run in your network. Perform remediation on machines on which the file may have run.

Threat Assessment

Traffic to server hosting malicious content

Drops and runs executable file(s) in a directory of the user profile often used by malware

Drops executable file(s)

Possibly injects code into remote process(es)

Writes to the filesystem in a directory of the user profile often used by malware

Executes the Windows command shell program

Screenshots: None

File details:

MD5:            fe728544001b7571af4ac2bf0230bd4c
SHA-1:          aadae89eaee9d58ee306f699fa6d3f744cfa63d4
SHA-256:        67d4e6be50e5c5f4ecc7789d27f9c0b5a3fdbcfd8b895ad5f6a5bc82f2756eaf
File size:      120.50 KB
File uploaded:  2013-07-19 10:52:46 AM
Report created: 2013-07-19 10:54:22 AM

Technical Details

Requested HTTP URLs

The analyzed file requests the following URLs. Each entry lists the URL, the IP address and country, the category, details (may include user agent string, HTTP server, or encryption information), the HTTP method, the status (the first item is the response type, e.g. 200, meaning OK; the second item is the size of the response) and the MIME type (the first item is the server-declared content type; the second item is the true content type).

URL:         http://nursenextdoor.com/ponyb/gate.php
IP Address:  209.15.210.130 (Canada)
Category:    Malicious Web Sites
User agent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: nginx/1.0.14
Method:      POST
Status:      200, 0 B
MIME:        text/html

URL:         http://acimg.anphis.pt/usHuoew.exe
IP Address:  178.33.153.83 (France)
Category:    Uncategorized
User agent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Microsoft-IIS/7.5
Method:      GET
Status:      200, 309.00 KB
MIME:        application/octet-stream

URL:         http://go4color.com/RyicPb.exe
IP Address:  198.66.167.187 (United States)
Category:    Uncategorized
User agent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Microsoft-IIS/6.0
Method:      GET
Status:      200, 309.00 KB
MIME:        application/octet-stream

URL:         http://salsaconfuego.com/RCY.exe
IP Address:  50.22.11.27 (United States)
Category:    Malicious Web Sites
User agent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Apache
Method:      GET
Status:      403, 395 B
MIME:        text/html; charset=iso-8859-1

URL:         http://positivepurchasingsandbox.positivedev.co.uk/sK4V.exe
IP Address:  74.200.225.6 (United States)
Category:    Malicious Web Sites
User agent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP Server: Microsoft-IIS/8.0
Method:      GET
Status:      200, 309.00 KB
MIME:        application/octet-stream

Resolved hostnames

The analyzed file used DNS to resolve the following hostnames.

Hostname                                     Category             IP address
go4color.com                                 Uncategorized        198.66.167.187
acimg.anphis.pt                              Uncategorized        178.33.153.83
positivepurchasingsandbox.positivedev.co.uk  Malicious Web Sites  74.200.225.6
nursenextdoor.com                            Malicious Web Sites  209.15.210.130
salsaconfuego.com                            Malicious Web Sites  50.22.11.27

IP addresses

The analyzed file requests the following IP addresses.

IP Address      ASN                                   Country
209.15.210.130  AS13768 Peer 1 Network Inc.           Canada
178.33.153.83   AS16276 OVH Systems                   France
198.66.167.187  AS2914 NTT America, Inc.              United States
50.22.11.27     AS36351 SoftLayer Technologies Inc.   United States
74.200.225.6    AS22576 Layered Technologies, Inc.    United States

File system modifications

The analyzed file changes the following items in the file system. This type of change can be performed by both malicious and benign files.

Event        File path
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\36111.bat
Writes file  C:\Documents and Settings\victimo\NTUSER.DAT.LOG
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\32336.exe
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\27018.exe
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\MKBC8CB.bat
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\KQFFF50.bat
Writes file  C:\Documents and Settings\victimo\Application Data\Vyez\lobi.exe
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\35370.exe
Writes file  C:\Documents and Settings\victimo\NTUSER.DAT
Writes file  C:\Documents and Settings\victimo\Local Settings\Temp\CQK162F.bat

Process modifications

The analyzed file affected the following system processes.

Event            File path
Creates Process  C:\WINDOWS\system32\cmd.exe

Registry

No Windows Registry changes were made.

Global system events

No global system events were detected.

Forcepoint has made an effort to determine if your submission is malicious; however, Forcepoint cannot guarantee the accuracy of the result.