Malware Report: 6c5df403ea695f6e021596dcc4b3d0922e1ce50e

File SHA1: 6c5df403ea695f6e021596dcc4b3d0922e1ce50e
File MD5 : 94822dcae3531c32c74cc22e48188482
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Date: Mon Nov 9 18:35:55 MYT 2009
Possible Malware: YES
Panda Says: W32/Sality.AO

#– Files Created: –

/Documents and Settings/Administrator/Local Settings/Temp/286.exe
/Documents and Settings/Administrator/Local Settings/Temp/Cookies
/Documents and Settings/Administrator/Local Settings/Temp/History
/Documents and Settings/Administrator/Local Settings/Temp/Temporary Internet Files
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/0X6VKLAB/abb[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/ADR46XYH/lo[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/ADR46XYH/part[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/TN0LPWP3/bot[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/WDANS5QR/2[1].exe
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/WDANS5QR/bde[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/WDANS5QR/lgate[1].htm
/Documents and Settings/Administrator/reader_s.exe
/Documents and Settings/Administrator/restorer32_a.exe
/RECYCLER/S-1-5-21-0243556031-888888379-781863308-1455
/RECYCLER/S-1-5-21-0243636035-3055115376-381863306-1556
/RECYCLER/S-1-5-21-7999029282-7210759101-978482095-7792
/WINDOWS/Prefetch/286.EXE-133AA68F.pf
/WINDOWS/Prefetch/ACDVN.EXE-22264950.pf
/WINDOWS/Prefetch/CCVYWO.EXE-093AA251.pf
/WINDOWS/Prefetch/CSRS.EXE-368A04E2.pf
/WINDOWS/Prefetch/NETSH.EXE-085CFFDE.pf
/WINDOWS/Prefetch/SERVICES.EXE-2B0DDD57.pf
/WINDOWS/Prefetch/SYJC.EXE-07C139FB.pf
/WINDOWS/services.exe
/WINDOWS/system32/2.tmp
/WINDOWS/system32/3.tmp
/WINDOWS/system32/4.tmp
/WINDOWS/system32/5.tmp
/WINDOWS/system32/7.tmp
/WINDOWS/system32/acdvn.exe
/WINDOWS/system32/ccvywo.exe
/WINDOWS/system32/csrs.exe
/WINDOWS/system32/dllcache/ndis.sys
/WINDOWS/system32/reader_s.exe
/WINDOWS/system32/restorer32_a.exe
/WINDOWS/system32/spooIsv.exe

#– Registry Created: –

[SOFTWARE]
+ [software\Microsoft\DownloadManager]
+ [software\Microsoft\Tracing\FWCFG]
+ [software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ [software\Microsoft\Windows\CurrentVersion\services]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
+ [software\Policies\Microsoft\WindowsFirewall]
+ [software\Policies\Microsoft\WindowsFirewall\DomainProfile]
+ [software\Policies\Microsoft\WindowsFirewall\StandardProfile]
[SYSTEM]
+ [system\ControlSet001\Services\napagent\LocalConfig\Enroll]
+ [system\ControlSet001\Services\napagent\LocalConfig\Enroll\HcsGroups]
+ [system\ControlSet001\Services\napagent\LocalConfig\UI]
[SECURITIES]
[DEFAULT]
+ [default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[NTUSER]

#– Malware Traffic – DNS: –

#– Malware Traffic – Connections: –

#– Malware Traffic – www: –

#– Screenshots: –

Screen After 90 Seconds

Screen After 120 Seconds