Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =5675f5fe409b89eb61136fc3dac675b5

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
5675f5fe409b89eb61136fc3dac675b5	d33e8c8ce1d2aea0f3df54033a4c6bcb458ec5fb	e49fbbf0bae408000b644e2cb44437c56d8e351cd70d57d3ab0cff8cff1b0f1b	1536:HGXwVWm5UuQlJd40/llDl8ZUF/elGLQqYXwHPzfRjG86jjDO:HGXwP5dQLe0/bl8ZLlGLZY64lD	171008

File Results

File Name
bkb.VirusRamnit%2DaJoSqNtL167.exe

SNORT Results

Snort Class	Snort Alert	Count
Misc Attack	ET RBN Known Russian Business Network IP TCP (316)	3
Misc Attack	ET RBN Known Russian Business Network IP TCP (66)	1
Misc Attack	ET RBN Known Russian Business Network IP TCP (187)	1
A Network Trojan was Detected	ET DROP Known Bot C&C Server Traffic TCP (group 90)	1
A Network Trojan was Detected	ET DROP Known Bot C&C Server Traffic TCP (group 176)	1

AV Results

AV Alert	AV Vendor
Packed.Protexor!gen1	Symantec
PWS-Zbot.gen.di	McAfee
Virus.Win32.Virut.ce	Kaspersky

Folders (Added) - ICC Results

Path	Folder Name

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Start Menu/Programs/Startup	pdlkjkis.exe
c:/Program Files/Internet Explorer	dmlconf.dat
c:/WINDOWS/Prefetch	IEXPLORE.EXE-27122324.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf
c:	netstat_post.txt
c:	taskv_post.txt

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Program Files/Internet Explorer	iexplore.exe
modified	c:/Program Files/OpenSSH/bin	sh.exe
modified	c:/Program Files/OpenSSH/bin	switch.exe
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	NETSTAT.EXE-2B2B4428.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SLEEP.EXE-094A3D2A.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/system32/config	default.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32	netstat.exe
modified	c:/WINDOWS/system32	tasklist.exe

Registry Keys (Added) - ICC Results

Action	Path

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	79 EC 33 20 B3 35 86 BE 79 F1 2A 83 1C B4 FF 70 A1 61 90 3A 7D 7F 7A 60 01 48 14	C4 D1 28 2D 11 4B 2A 42 9A 90 13 C6 F6 61 55 B3 63 7B 8B 89 4F D7 A1 AA B0 4B C
modified	HKLM/SYSTEM/ControlSet001/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000106
modified	HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Epoch	Epoch	0x00000104	0x00000106
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders	Cookies	C:Documents and SettingsDefault UserCookies	"C
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders	Cache	C:Documents and SettingsDefault UserLocal SettingsTemporary Internet Files	"C
modified	HKU/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders	History	C:Documents and SettingsDefault UserLocal SettingsHistory	"C
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders	Cookies	C:Documents and SettingsDefault UserCookies	"C
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders	Cache	C:Documents and SettingsDefault UserLocal SettingsTemporary Internet Files	"C
modified	HKU/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders	History	C:Documents and SettingsDefault UserLocal SettingsHistory	"C

DNS Results

DNS	DNS Response
google.com	Standard query response A 74.125.93.105 A 74.125.93.106 A 74.125.93.147 A 74.125.93.99 A 74.125.93.103 A 74.125.93.104
zahlung.name	Standard query response A 193.23.126.55
ilo.brenz.pl	Standard query response A 83.133.119.197
tybdtyutjfyvetscev.com	Standard query response A 66.228.49.83
ervwetyrbuyouiylkdhrbt.com	Standard query response A 64.158.56.57 A 63.251.179.57
buhpop.com	Standard query response A 64.158.56.57 A 63.251.179.57
wervynuuyjhnbvfservdy.com	Standard query response A 208.73.210.29
tmtadt.com	Standard query response A 63.251.179.57 A 64.158.56.57
tybsyiutnrtvtybdrser.com	Standard query response A 63.251.179.57 A 64.158.56.57
denjou.com	Standard query response A 63.251.179.57 A 64.158.56.57
vlixta.com	Standard query response A 63.251.179.57 A 64.158.56.57
bzluxo.com	Standard query response A 63.251.179.57 A 64.158.56.57
dobcpe.com	Standard query response A 63.251.179.57 A 64.158.56.57
fjjvok.com	Standard query response A 63.251.179.57 A 64.158.56.57
ilo.brenz.pl	Standard query response A 60.190.222.139
emcegn.com	Standard query response A 64.158.56.57 A 63.251.179.57
zkdbza.com	Standard query response A 63.251.179.57 A 64.158.56.57

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
239.255.255.250	239.255.255.250:1900	*	--blank--	0x11

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	351	327	21853	41793
17	2	0	350	0

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	122	111	7730	28795
443	6	229	216	14123	12998
1900	17	2	0	350	0

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
15:19:26	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	225	80	11	1756
15:19:26	2011-06-25	6	10.10.10.7	193.23.126.55	->	e	226	443	15	904
15:19:26	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	227	80	15	2052
15:19:31	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	225	80	10	1965
15:19:31	2011-06-25	6	10.10.10.7	193.23.126.55	->	e	226	443	6	360
15:19:31	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	227	80	8	1572
15:19:32	2011-06-25	6	10.10.10.7	193.23.126.55	->	e	439	443	15	973
15:19:36	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	225	80	4	513
15:19:37	2011-06-25	6	10.10.10.7	193.23.126.55	->	e	439	443	6	360
15:19:48	2011-06-25	6	10.10.10.7	66.228.49.83	->	e	511	443	15	904
15:19:53	2011-06-25	6	10.10.10.7	66.228.49.83	->	e	511	443	6	360
15:19:54	2011-06-25	6	10.10.10.7	66.228.49.83	->	e	142	443	15	973
15:19:59	2011-06-25	6	10.10.10.7	66.228.49.83	->	e	142	443	6	360
15:20:04	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	344	80	15	2052
15:20:09	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	344	80	10	1965
15:20:10	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	530	443	16	964
15:20:15	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	530	443	5	300
15:20:16	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	192	443	16	1033
15:20:21	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	192	443	5	300
15:20:25	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	531	443	11	664
15:20:30	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	531	443	10	600
15:20:32	2011-06-25	6	10.10.10.7	208.73.210.29	->	e	568	443	15	904
15:20:35	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	531	443	4	240
15:20:36	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	569	80	11	1756
15:20:38	2011-06-25	6	10.10.10.7	208.73.210.29	->	e	568	443	6	360
15:20:38	2011-06-25	6	10.10.10.7	208.73.210.29	->	e	570	443	15	973
15:20:41	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	569	80	11	2298
15:20:43	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	571	80	15	2052
15:20:44	2011-06-25	6	10.10.10.7	208.73.210.29	->	e	570	443	6	360
15:20:45	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	531	443	2	120
15:20:45	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	572	443	12	724
15:20:46	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	569	80	3	180
15:20:48	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	571	80	4	786
15:20:50	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	572	443	10	600
15:20:55	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	573	443	15	904
15:20:55	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	572	443	3	180
15:21:00	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	573	443	6	360
15:21:01	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	607	443	16	1033
15:21:05	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	608	443	11	664
15:21:05	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	572	443	2	120
15:21:06	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	607	443	5	300
15:21:10	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	608	443	10	600
15:21:15	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	608	443	4	240
15:21:19	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	22	80	17	2445
15:21:25	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	626	443	11	664
15:21:25	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	608	443	2	120
15:21:30	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	626	443	10	600
15:21:35	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	626	443	4	240
15:21:45	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	627	443	11	664
15:21:45	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	626	443	2	120
15:21:47	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	325	80	11	1756
15:21:50	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	627	443	11	660
15:21:52	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	325	80	10	1965
15:21:55	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	640	80	17	2168
15:21:55	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	627	443	3	180
15:21:57	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	325	80	4	513
15:22:00	2011-06-25	6	10.10.10.7	83.133.119.197	->	e	640	80	2	393
15:22:05	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	627	443	2	120
15:22:05	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	726	443	12	724
15:22:11	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	726	443	10	600
15:22:16	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	726	443	3	180
15:22:25	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	726	443	2	120
15:22:25	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	772	443	12	724
15:22:30	2011-06-25	6	10.10.10.7	60.190.222.139	->	e	773	80	13	1659
15:22:31	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	772	443	10	600
15:22:36	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	772	443	3	180
15:22:46	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	820	443	11	664
15:22:45	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	772	443	2	120
15:22:51	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	820	443	11	660
15:22:56	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	820	443	3	180
15:22:57	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	821	80	11	1756
15:23:02	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	821	80	11	2298
15:23:03	2011-06-25	6	10.10.10.7	60.190.222.139	->	e	822	80	15	2052
15:23:06	2011-06-25	6	10.10.10.7	64.158.56.57	->	e	820	443	2	120
15:23:06	2011-06-25	6	10.10.10.7	63.251.179.57	->	e	823	443	12	724
15:23:07	2011-06-25	6	10.10.10.7	74.125.93.105	->	e	821	80	3	180
15:23:08	2011-06-25	6	10.10.10.7	60.190.222.139	->	e	822	80	2	393
15:23:11	2011-06-25	6	10.10.10.7	63.251.179.57	->	e d	823	443	5	300
15:23:17	2011-06-25	6	10.10.10.7	63.251.179.57	->	e d	823	443	2	120
15:24:44	2011-06-25	17	10.10.10.7	239.255.255.250	->	e	8	1900	2	350

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location