Malware Report

Malware Report - Results

This report shows all the different areas TAZER analyzes for the sample: Host, Network Activity, and Detection.

Malware Search Criteria:

MD5 =a51770f9581ac7f6c65af774bf1a7450

Malware Report - Results

File MD5Sum	SHA1SUM	SHA256SUM	FUZZY HASH	File Size
a51770f9581ac7f6c65af774bf1a7450	8e5786a8a51cb42a728e392cdf87da26b4290532	6e13f6ada04d0cb6e63ed2c911e656005434801fcd48e790011961bb78002602	3072:124/wTotfpE4mCYT/6i5HSfiyY4x/3g0B8yf/WwG3VTiXa4aLC/lQ6qAkKcE:1sVHTii5HSfrx/	237773

File Results

File Name
explorer.exe

SNORT Results

Snort Class	Snort Alert	Count
N/A	No snort alerts generated	0

AV Results

AV Alert	AV Vendor
Backdoor.Trojan	Symantec
N/A	McAfee
Trojan.Win32.Scar.edlv	Kaspersky

Folders (Added) - ICC Results

Path	Folder Name
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	ITB2CJ0C
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	WO4JPI86

Files (Added) - ICC Results

Path	File Name
c:/Documents and Settings/dmc73144/Application Data/Mozilla/Firefox/Profiles/ektregxy.default	signons.sqlite
c:/Documents and Settings/dmc73144/Application Data	FILE_10452.exe
c:/Documents and Settings/dmc73144/Application Data	lovely.ini
c:/Documents and Settings/dmc73144/Application Data	net.bat
c:/Documents and Settings/dmc73144/Application Data	net.vbs
c:/Documents and Settings/dmc73144/Application Data	rsbot.exe.exe
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	desktop.ini
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/ITB2CJ0C	rsbot[1].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	desktop.ini
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	profile[1].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	profile[2].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	profile[3].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	profile[4].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	profile[5].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	profile[6].htm
c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5/WO4JPI86	profile[7].htm
c:/WINDOWS/Prefetch	AUTOIT3.EXE-32361418.pf
c:/WINDOWS/Prefetch	NTVDM.EXE-1A10A423.pf
c:/WINDOWS/Prefetch	REGSHOT.EXE-010A5EE6.pf
c:/WINDOWS/Prefetch	SANDNET.EXE-2012C478.pf

Files (Deleted) - ICC Results

Action	Path	File Name

Files (Changed) - ICC Results

Action	Path	File Name
modified	c:/Documents and Settings/dmc73144/Cookies	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/History/History.IE5	index.dat
modified	c:/Documents and Settings/dmc73144/Local Settings/Temporary Internet Files/Content.IE5	index.dat
modified	c:/Documents and Settings/dmc73144	NTUSER.DAT
modified	c:/Documents and Settings/dmc73144	ntuser.dat.LOG
modified	c:/WINDOWS/Prefetch	CMD.EXE-087B4001.pf
modified	c:/WINDOWS/Prefetch	HSTART.EXE-221D72BF.pf
modified	c:/WINDOWS/Prefetch	SH.EXE-00254D2B.pf
modified	c:/WINDOWS/Prefetch	SSHD.EXE-298CA236.pf
modified	c:/WINDOWS/Prefetch	SWITCH.EXE-0496EC21.pf
modified	c:/WINDOWS/system32/config	software.LOG
modified	c:/WINDOWS/system32/drivers/etc	hosts
modified	c:/WINDOWS/system32/wbem/Logs	wmiprov.log

Registry Keys (Added) - ICC Results

Action	Path
added	HKLM/SOFTWARE/Microsoft/DownloadManager
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_FASTFAT/0000/Control
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_FASTFAT/0000/Control
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere

Registry Values (Added) - ICC Results

Action	Path	Val_Name	Val_Data
added	HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run	minecraft2	"C:/Documents and Settings/dmc73144/Application Data/rsbot.exe.exe"
added	HKLM/SYSTEM/ControlSet001/Enum/Root/LEGACY_FASTFAT/0000/Control	ActiveService	"Fastfat"
added	HKLM/SYSTEM/CurrentControlSet/Enum/Root/LEGACY_FASTFAT/0000/Control	ActiveService	"Fastfat"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Identities/{32BF15D6-D919-458D-8A1A-AC3F3B3F3027}	Identity Ordinal	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Run	minecraft2	"C:/Documents and Settings/dmc73144/Application Data/rsbot.exe.exe"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/RunOnce	FILE_10452	"C:/Documents and Settings/dmc73144/Application Data/FILE_10452.exe"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://Documents and Settings//dmc73144//Application Data//FILE_10452.exe	"FILE_10452"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/ShellNoRoam/MUICache	C://WINDOWS//system32//ntvdm.exe	"NTVDM.EXE"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Server ID	0x00000003
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	Account Name	"WhoWhere Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Server	"ldap.whowhere.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/WhoWhere	LDAP Logo	"%ProgramFiles%Common FilesServiceswhowhere.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Server ID	0x00000002
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	Account Name	"VeriSign Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Server	"directory.verisign.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Search Base	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/VeriSign	LDAP Logo	"%ProgramFiles%Common FilesServicesverisign.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Server ID	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	Account Name	"Bigfoot Internet Directory Service"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Server	"ldap.bigfoot.com"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP URL	"http
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Authentication	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Simple Search	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Bigfoot	LDAP Logo	"%ProgramFiles%Common FilesServicesbigfoot.bmp"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Server ID	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	Account Name	"Active Directory"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Server	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Search Return	0x00000064
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Timeout	0x0000003C
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Authentication	0x00000002
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Simple Search	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Bind DN	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Port	0x00000CC4
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Resolve Flag	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Secure Connection	0x00000000
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP User Name	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts/Active Directory GC	LDAP Search Base	"NULL"
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	AssociatedID	D6 15 BF 32 19 D9 8D 45 8A 1A AC 3F 3B 3F 30 27
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	PreConfigVer	0x00000004
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager/Accounts	PreConfigVerNTDS	0x00000001
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager	Server ID	0x00000004
added	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Internet Account Manager	Default LDAP Account	"Active Directory GC"

Registry Values (Deleted) - ICC Results

Action	Path	Val_Name	Val_Type	Mod_Val_Type	Val_Data	Mod_Val_Data

Registry Values (Changed) - ICC Results

Action	Path	Val_Name	Val_Data	Mod_Val_Data
modified	HKLM/SOFTWARE/Microsoft/Cryptography/RNG	Seed	DC 3D 4A DC 08 36 5C 1B 6F B2 A0 3B 59 F9 6E A6 6B DC B9 87 2A 08 BA 52 13 76 8A	9E 0E 3A 34 57 6E 93 77 C8 42 F4 B0 35 18 C1 2F AF 7D 9B C3 91 A7 1E 21 A2 68 92
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Identities	Identity Ordinal	0x00000001	0x00000002
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Connections	SavedLegacySettings	3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00	3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00
modified	HKU/S-1-5-21-1844237615-562591055-839522115-1004/SessionInformation	ProgramCount	0x00000002	0x00000003

DNS Results

DNS	DNS Response
dl.dropbox.com	Standard query response CNAME dl-balancer3-985632286.us-east-1.elb.amazonaws.com A 107.22.250.232
www.facebook.com	Standard query response A 69.171.224.12

URL Results

DstIP	HTTP_HOST	HTTP_REQUEST_URI	HTTP_USER_AGENT	PROTOCOL
107.22.250.232	dl.dropbox.com	/u/36324022/rsbot.exe	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)	0x06
69.171.224.12	www.facebook.com	/profile.php?id=411455934648626&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=52539515487804&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=310105395852289&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=74675941738356&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=829409895918295&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=17473150399194&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=132485936477809&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=512573729158732&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06
69.171.224.12	www.facebook.com	/profile.php?id=497004096959042&sk=info	Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre	0x06

ARGUS PROTOCOL Results

PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
6	50	40	4883	5150

ARGUS DPORT Results

DPORT	PROTOCOL	SRC_PKTS	DST_PKTS	SRC_BYTES	DST_BYTES
80	6	50	40	4883	5150

ARGUS DATA Results

Time	Date	Protocol	SrcIP	DstIP	Dir	Flags	Sport	Dport	Pkts	Bytes
17:50:42	2011-10-18	6	10.10.10.7	107.22.250.232	->	e	517	80	9	1009
17:50:58	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	547	80	9	1003
17:51:14	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	587	80	9	1002
17:51:30	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	382	80	9	1003
17:51:46	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	49	80	9	1002
17:52:02	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	177	80	9	1003
17:52:18	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	215	80	9	1002
17:52:34	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	680	80	9	1003
17:52:50	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	723	80	9	1003
17:53:06	2011-10-18	6	10.10.10.7	69.171.224.12	->	e	767	80	9	1003

Packer Results

Packer Name

HoneyTrap Results

Honey Trap Log File Location

PTFB Results

PTFB Log File Location