September 18, 2021

Malware Protection

Dedicated Forum to help removing adware, malware, spyware, ransomware, trojans, viruses and more!

FedEx Phishing Campaign (Zbot)


At the time I pulled this sample it was 8 hours old on VirusTotal. It did not appear to be specific to any industry, and minimal changes had been made to the PE to evade detection.

Details are as follows:

Source IP: 118.21.162.237 (i118-21-162-237.s30.a048.ap.plala.or.jp)
Location: Tokyo 40 Japan
Delivery: SMTP
File type: exe
Size: 37.0 KB
Ports: 61740 -> 25 (SMTP)
Connection: TCP Client to TCP Server
Detection: Trojan.Win32.Agent.acqpl TROJWARE (zbot); Agent acqpl


Other Country Sources: 
http://pastebin.com/RJi9XqX5

Email:
Attachment nesting: mime(Order history page.zip.b64) base64(Order history page.zip) zip(Order history page.pdf.exe)
SMTP: i118-21-162-237.s30.a048.ap.plala.or.jp -> mail.company.com BODY=7BIT BODY=7BIT
Subject: Your Rewards Order Has Shipped
Body:
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: 7bit
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.
You can review complete details of your order on the Order History page.
Thanks for choosing FedEx.
Order Confirmation Number: 3899836
Order Date: 11/03/2013
Redemption Item / Quantity / Tracking Number
Paper, Document16.
fedex.com
Follow FedEx
You may receive separate e-mails with tracking information for reward ordered.
My FedEx Rewards may be modified or terminated at any time without notice. Rewards points available for qualifying purchases and certain exclusions apply. For details and a complete listing of eligible products and services please read My FedEx Rewards Terms and Conditions.
2012 FedEx. The content of this message is protected by copyright and tr
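The delivery chain in this email is a zip attachment, base64-encoded as a MIME part, whose only member is an executable carrying a document extension in front of .exe. The check below is an added example, not code from the original post: it builds a message of that shape (the subject and attachment names come from the post; the member contents are a constructed MZ-header placeholder, not the sample), then unpacks each attachment in memory and flags double extensions and PE magic bytes the way a mail-gateway filter would. The sender and recipient addresses are constructed assumptions.

```python
"""Mail-gateway style check for the attachment chain used by this lure:
MIME part -> base64 -> zip -> "<name>.pdf.exe".  Added example, not code from
the original post; attachment names and subject come from the post, the file
contents are a constructed placeholder (MZ header plus padding), not the sample."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DISGUISE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def build_sample_message() -> bytes:
    """Construct a message shaped like the lure: text body plus a zip attachment
    whose only member is a double-extension PE (placeholder bytes)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64   # constructed, not real code
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Order history page.pdf.exe", fake_pe)
    msg = EmailMessage()
    msg["From"] = "rewards@example.invalid"    # constructed sender, not the campaign's
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your Rewards Order Has Shipped"
    msg.set_content("This is to confirm that one or more items in your order has been shipped.")
    # add_attachment base64-encodes binary payloads, giving the mime -> base64 -> zip layering
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="Order history page.zip")
    return msg.as_bytes()


def classify_name(name: str) -> list:
    """Reasons a file name alone is suspicious: an executable extension, and a
    document extension stacked in front of it to hide it (the .pdf.exe trick)."""
    reasons = []
    stem, _, ext = name.lower().rpartition(".")
    ext = "." + ext if ext else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        _, _, inner = stem.rpartition(".")
        if "." + inner in DISGUISE_EXTENSIONS:
            reasons.append(f"double extension .{inner}{ext}")
    return reasons


def looks_like_pe(data: bytes) -> bool:
    """Content check that does not trust the name: Windows executables start with 'MZ'."""
    return data[:2] == b"MZ"


def inspect_message(raw: bytes) -> list:
    """Walk the attachments, undo the base64 transfer encoding, open zip
    attachments in memory and check every member by name and magic bytes.
    Returns one finding per suspicious file, naming its position in the chain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        outer = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        candidates = [(outer, payload)]
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    chain = f"{outer} -> {info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append({"chain": chain, "reasons": ["member too large to scan"]})
                        continue
                    candidates.append((chain, zf.read(info)))
        for chain, data in candidates:
            reasons = classify_name(chain.rsplit(" -> ", 1)[-1])
            if looks_like_pe(data):
                reasons.append("MZ header: Windows executable")
            if reasons:
                findings.append({"chain": chain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in inspect_message(build_sample_message()):
        print(hit["chain"], "->", "; ".join(hit["reasons"]))
```

The name check and the magic-byte check are deliberately independent: renaming the member would defeat the first but not the second, and a zip member declared larger than the size cap is reported without being inflated.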

Malwr

Forensic Data (Text)
PE header: MZ ... PE ... "This program cannot be run in DOS mode."
Sections: .code .data .text .idata .rsrc
Embedded strings: LoadLibraryExA, record, recsound, c:\ereereaaaa, c, FTPR, user32.dll, CLSS, TranslateMessage

-- CUT --
DFIR:
Section flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Sample: c13cf0af350fd6dfb8380d0968c230b1.exe
filename: slide1.exe
Callbacks:
103[.]6[.]196[.]152 port 80 TCP
GET hxxp://asfitness[.]com:80/wp-content/uploads/2013/04/ourgoals.exe (dropper request)
Headers observed: x-pingback: hxxp://www[.]asfitness[.]com/xmlrpc[.]php; x-powered-by: PHP/5.3.27; location: hxxp://www[.]asfitness[.]com/wp-content/uploads/2013/04/ourgoals.exe; content-length: 0; server: Apache
69[.]64[.]39[.]215 port 80 TCP
GET hxxp://dominionthe[.]com:80/images/slide1.exe
Domain: dominionthe[.]com
Headers observed: user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;); content-length: 441856; server: Apache
99[.]35[.]113[.]22 8610
70[.]52[.]185[.]81 1044
109[.]152[.]163[.]147 9819
86[.]46[.]238[.]128 8274
178[.]131[.]179[.]64 6295
71[.]35[.]90[.]194 7606
59[.]99[.]73[.]77 9084
79[.]23[.]23[.]228 7377
141[.]0[.]97[.]49 5609
82[.]107[.]157[.]227 2186
150[.]212[.]189[.]200 1685
99[.]123[.]8[.]127 4870
139[.]195[.]227[.]57
2[.]228[.]19[.]149 6356
84[.]140[.]161[.]152 4019
176[.]73[.]200[.]140 5014
213[.]123[.]216[.]113 8730
70[.]246[.]10[.]226 2276
2[.]135[.]143[.]98 2696
108[.]237[.]184[.]77
80[.]11[.]166[.]26 1172
82[.]89[.]225[.]96 8310
70[.]30[.]53[.]56 8204
176[.]73[.]230[.]38 1153
201[.]174[.]194[.]198 5552
58[.]97[.]166[.]89 2466
2[.]229[.]105[.]13 8381
217[.]27[.]102[.]96 6308
80[.]141[.]251[.]252 8581
190[.]201[.]1[.]139 9466
217[.]92[.]114[.]216 1981
95[.]104[.]86[.]31 8251
78[.]15[.]147[.]55
75[.]146[.]121[.]185 3413
77[.]107[.]154[.]122 4450
79[.]19[.]139[.]88 6301
46[.]44[.]133[.]57 5717
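Callback lists like the one above circulate defanged, often in more than one notation (hxxp for http, [.] for dots, and variants such as "2./228/.19./149"), and a line that refuses to parse is easy to lose when the list is turned into a blocklist. The code below is an added example, not from the original post: it normalises such lines into validated IP:port or host:port indicators, reports malformed ones instead of dropping them, and matches the result against connection records. RAW_IOCS is a constructed subset of the post's callbacks in those notations and FLOWS is a constructed flow log; both are assumptions for the demonstration.

```python
"""Normalise a defanged callback list into validated indicators and match
them against connection records.  Added example, not code from the original
post; RAW_IOCS is a constructed subset of the post's callbacks in the notations
they were shared in, and FLOWS is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: hxxp, [.] and the ./ and /. dot spellings, plus two bad lines.
RAW_IOCS = """\
103[.]6[.]196[.]152 80
99[.]35[.]113[.]22 8610
2./228/.19./149 6356
176/.73/.200/.140 5014
213/.123./216./113 8730
139[.]195[.]227.57
hxxp://dominionthe[.]com:80/images/slide1.exe
not an indicator at all
999[.]1[.]1[.]1 80
"""

# Constructed flow records: src_ip dst_ip dst_port proto
FLOWS = """\
172.16.1.50 99.35.113.22 8610 tcp
172.16.1.50 2.228.19.149 6356 tcp
172.16.1.50 139.195.227.57 4433 tcp
172.16.1.50 8.8.8.8 53 udp
172.16.1.51 103.6.196.152 443 tcp
"""

DEFANGED_DOT = re.compile(r"\[\.\]|\./|/\.")     # dot spellings to undo; a path like "a./b" would also be touched
IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:[:\s]+(\d{1,5}))?$")
URL = re.compile(r"^(https?)://([^/:\s]+)(?::(\d{1,5}))?")


@dataclass(frozen=True)
class Indicator:
    host: str               # IPv4 address or domain name
    port: Optional[int]     # None when the list gave the host without a port


def refang(text: str) -> str:
    """Undo the protective spellings so the line can be parsed."""
    text = text.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return DEFANGED_DOT.sub(".", text)


def parse_iocs(raw: str) -> Tuple[List[Indicator], List[str]]:
    """Return (indicators, rejected_lines).  A line is rejected if it is neither
    IP[:port] nor a URL, or if the address or port is out of range."""
    indicators, rejected = [], []
    for line in raw.splitlines():
        line = refang(line.strip())
        if not line:
            continue
        m = IP_PORT.match(line)
        if m:
            try:
                host = str(ipaddress.IPv4Address(m.group(1)))   # rejects octets above 255
            except ipaddress.AddressValueError:
                rejected.append(line)
                continue
            port = int(m.group(2)) if m.group(2) else None
            if port is not None and not 1 <= port <= 65535:
                rejected.append(line)
                continue
            indicators.append(Indicator(host, port))
            continue
        m = URL.match(line)
        if m:
            default = 443 if m.group(1) == "https" else 80
            indicators.append(Indicator(m.group(2).lower(), int(m.group(3)) if m.group(3) else default))
            continue
        rejected.append(line)
    return indicators, rejected


def match_flows(indicators: List[Indicator], flows: str) -> List[str]:
    """Flag flows whose destination hits an indicator: exact host+port, or any
    port when the list gave the host alone."""
    ports_by_host = {}
    for ind in indicators:
        ports_by_host.setdefault(ind.host, set()).add(ind.port)
    hits = []
    for record in flows.splitlines():
        src, dst, dport, proto = record.split()
        ports = ports_by_host.get(dst)
        if ports is not None and (None in ports or int(dport) in ports):
            hits.append(f"{src} -> {dst}:{dport}/{proto}")
    return hits


if __name__ == "__main__":
    inds, bad = parse_iocs(RAW_IOCS)
    print(f"{len(inds)} indicators, {len(bad)} rejected: {bad}")
    for hit in match_flows(inds, FLOWS):
        print("ALERT", hit)
```

A host listed without a port (three entries in the list above have none) matches on any destination port, while an entry whose octets or port are out of range is returned in the rejected list rather than silently dropped, so a mangled line in a shared list does not quietly shrink the blocklist.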
Process Name: lsass.exe
Analysis Reason: Process activity after target sample started.
Image Filename: C:\WINDOWS\system32\lsass.exe
Command Line: C:\WINDOWS\system32\lsass.exe
Started At: Mon Nov 04 2013 10:22:41 UTC
Current Directory: C:\WINDOWS\system32
C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\lsass.exe
lsass
Name: svchost.exe
PID: 748
Child Count: 0
File Actions: 2
Registry Actions: 37
Analysis Reason: Process activity after target sample started.
Process Name: svchost.exe
Image Filename: C:\WINDOWS\System32\svchost.exe
Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
Started At: Mon Nov 04 2013 10:22:42 UTC
Current Directory: C:\WINDOWS\system32
C:\WINDOWS\System32\svchost.exe
Artifacts
ID | Path
16 | 748-svchost.exe
File Activity
Action | Path
Modified | ROUTER
Modified | \WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Registry Activity: Created Registry Keys
Created Key | Access List | Option List
\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO COMPRESSION MANAGER\MSACM | CREATE_SUB_KEY,ENUMERATE_SUB_KEYS,QUERY_VALUE,READ_CONTROL,NOTIFY,SET_VALUE | REG_OPTION_NON_VOLATILE
\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | CREATE_SUB_KEY,ENUMERATE_SUB_KEYS,QUERY_VALUE,READ_CONTROL,NOTIFY,SET_VALUE | REG_OPTION_NON_VOLATILE
Registry Activity: Modified Registry Keys
Modified Key | Value Name | Data Type | Data
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER | TracesProcessed | DWORD_LITTLE_ENDIAN | 17
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER | TracesSuccessful | DWORD_LITTLE_ENDIAN | 5
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER | LastTraceFailure | DWORD_LITTLE_ENDIAN | 4
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PREFETCHER | TracesProcessed | DWORD_LITTLE_ENDIAN | 18
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393} | DhcpRetryStatus | DWORD_LITTLE_ENDIAN | 2
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393} | DhcpDefaultGateway | MULTI_SZ | 172.16.1.1
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\{C20FDDB0-BD90-4E06-8D7A-87767A382393}\PARAMETERS\TCPIP | DhcpDefaultGateway | MULTI_SZ | 172.16.1.1
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS | DhcpNameServer | SZ | 172.16.1.1
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393} | DhcpNameServer | SZ | 172.16.1.1
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393} | DhcpSubnetMaskOpt | MULTI_SZ | 255.255.0.0
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\{C20FDDB0-BD90-4E06-8D7A-87767A382393}\PARAMETERS\TCPIP | DhcpSubnetMaskOpt | MULTI_SZ | 255.255.0.0
Details for Alert ID 67540517
Modified Key | Value Name | Data Type | Data
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\DHCP\PARAMETERS | {C20FDDB0-BD90-4E06-8D7A-87767A382393} | BINARY | AwAAAAAAAAAEAAAAAAAAAAqxd1KsEAEBUQAAAAAAAAASAAAAAAAAAAqxd1ID//9qb2UtOGE4MWM3NmM5ZGYAAAYAAAAAAAAABAAAAAAAAAAKsXdSrBABARwAAAAAAAAABAAAAAAAAAAKsXdSrBD//wEAAAAAAAAABAAAAAAAAAAKsXdS//8AADsAAAAAAAAABAAAAAAAAAAKsXdSAAAB9zoAAAAAAAAABAAAAAAAAAAKsXdSAAABFjMAAAAAAAAABAAAAAAAAAAKsXdSAAACWDYAAAAAAAAABAAAAAAAAAAKsXdSrBABATUAAAAAAAAAAQAAAAAAAAAKsXdSBQAAAA==
Values written under both \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393} and \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\{C20FDDB0-BD90-4E06-8D7A-87767A382393}\PARAMETERS\TCPIP:
DhcpIPAddress | SZ
DhcpSubnetMask | SZ
DhcpServer | SZ
Lease | DWORD_LITTLE_ENDIAN | 600
LeaseObtainedTime | DWORD_LITTLE_ENDIAN | 1383575218
T1 | DWORD_LITTLE_ENDIAN | 1383575496
T2 | DWORD_LITTLE_ENDIAN | 1383575721
LeaseTerminatesTime | DWORD_LITTLE_ENDIAN | 1383575818
Values written under \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{C20FDDB0-BD90-4E06-8D7A-87767A382393}:
IPAutoconfigurationAddress | SZ | 0.0.0.0
IPAutoconfigurationMask | SZ | 255.255.0.0
IPAutoconfigurationSeed | DWORD_LITTLE_ENDIAN | 0
AddressType | DWORD_LITTLE_ENDIAN
IsServerNapAware | DWORD_LITTLE_ENDIAN
DhcpRetryStatus | DWORD_LITTLE_ENDIAN
DhcpRetryTime | DWORD_LITTLE_ENDIAN
MANAGER\ACCOUNTS\VERISIGN
LDAP Search
%ProgramFiles%\Common Files\Services\bigfoot.bmp
VeriSign Internet Directory Service directory.verisign.com http://www.verisign.com
%ProgramFiles%\Common Files\Services\verisign.bmp
WhoWhere Internet Directory Service ldap.whowhere.com http://www.whowhere.com
Registry Activity: Deleted Registry Key Values
Name: c13cf0af350fd6dfb8380d0968c230b1.exe
File Activity:
Action | Path
Created | \??\C:\DOCUME~1\Malware~1\LOCALS~1\Temp\xsiretgashup.exe
Modified | \DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe
Modified | ROUTER
Modified | \Documents and Settings\Malware\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\slide1[1].exe
Registry Activity: Created Registry Keys
\REGISTRY\USER\Malware\Software\Microsoft\Multimedia\Audio Compression Manager | READ_CONTROL,CREATE_SUB_KEY,SET_VALUE | REG_OPTION_NON_VOLATILE
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG
Cookie Harvest
BINARY
futxhHWuQhIfkFA2NIDyL77fRlXHJxTDhr40k GMDYeX3u+W7g1I1wsr0lh7Ou9iDaqs+zpu 91H2N3Hg1G/WP5SwYjzegsPYZa3lrn5j1O GZ+O81+OI/p9OzcDyvGZJW2V5HbiG5gx1 FimFpAjcJr1czwe2I+G6qSBA+2BMMKTyT8j U/45wogwxFa8w3Y3po1AAgDmMpNm36Q+ vegCF6PXRJeQlJdD+oQDvVfakhIGUzSmh+ tfoGcvF09ecHeAdiCgvUL1rQa4csKmknl9XU gcZzWMwqhOTcZu6VMbrMblZYf+qfOwRBd Xa+6jIgKrI44BKC77i+guuY3X1rgiQG6MsoL dnklRdyK+q882JNEHWf2IMvGotnkBnRsWu ML2aGusDB0ol/lRQTjkinpz3tvKwisf7sCVKH 3umZ1v2u9wtDYQHx5wnpAOTwHbwYBl3cn QJBCVVN3XpoYpSFH5DHRJXwqrOT6e/cD zneaJaYairW6OAEbV1ELiC6uAWzczShIuY +iWx/jTHr08ZQtaJI1L4OYew5GUpfSu65Fe OZH8tfcliW/pDLwjYm+aQ1ZpMkaLgHLGMb K840tB5I+w0RONhq28eJySS3HfApNToiJlSr QuS4cQxovd1bHvQ==
\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\OVNEOCAQY | 2f09bg73 | SZ
futxhHWuQhIfkFA2NIDyL77fRlXHJxTDhr40k GMDYeX3u+W7g1I1wsr0lh7Ou9iDaqs+zpu 91H2N3Hg1G/WP5SwYjzegsPYZa3lrn5j1O GZ+O81+OI/p9OzcDyvGZJW2V5HbiG5gx1 FimFpAjcJr1czwe2I+G6qSBA+2BMMKTyT8j U/45wogwxFa8w3Y3po1AAgDmMpNm36Q+ vegCF6PXRJeQlJdD+oQDvVfakhIGUzSmh+ tfoGcvF09ecHeAdiCgvUL1rQa4csKmknl9XU gcZzWMwqhOTcZu6VMbrMblZYf+qfOwRBd Xa+6jIgKrI44BKC77i+guuY3X1rgiQG6MsoL dnklRdyK+q882JNEHWf2IMvGotnkBnRsWu ML2aGusDB0ol/lRQTjkinpz3tvKwisf7sCVKH 3umZ1v2u9wtDYQHx5wnpAOTwHbwYBl3cn QJBCVVN3XpoYpSFH5DHRJXwqrOT6e/cD zneaJaYairW6OAEbV1ELiC6uAWzczShIuY +iWx/jTHr08ZQtaJI1L4OYew5GUpfSu65Fe OZH8tfcliW/pDLwjYm+aQ1ZpMkaLgHLGMb K840tB5I+w0RONhq28eJySS3HfApNToiJlSr QuS4cQxovd1bHvQ==
\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\OVNEOCAQY | 2f09bg73 | SZ
futxhHWuQhIfkFA2NIDyL77fRlXHJxTDhr40k GMDYeX3u+W7g1I1wsr0lh7Ou9iDaqs+zpu 91H2N3Hg1G/WP5SwYjzegsPYZa3lrn5j1O GZ+O81+OI/p9OzcDyvGZJW2V5HbiG5gx1 FimFpAjcJr1czwe2I+G6qSBA+2BMMKTyT8j U/45wogwxFa8w3Y3po1AAgDmMpNm36Q+ vegCF6PXRJeQlJdD+oQDvVfakhIGUzSmh+ tfoGcvF09ecHeAdiCgvUL1rQa4csKmknl9XU gcZzWMwqhOTcZu6VMbrMblZYf+qfOwRBd Xa+6jIgKrI44BKC77i+guuY3X1rgiQG6MsoL dnklRdyK+q882JNEHWf2IMvGotnkBnRsWu ML2aGusDB0ol/lRQTjkinpz3tvKwisf7sCVKH 3umZ1v2u9wtDYQHx5wnpAOTwHbwYBl3cn QJBCVVN3XpoYpSFH5DHRJXwqrOT6e/cD zneaJaYairW6OAEbV1ELiC6uAWzczShIuY +iWx/jTHr08ZQtaJI1L4OYew5GUpfSu65Fe OZH8tfcliW/pDLwjYm+aQ1ZpMkaLgHLGMb K840tB5I+w0RONhq28eJySS3HfApNToiJlSr QuS4cQxovd1bHvQ==
BINARY
futxhK4DNUDRIlZxQfKkhf/ZXWdkOj9O5gZo 4Mf/VED1jOxz2GOCOd70lh7Ou9iDaqs+zpu 91H2N3Hg1wESyAoro2ZFKYkWsQdCRv3G soyA7xBGeXVAZ/vhYUo3O/oikqYdnmTcPN RE4WKn3hSeVhYoF7l1iFhKf0lpB2wHxIO4I W5Q5QbGy74ucwuG/WQwF8y+99aPOo8z RcOrB7cjAlRn9iTTdWuEQ
\REGISTRY\USER\S-1-5-21-1202660629-583907252-1801674531-1003\SOFTWARE\MICROSOFT\OVNEOCAQY | 7dg9e28 | BINARY
futxhHWuQhIfoFE2NIDy6StwEtJr5sGtoUDT ZbG91otOoMl6
\REGISTRY\USER\Malware\SOFTWARE\MICROSOFT\OVNEOCAQY | 20dcj2dj | SZ
futxhK4DNUDRIlZxQfKkhf/ZXWdkOj9O5gZo 4Mf/VED1jOxz2GOCOd70lh7Ou9iDaqs+zpu 91H2N3Hg1wESyAoro2ZFKYkWsQdCRv3G soyA7xBGeXVAZ/vhYUo3O/oikqYdnmTcPN RE4WKn3hSeVhYoF7l1iFhKf0lpB2wHxIO4I W5Q5QbGy74ucwuG/WQwF8y+99aPOo8z RcOrB7cjAlRn9iTTdWuEQayfz469Q3O03t6 TySw9I7Qt2I/hj7+c1+wqycD7aP+dnadqZvEr A9gDfNcbKNxlfvswInMU/J/g=
\REGISTRY\USER\Malware\SOFTWARE\MICROSOFT\OVNEOCAQY | 2f09bg73 | BINARY
futxhHWuQhIfkFA2NIDyS+6AFi0qCbIwpiC9 5tihkDVh2NZd6WEig9P0lh7Ou9iDaqs+zpu9 1H2N3HhlBoxu9/DNhPETINQQcKbBkG0GI QA/XyDufls3zyyh0LHS0sW98zglj7cTB90Tjh WNT+2poQsIBdCd8rGu2/qtli6NC1p04A/pIyx b0du6egt1DH9cC0ex7o4FSM8cAz82P+FWf 5ZHT1XI9z42ItIcYo0b+oYoru7DBcX7M7Ge ABMbhE8gEI0s/E343Vlxf+PltHnnHpUWE6u 9iwRtizvW0xnefide8bVHReqx8pnswnL9/Fyp 3yAhu18aNPFMyUznygwR9yZcOs1QppU1J 2ucuMhhA1eLCUTbznbyaHYKEOW8d5JjNj Dgkz2bA7CuTCbGnHleDb17P4cO5XtKFhX mv2u9wtDYQHx5wnpAOTwHbwYBl3cnQJB CVVN3XpoYpSFH5DHRJXwqrOT6e/cDznea JaYairW6OAEbV1ELiC6uAWzczShIuY+iWx/ jTHr08ZQtaJI1L4OYew5GUpfSu65FeOZH8tf cliW/pDLwjYm+aQ1ZpMkaLgHLGMbK840tB 5I+w0RONhq28eJySS3HfApNToiJlSrQuS4c Qxovd1bHvSPcoPJlJp6KMSN+WT4SX2P24 TPbbunIQn3RyJEP528CCpNk2AN1MduFiSt VJR2WYnP4mlJee1kZwvonXg+m5INbzx9yb isidYkwsxXZCozNISXtcmz3hCig+V2PoAn+4 OwF6tVnrNcyKo6Nyzn79k4ff4ZsApUItNdbU FekVoldiHpM4nTqOV10c1AaOSMJvgOQP5 LfmRSR9YbMtLpMrFFXVJlw9goiiaaKp/5UY YjPbCYVnq4AcbJfkqkZfrbfJQGsdZt/Ch4IgV bvkiuB5AoVD9A2OwlWbf1ATpa95BX+BFE5 JDE3SuxiqGpmjEZs4rk0TTrTu8QgYz347ed 2sbXMTEfvf7oTtRpF3FqnLNuUj5NCMp7W Wg7R+GY7fytFR4+kw3xwWXHLc/XS2FR98 PCh7ESrMZjQeUTHa6KUbR1PUyGP1zgX5 7tMVllA95WI6kfHedYdmi7LLsWEc94hX8xS uYkHQRZg+qRCstJTJS2CjyQzlT+UU0oTlJB Ov0C3Rn/X1M6KJAettZlu/tQRhWsyg1cgIv9 swrS3fy/UkenSSPfCNV8aGKMyH75ZnMeL PUc3DDR3B9vsVOiEd9LtQn8lBcKteLu+ICP qCA/ftL2byWyY/0E5WE+dZmE=
\REGISTRY\USER\Malware\SOFTWARE\MICROSOFT\OVNEOCAQY | 20dcj2dj | SZ
futxhK4DNUDRIlZxQfKkhf/ZXWdkOj9O5gZo 4Mf/VED1jOxz2GOCOd70lh7Ou9iDaqs+zpu 91H2N3Hg1wESyAoro2ZFKYkWsQdCRv3G soyA7xBGeXVAZ/vhYUo3O/oikqYdnmTcPN RE4WKn3hSeVhYoF7l1iFhKf0lpB2wHxIO4I W5Q5QbGy74ucwuG/WQwF8y+99aPOo8z RcOrB7cjAlRn9iTTdWuEQayfz469Q3O03t6 TySw9I7Qt2I/hj7+c1+wqycD7aP+dnadqZvEr A9gDfNcbKNxlfvswInMU/J/gxNBtZjGLoD60 GaxdPlN5GC3rq8eNfOJ4Njpcait125Zjw7hxt BkPTwy4H+pG3uQcEqaiCt92yEA==
BINARY
2j0v6FWp4XQ/BYvb1xOBmStwBeHZJIk6WJ 7zonH9nmZIA2m5RMmo/nIsaFXZZi6om/4+ zpq91G1Z3ng11OPFUH31N8mutHqlNPTCu swabHCrYCV6UvJjYWb97AorLDQfNZgx7Q pnqB1vPNR4sADjp2CFJM7Z0FF+Go2n4VH vnIEC5XWgvUZWOl3pjXUoLipnZmYyLJ4sE mXbY/3vm4LEeTEhKswhxWt+FSAzuJW26 D0rhUeGOApOcsWBMMId483sLGyo31rLBz YEDMWP7pvaWNeUrD4hP6zAvRls98CluN4 CdPuxpyFV01iFFdejXGkdUdPyMfoStdLIp8 WMT1cDJZNnk8heIjAKDVYLe+qf/PMaE6zX FkFUtFtKp4VKHGU31moaYOLxd81jF9w/Me FM6LhWhHgeiekXi6JVDmVW8Xy5HSgZgvz 9nS94MKDRn37DUrAr7FERZK5UAzFyPrRf ObQTJVpj5Wk90rKgxD/d2NYW9BJNBKH2g RnivRY+WcqzaVBIPkT/6hxLb3ejhRiTof05Fx uwcIGpWWvt8W9yUNBoqqnbgAW3DTycgt UGUygwGh4zrfllYZR0Viq0airiVz/ViNZg9uTg bjzzVbZspQa0WzjSuFx9gkv4E9TJYiLyi946 WY8+pQoatNVROKmpd9uSzdaFIOC77G2N 3wtMdkmc77VS2fjuOePTv99b39tjUwyjmGT oK3U6RYfhdWCtGEfctxZm/a87wOibOZrM7 dXpQNA5xHaglZL6yxF5x1UU6I+yoLtTOKW BMOjCGTgBtJaXhejlctcgO4fLzcpSYnns9MR OHxHDL+uIBIH713Kn3nCeDuBPQ1wLbMjP hE0o0QAyuWWVeYlrfwy+QaBwmiZ8SFu7D iurZL2YeVEQbLcP31yScLm8y1dcJ3K0I7MN z8A5VU6kjI7WH617QRHU0VKDn25mfeVq WzJ4dGZcYNCy0F+aRKi6gfpcI0Z/BPwftAb ubOR/alUioYHujp5yrgRorrXWIY/aUhvObO0 ATqmoqashnAW9gI6EIfnGaOQzVMZkyC7F 4aKUbB1PQ3eM1ziO77tMEPj9j71HDJ5rZ3 WKwO3ghBrD7VLQIyQXJu/njti6PBd3k/xmUf 8z7kubvIlK/TLm0yc5FbuSDFCrzCN3ittJUXX sZeLa/AEguGdSLDTvIHNQmcNRuFjG8eoV CBd1i6qsW6Gew4r5hQ0Vzz62V5jGv8JCtbJ tDrL4hMA1U+V7VPpaJVlcn5/JB3IZZtoBx8A sbSBJ9LYOv5k23l7zU7UjxFxNUjGwUTzSp FCDA6MYgAHi26CGCI++T4L8YQXvuHQK1 ux/R3MOh0PEwAul3DDyUeBrdKZ5v3nNAa SXdbuaA57PTJ+wEnQXx7arScl/xFNAT+Pn GhxsJl+M5mH+a85lmJ7c3TRq6/INkLdyvdH HEigmVP3S+4cqhKmaFJnEIRZR05YO7Dh0 KyZXUPELoM5lVGn9cbx4YVxwa5QlYl6C5L lxfQUUTtADXHl85BzrHQghFQSYPSU7KBE Ar5yMgPGCo6wwWwdHWFfQnLfj3Jx8Zbm K00x4SjhjwKtDvWPM7BRXSi4rKOm9+mR9 /KRclYqWHmScQ1ab5+cndRd1YfZtCZFcN3 W/GfSjLFnV1Eiv2t+mZmUonFxAwuPPBih54 TETTbhq6Y2jHa6CzCGpIQNKj1icUcp6DD5 cYydoSdxkR41VVEa52dY0MA2nroBvytJ5Vd 3l+drtUHeXnSzJOkC5GNhU1ufOLQC520pJ nCtrizOJj0WGt1JX4zGNgjSdt/nqrU+RpWXw uFUuK9XK2aOmfhNYtg3HzA4UrO0/LuS4br BEP8VrAdpGnc7JIE0FQkaTcmQKT+Y5udQ bNtoYTC0SG0urnSSVbhLZ7N/QZ9H9LOqC RB25VuBdgVfSD4s44G4q8G5pQwRrKwSH 
C29PfjPfmkJHmWngtAmtpmzoEYCs3xsLyy LfkmUXXaCiMbJcZE7O/ga9Gq54p5y3Hhm OuE1qqM7PSwfavwU07H2Q8JsTTyyLN1wz Tlvm5fVL/hMVITEnA95KPo2x04EchiICZkY WP977G8yzx3TyU1Rn8Jb7NHxXR4EugOz AnDZsnb/bfLumxQgx3WzqkUOgKfXZGrxR m6nXhmZ5Uq0LnNxvwhZevA9y+GhEbg3K Q1euKcvIHG+yyAwYdf98iHtBK2nRfsE0KMk S0rsB99Jcwj52+zSSVkh414qgjTyOHS90gi5 UZEebA7wMiPRaQt4c4HHoUWAfwpcTUhH zwduxOk4ExOZcfT2bbxdtDjkTkmvPhRLeU6 y+1zLYxNQ2xL5sLs23D50XxWsynptmTPRn FEDTYY24Cztz+k0LnUczRTYJZ2fMoLX+p5 B4f3+xY50eZKKqXvIjZCT8T3leHVAJLUX10l leR+YUnV/cJ+uYgWNSj2Xx+O6otEuzfVa9xi 5ag33e+zYxW/1aS8xH71JHVCaCeoUUWs YvqYQ14FoJO1sJQQUl7l3hAdQ5EWSzK9t FoYuUQRkYIsLvkWikpQqnBKxObbmnk7Ve e+P/QTmpWJDEVyF9sIGnTxHYnycq8LoOE CCVfyhnCwRXvJHxnUf/MvWeHpy1cH+H/M 6TmPwzOMoNEp2jmTKvQE5Vf7V0FOwHq pfJrKhsqA/gwNnUOCAMneGDwi0IXrEHnC3 bxPVoNqXkGJo30YgtJtRlCAa6ai9f/7CDXf9v Wxi5UkdnkyH+rbnus3YZh+tGMCqbmNUDM yIlxF7UvORqQELIQPtWirTl6rZqZpVTeLZlW ArUvlRyn9eZGOkiTGfJOqtomRX7o1TTBdFj +A7iobP/eY5a/Z/OXMvUX67N3P6q5PYnyo HODjCUujhW1TYpv4OvN0HP7YdwoOcqhh xZ1ThvDOAseoqGQF9pChkmFT1xu8dQaX gj8Ao/k+FLMBb4x4tznI4xdByZiK4GlfT6x0W Ei8oSoEB4FwWenEQ6dsa8GXfeASOmqLH kvVy3GD2GlfXFUc789fkO2PuJH3h3itmbb1d cW69an8NvMR0qAi8UODJNPu1ot9u04oUZl IdY2pDeG1B/FmXsldqIk7vR87AiVCblDYbsZ JTdfGdBgE8FBec29kFHNtwxwL8MrIuoZsQ BQYsap4E0PuCm2qNNkX67nixRcTTuLiB67 N3J8GE0L4HLMFNmj6lXLMxgAt5hJoNiyJs Kyy4huKmybFoR2/kQ4Nr3G2cusjSqp63tX8 7Q8NIWdp8kccvWi9za+KN1wqn+W2J3x2Y 15zoG7m3fJMk2iLkfS7IiQh4uzMrSfugo5Ige OpHV/j6+QSGh6nDzAAsZ149T22LnkpBnB PDguuwJv8i9xaoHx73QJELzUAwuZnAUON
-- CUT --
Process column entries: 1000 (cmd.exe) x5; 748 (svchost.exe) x21
OlkContactRefresh OlkFolderRefresh
Path | Process | Action
\DOCUME~1\Malware\LOCALS~1\Temp\VKO2BB.bat | 1308 (xsiretgashup.exe) | Modified
\Documents and Settings\Malware\Application Data\Imdeaj\iqybox.exe | 1308 (xsiretgashup.exe) | Modified
\Documents and Settings\Malware\NTUSER.DAT.LOG | 1308 (xsiretgashup.exe) | Modified
lsarpc | 1308 (xsiretgashup.exe) | Modified
\DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Modified
ROUTER | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Modified
| 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Modified
lsarpc
net\NtControlPipe5
\Documents and Settings\Malware\NTUSER.DAT.LOG | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Modified
| 788 (svchost.exe) | Modified
\Documents and Settings\Malware\NTUSER.DAT.LOG | 1352 (Explorer.EXE) | Modified
| 1000 (cmd.exe) | Modified
\Documents and Settings\Malware\Application Data\Microsoft\Address Book\Joe Maldive.wab
lsarpc | 1000 (cmd.exe) | Modified
| 1000 (cmd.exe) | Modified
ROUTER | 748 (svchost.exe) | Modified
\WINDOWS\Prefetch\CMD.EXE-087B4001.pf | 748 (svchost.exe) | Modified
Nov 4, 2013 16:03 EST
Path | Process | Action
lsass | 492 (lsass.exe) | Modified
\Documents and Settings\Malware\NTUSER.DAT.LOG | 900 (iqybox.exe) | Modified
lsarpc | 900 (iqybox.exe) | Modified
\??\C:\Documents and Settings\Malware\Application Data\Imdeaj\iqybox.exe | 1308 (xsiretgashup.exe) | Created
\??\C:\Documents and Settings\Joe Maldive\Application Data\Imdeaj | 1308 (xsiretgashup.exe) | Created
\??\C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\diyq.xij | 1308 (xsiretgashup.exe) | Created
\??\C:\DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Created
\??\C:\Documents and Settings\Malware\Application Data\Microsoft\Address Book\Joe Maldive.wab | 1000 (cmd.exe) | Created
\WINDOWS\system32\rsaenh.dll | 1308 (xsiretgashup.exe) | Read
AUTOEXEC.BAT | 1308 (xsiretgashup.exe) | Read
\DOCUME~1\Malware\LOCALS~1\Temp\xsiretgashup.exe | 1308 (xsiretgashup.exe) | Read
lsarpc | 1308 (xsiretgashup.exe) | Read
AUTOEXEC.BAT | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Read
\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Read
ROUTER | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Read
lsarpc | 1188 (c13cf0af350fd6dfb8380d0968c230b1.exe) | Read
\WINDOWS\system32\rsaenh.dll | 788 (svchost.exe) | Read
\WINDOWS\system32\drivers\etc\hosts | 788 (svchost.exe) | Read
net\NtControlPipe5 | 788 (svchost.exe) | Read
\WINDOWS\system32\rsaenh.dll | 1352 (Explorer.EXE) | Read
\DOCUME~1\Malware\LOCALS~1\Temp\VKO2BB.bat | 1000 (cmd.exe) | Read
\Documents and Settings\Malware\Application Data\Microsoft\Address Book\Joe Maldive.wab | 1000 (cmd.exe) | Read
\WINDOWS\Registration\R00000000000b.clb | 1000 (cmd.exe) | Read
lsarpc | 1000 (cmd.exe) | Read
\WINDOWS\Prefetch\CMD.EXE-087B4001.pf | 1000 (cmd.exe) | Read
ROUTER | 748 (svchost.exe) | Read
lsass | 492 (lsass.exe) | Read
\Documents and Settings\Malware\Application Data\Imdeaj\iqybox.exe | 900 (iqybox.exe) | Read
lsarpc | 900 (iqybox.exe) |