
New Stration

Last night I decided to take a quick look at the recent malware in my inbox, and I saw a new Stration spam run. I've uploaded the files here; see below for all the MD5 sums.

It downloads the following files:

http://www4.vadesunjionderunhdae.com/chr/843/lt.exe
http://www5.vadesunjionderunhdae.com/chr/843/s.exe
http://www6.vadesunjionderunhdae.com/chr/843/nt.exe

nt.exe:
MD5SUM: e638ade43b02485e84c01294ccc6abcf
SHA1SUM: cdc12815beee2b9be519ecf83ef976393aabe7a1
SHA256SUM: 01c306254eaad64ae8d22f2478ff85cd6a50d1d7bc7371c648a22b64ad0d4234

[ Changes to filesystem ]
* Creates file C:\WINDOWS\msserrv32.exe.
* Creates file C:\WINDOWS\msserrv32.dat.
* Creates file C:\WINDOWS\SYSTEM32\e1.dll.

[ Changes to registry ]
* Creates value "msserrv32"="C:\WINDOWS\msserrv32.exe s" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
* Enumerates running processes.
* Modifies other process memory.
* Creates a remote thread.

It saves all email addresses found on the system in a file called msserrv32.wax.

lt.exe:
MD5SUM: 613640b7155a3a6702f30e4e4cd995b2
SHA1SUM: 99ddbab189ec36c9ee84d8791b46d7a772988766
SHA256SUM: 862cdeda9027b347126d10f5671e77e7fb3f5d46692b6b63108be23a37571f61

[ Changes to filesystem ]
* Creates file C:\windows\system32\dpmoscrr.exe.
* Creates file C:\WINDOWS\SYSTEM32\slbrusrs.dll.
* Creates file C:\WINDOWS\SYSTEM32\rdochype.exe.
* Creates file C:\WINDOWS\SYSTEM32\dao3tsdd.dll.

[ Changes to system settings ]
* Creates WindowsHook monitoring cbt activity.

[ Process/window information ]
* Creates an event called ZAAllowEvent.
* Creates an event called SGAllowEvent.
* Creates an event called NISAllowEvent.
* Creates an event called OPAllowEvent.
* Creates an event called MAAllowEvent2.
* Attempts to access service "vsmon".
* Creates an event called ActiveZA.
* Attempts to access service "SmcService".
* Creates an event called ActiveSG.
* Attempts to access service "wscsvc".
* Attempts to access service "SharedAccess".
* Attempts to access service "Symantec Core LC".
* Creates an event called ActiveNIS.
* Attempts to access service "OutpostFirewall".
* Creates an event called ActiveOP.
* Attempts to access service "MpfService".
* Creates an event called ActiveMA.
* Attempts to access service "WinRoute".

s.exe:
MD5SUM: cfded3ba34715f81c296183b5d55b7ab
SHA1SUM: 9d32ec5cb59d8e7018efb32eecd504db361ff1bf
SHA256SUM: 49ee6f0ade31af0d6d0e8a017908444a544941622712d77614702eb4d153cb3f

Variants spotted:


Btw, we need an upload form where we can upload a number of malware files at the same time (in a zip or something); it takes forever to do it one at a time :)
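The sandbox reports quoted above follow a regular "[ section ]" / "* action." layout, which makes them easy to turn into machine-readable indicators for host checks or detection rules. The following is an added example, not code from the post or from Norman; it parses that layout and tags the behaviours the reports show (Run-key persistence, remote-thread injection, probing of security-product services). The sample input is constructed from the nt.exe and lt.exe excerpts above, and the tag names are my own.

```python
import re
# Constructed sample from the nt.exe and lt.exe excerpts in the post (the service line is lt.exe's).
SAMPLE_REPORT = r"""[ Changes to filesystem ]
* Creates file C:\WINDOWS\msserrv32.exe.
* Creates file C:\WINDOWS\SYSTEM32\e1.dll.
[ Changes to registry ]
* Creates value "msserrv32"="C:\WINDOWS\msserrv32.exe s" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Modifies other process memory.
* Creates a remote thread.
* Attempts to access service "vsmon".
"""
SECTION_RE = re.compile(r"^\[ (.+?) \]$")
# IoC patterns keyed by the report list they fill; multi-group matches are stored as tuples.
IOC_PATTERNS = {
    "files": re.compile(r"^\* Creates file (.+)\.$"),
    "registry": re.compile(r'^\* Creates value "([^"]+)"="([^"]*)" in key "([^"]+)"\.$'),
    "services": re.compile(r'^\* Attempts to access service "([^"]+)"\.$'),
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# Security-product services the lt.exe report shows being probed.
SECURITY_SERVICES = {"vsmon", "SmcService", "wscsvc", "SharedAccess",
                     "Symantec Core LC", "OutpostFirewall", "MpfService", "WinRoute"}

def parse_report(text):
    # Group '* ...' actions under their '[ section ]' header and pull out structured IoCs.
    report = {"sections": {}, "files": [], "registry": [], "services": []}
    section = "unknown"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
        elif line.startswith("* "):
            report["sections"].setdefault(section, []).append(line[2:])
            for name, pat in IOC_PATTERNS.items():
                if m := pat.match(line):
                    report[name].append(m.groups() if len(m.groups()) > 1 else m.group(1))
    return report

def triage(report):
    # Map parsed behaviours to defender-facing tags: persistence, injection, AV/firewall tampering.
    tags = set()
    if any(RUN_KEY_RE.search(key) for _name, _data, key in report["registry"]):
        tags.add("persistence:run-key")
    actions = {a for lines in report["sections"].values() for a in lines}
    if {"Modifies other process memory.", "Creates a remote thread."} <= actions:
        tags.add("injection:remote-thread")
    if SECURITY_SERVICES & set(report["services"]):
        tags.add("tamper:security-services")
    return tags
```

The extracted file paths and Run-key value can be fed straight into a host sweep, while the tags give a quick triage verdict before any deeper analysis.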

I like your detailed output

I like your detailed output post. Do you have a tool that you used to generate that?

detailed output

Some of it is from Norman sandbox (commercial software), but they have an online version of it: http://sandbox.norman.no/live_4.html

In most cases it gives some general info about file creations, registry changes, outbound network connections... it is a nice place to start for a quick analysis of a file :)

Norman Sandbox

Some of it is from Norman sandbox (commercial software), but they have an online version of it: http://sandbox.norman.no/live_4.html

So the commercial Norman Sandbox produces output like this? Had I realized that it produced output similar to the online version, I would have strongly recommended it on a recent malware analysis project (at least for triage). Unless I'm reading your post wrong, the PC software produced that output, right?

Yup

That's correct, their software produces that output.

The above output is from the Sandbox "module" in their antivirus program. Their antivirus program only runs the program through the sandbox module if it matches certain signatures. However, they also sell their sandbox as a separate product, which checks all files (just like the online version), but that's really, really expensive :)