Download Link: hxxp://66.36.252.130/asas/glass215.exe
Analysis Report: http://malwareinfo.freeforums.org/66-36-252-130-asas-glass215-exe-t19.html

File Name: glass215.exe
File size: 31744 bytes
MD5: 792ec1a372372141739e004e7412762a
SHA1: 13898a1d92d439369b3f8b2947e3b6c66409c866
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX, embedded
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B5A12F8C002429A57C7E0019B1271200520E6079

VirusTotal Result: 20/32 (62.5%)
AntiVir: TR/Crypt.XDR.Gen
AVG: SHeur.BAEY
BitDefender: Generic.Malware.Bdld!.A5FE4485
CAT-QuickHeal: TrojanSpy.Banker.kew
ClamAV: Trojan.Bancos-9194
DrWeb: Trojan.MulDrop.origin
eSafe: suspicious Trojan/Worm
Ewido: Logger.Banker.kew
F-Prot: W32/Goldun.A.gen!Eldorado
Fortinet: W32/Bankban!tr
Ikarus: Virus.Win32.Goldun.LR
Kaspersky: Trojan-Spy.Win32.Banker.kew
Norman: W32/Banker.CPGU
Panda: Suspicious file
Prevx1: TROJAN.SPY
Sophos: Mal/Generic-A
TheHacker: Trojan/Spy.Banker.kew
VBA32: Trojan-Spy.Win32.Banker.kew
Webwasher-Gateway: Trojan.Crypt.XDR.Gen

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00008000
Size of initialized data: 00001000
Size of uninitialized data: 00016000
Address of entry point: 0001E080
Base of code: 00017000
Base of data: 0001F000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00020000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
UPX0      00016000  00001000  00000000  00000400  E0000080
UPX1      00008000  00017000  00007400  00000400  E0000040
.rsrc     00001000  0001F000  00000400  00007800  C0000040

Import table (libraries: 5)
KERNEL32.DLL (imports: 4)
  LoadLibraryA
  GetProcAddress
  VirtualProtect
  ExitProcess
advapi32.dll (imports: 1)
  RegOpenKeyExA
ole32.dll (imports: 1)
  CoTaskMemFree
oleaut32.dll (imports: 1)
  SysFreeString
user32.dll (imports: 1)
  CharNextA

Unpacking with UPX:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     88576 <-     31744   35.84%    win32/pe     glass215.exe
Unpacked 1 file.

File Info:
File Name: glass215.exe
File size: 88576 bytes <-- Unpacked with UPX
MD5: 3d93587f3bdfaf2296d48e5f5181ac9e
SHA1: 68e3f857382da98e4fde1bf84ce1842b7ed65c62
PEiD: -
packers: embedded

VirusTotal Result: 10/32 (31.25%)
BitDefender: BehavesLike:Trojan.AppInitDLL
DrWeb: Trojan.MulDrop.origin
Ewido: Logger.Banker.kew
F-Prot: W32/Goldun.A.gen!Eldorado
F-Secure: Trojan-Spy.Win32.Banker.kew
Ikarus: Virus.Win32.Goldun.LR
Kaspersky: Trojan-Spy.Win32.Banker.kew
Norman: W32/DLoader.GEWZ.dropper
Panda: Suspicious file
VBA32: Trojan-Spy.Win32.Banker.kew

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0008
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00003200
Size of initialized data: 00012400
Size of uninitialized data: 00000000
Address of entry point: 0000404C
Base of code: 00001000
Base of data: 00005000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0001D000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
CODE      000030F8  00001000  00003200  00000400  60000020
DATA      0001148C  00005000  00011600  00003600  C0000040
BSS       00000921  00017000  00000000  00014C00  C0000000
.idata    00000434  00018000  00000600  00014C00  C0000040
.tls      00000004  00019000  00000000  00015200  C0000000
.rdata    00000018  0001A000  00000200  00015200  50000040
.reloc    000002F0  0001B000  00000400  00015400  50000040
.rsrc     00000200  0001C000  00000200  00015800  50000040

Import table (libraries: 6)
KERNEL32.DLL (imports: 5)
  LoadLibraryA
  GetSystemDirectoryA
  GetProcAddress
  FreeLibrary
  CreateProcessA
KERNEL32.DLL (imports: 28)
  GetCurrentThreadId
  WideCharToMultiByte
  MultiByteToWideChar
  GetLastError
  ExitProcess
  WriteFile
  SetFilePointer
  SetEndOfFile
  RtlUnwind
  ReadFile
  RaiseException
  GetStdHandle
  GetFileSize
  GetSystemTime
  GetFileType
  CreateFileA
  CloseHandle
  GetCommandLineA
  TlsSetValue
  TlsGetValue
  LocalAlloc
  GetModuleHandleA
  GetModuleFileNameA
  FreeLibrary
  HeapFree
  HeapReAlloc
  HeapAlloc
  GetProcessHeap
advapi32.dll (imports: 3)
  RegSetValueExA
  RegOpenKeyExA
  RegCreateKeyExA
ole32.dll (imports: 1)
  CoTaskMemFree
oleaut32.dll (imports: 3)
  SysFreeString
  SysReAllocStringLen
  SysAllocStringLen
user32.dll (imports: 1)
  CharNextA

When Executed:
Process ID: 212
File Name: glass215.exe

File System Activities:
Create File: C:\WINDOWS\system32\sms22bvjbv.dll
Create File: C:\WINDOWS\system32\winsms.dll
Create File: preved.bat
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\preved.bat ()
Find File: preved.bat

Registry Changes:
HKEY_LOCAL_MACHINE\Software\DataAcces\BDE\171765171765574535131765574535 "pg" = 2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs" = C:\WINDOWS\system32\sms22bvjbv.dll

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename () CommandLine: (preved.bat) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (212) As User: () Creation Flags: ()

System Info:
Get System Directory
Get System Time

Process Started:
Process ID: 236
Filename: preved.bat
Filesize: 388608 bytes
MD5: eeb024f2c81f0d55936fb825d21a91d6
Start Reason: CreateProcess function call

File System Activities:
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Get File Attributes: preved.bat Flags: (SECURITY_ANONYMOUS)
Find File: C:\preved.bat
Open File: C:\preved.bat (OPEN_EXISTING)
Get File Attributes: C:\glass215.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\glass215.exe
Delete File: C:\glass215.exe
Delete File: C:\preved.bat

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"

Process Management:
Kill Process - Filename () CommandLine: () Target PID: (236) As User: () Creation Flags: ()

File Name: sms22bvjbv.dll
MD5: 0ae450d586ec45df9505cd5b4b7f405a
SHA1: 4a8fe1a8368c0fe0b40b9199047b50c1cd8f66ae
SHA256: f69c549ebd69ee58e9dbd64d732b46b4ad2f3050d47cab49397680aa37bf6e3d
SHA512: 61239ff2ce7c8c879fec70d91beb743817df6c40f67547ab358a0ca8aac02aac84f10a41eb5cfa069c10628ec6d42ec0dfa60743892820055aa9d2b67207fb4a

VirusTotal Result: 15/32 (46.88%)
AntiVir: TR/Delphi.Downloader.Gen
Authentium: Possibly a new variant of W32/Threat-SysVenFak-based!Maximus
Avast: Win32:Goldun-KG
DrWeb: DLOADER.Trojan
F-Prot: W32/Goldun.A.gen!Eldorado
F-Secure: Trojan-Spy.Win32.Banker.kal
Ikarus: Trojan.Win32.Delf.nf
Kaspersky: Trojan-Spy.Win32.Banker.kal
McAfee: PWS-Banker.gen.i
Microsoft: TrojanSpy:Win32/Goldun.BX
Norman: W32/DLoader.GEWZ
Prevx1: Heuristic: Suspicious Self Modifying File
Sophos: Sus/DelpDldr-A
Symantec: Infostealer
Webwasher-Gateway: Trojan.Delphi.Downloader.Gen