HPsus/Matsnu-B

Category: Suspicious Behavior and Files
Type: Suspicious file
Protection available since: 06 Sep 2012 16:01:47 (GMT)
Last Updated: 06 Sep 2012 16:01:47 (GMT)


Examples of HPsus/Matsnu-B include:

Example 1

File Information

Size
76K
SHA-1
0a0e4ceb7b003f9337d54d8ffeca1ceb4b04ad50
MD5
f006e2c76a4dfe750c08130826d0eb34
CRC-32
9d4964f1
File type
Windows executable
First seen
2011-06-28

Other vendor detection

Kaspersky
Trojan.Win32.Inject.efmi

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\Ihbnibnih\mwpkmwbvmu.exe
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    601F769F
    c:\Documents and Settings\test user\Application Data\Ihbnibnih\mwpkmwbvmu.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegedit
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableRegedit
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger
    P9KDMF.EXE
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
Processes Created
  • c:\docume~1\support\locals~1\temp\dgrugvryyf.pre
  • c:\windows\explorer.exe
  • c:\windows\system32\ctfmon.exe
  • c:\windows\system32\reg.exe
HTTP Requests
  • http://lickes-shops.com/forum/a.php
DNS Requests
  • lickes-shops.com

Example 2

File Information

Size
59K
SHA-1
0b94641a022e3a0727cf9f8fbef433f245010379
MD5
2aa1c2bc888b098542ebd1dc673a41d6
CRC-32
da5959a4
File type
Windows executable
First seen
2012-07-28

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Kwplpallrzx\llrzlbvmu.exe
Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\601F769F000043500000.$$0
    Size
    881K
    SHA-1
    6a0cd3f6b3ef84da21f44c00abec64b2baee2f61
    MD5
    e03ff05baf1f12e686f75828f90abe06
    CRC-32
    0e11db89
    File type
    Unspecified binary - probably data
    First seen
    2012-07-11
  • c:\Documents and Settings\test user\Local Settings\Temp\601F769F0000435000007573
    Size
    1.1K
    SHA-1
    fc07eb10e39eb4cfe396f242fa47dead71e448d9
    MD5
    e94c2bb4c66771d842db6dbb0eb6b7a4
    CRC-32
    5432ba42
    File type
    Unspecified binary - probably data
    First seen
    2012-05-01
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger
    P9KDMF.EXE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegedit
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr
    0x00000001
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Startup
    c:\Documents and Settings\test user\Kwplpallrzx
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000001
Processes Created
  • c:\docume~1\support\locals~1\temp\rycyyplepr.pre
  • c:\windows\explorer.exe
  • c:\windows\system32\reg.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://seneesamj.com/cgi-bin/a.php
DNS Requests
  • seneesamj.com

Example 3

File Information

Size
159K
SHA-1
1c95ece96bb5ba3c2e269582a1ec4cd6cb0f8bd1
MD5
0c2dc2b3c1a73e034181a5479dbeb318
CRC-32
b1119c8e
File type
Windows executable
First seen
2012-07-26

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\3A3DA874601F769F71D4.exe
  • c:\Documents and Settings\test user\Application Data\Uffcffdzap\8CF37AE4601F769F8977.exe
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger
    P9KDMF.EXE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    601F769F
    c:\Documents and Settings\test user\Application Data\Uffcffdzap\8CF37AE4601F769F8977.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableRegedit
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
    Debugger
    P9KDMF.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger
    P9KDMF.EXE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegedit
    0x00000001
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\3A3DA874601F769F71D4.exe,
Processes Created
  • c:\docume~1\support\locals~1\temp\munnnnmppz.pre
  • c:\windows\system32\reg.exe
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://maclinum.com/adm/lin/a.php
DNS Requests
  • maclinum.com
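The registry changes recorded across the three examples above (an Image File Execution Options "Debugger" value pointing taskmgr.exe, regedit.exe and msconfig.exe at P9KDMF.EXE, the DisableTaskMgr / DisableRegedit / DisableRegistryTools policies set to 1, a second executable appended to the Winlogon Userinit value, the Startup shell folder redirected to the malware's own directory, and a Run value pointing into Application Data) translate directly into hunting rules. The script below is an added example for this page, not Sophos tooling and not code from the original analysis: it parses text in the `reg export` (.reg) format and flags each of those behaviours. The embedded dump is constructed from the entries listed above (the redirected Startup path is shortened to keep the hex(2) value readable); the rule names and the "user-writable directory" heuristic for Run entries are assumptions of this example.

```python
"""Hunt for the Matsnu-style registry tampering listed on this page in a .reg export.

Added example. Parses the Windows .reg text format (REG_SZ, REG_DWORD and
hex(2)/hex(1) UTF-16 values, including continuation lines) and reports the
persistence and defence-evasion settings the three samples set.
"""
import re

# Tools whose IFEO "Debugger" value the samples hijack (from the page).
IFEO_TOOLS = {"taskmgr.exe", "regedit.exe", "msconfig.exe"}
# Policy values the samples set to 1 (from the page).
POLICY_VALUES = {"DisableTaskMgr", "DisableRegedit", "DisableRegistryTools"}
# Directories an unprivileged user can write to; Run entries there are
# worth a look (hunting heuristic, an assumption of this example).
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\", "\\temp\\", "\\appdata\\")

# Constructed sample in `reg export` format, built from the page's entries.
# The Startup path is shortened to "C:\Kwplpallrzx" to keep the hex short.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="P9KDMF.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"601F769F"="c:\\Documents and Settings\\test user\\Application Data\\Uffcffdzap\\8CF37AE4601F769F8977.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\3A3DA874601F769F71D4.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"=hex(2):43,00,3a,00,5c,00,4b,00,77,00,70,00,6c,00,70,00,61,00,\
  6c,00,6c,00,72,00,7a,00,78,00,00,00
"""


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\((2|1)\):(.*)$", raw)  # REG_EXPAND_SZ / REG_SZ as UTF-16LE bytes
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other types are left as the raw export text


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    # A trailing backslash continues a long hex value on the next line.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if current is not None and m:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            keys[current][name] = _decode_value(m.group(2).strip())
    return keys


def hunt(keys):
    """Apply the page's behaviours as rules; returns (rule, key, value_name, data) tuples."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        tail = k.rsplit("\\", 1)[-1]
        # IFEO Debugger on an admin tool: launching the tool runs P9KDMF.EXE instead.
        if "\\image file execution options\\" in k and tail in IFEO_TOOLS and values.get("Debugger"):
            findings.append(("ifeo_debugger_hijack", key, "Debugger", values["Debugger"]))
        # Policies that hide the infection from the user (Task Manager, regedit).
        if k.endswith("\\policies\\system"):
            for name in sorted(POLICY_VALUES):
                if values.get(name) == 1:
                    findings.append(("admin_tool_disabled", key, name, 1))
        # Userinit is a comma list; anything besides userinit.exe runs at every logon.
        if k.endswith("\\windows nt\\currentversion\\winlogon"):
            for part in str(values.get("Userinit", "")).split(","):
                part = part.strip()
                if part and not part.lower().endswith("\\userinit.exe"):
                    findings.append(("userinit_appended", key, "Userinit", part))
        # Startup folder moved away from the user's Start Menu: its contents autorun.
        if k.endswith("\\explorer\\user shell folders"):
            startup = str(values.get("Startup", ""))
            if startup and "start menu" not in startup.lower():
                findings.append(("startup_folder_redirected", key, "Startup", startup))
        # Run entries launching binaries from user-writable locations.
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if any(d in str(data).lower() for d in USER_WRITABLE):
                    findings.append(("run_key_in_user_writable_dir", key, name, data))
    return findings


if __name__ == "__main__":
    for rule, key, name, data in hunt(parse_reg_export(SAMPLE_REG)):
        print(f"{rule:32} {key}\\{name} = {data}")
```

To run this against a real host, export the relevant hives (for example `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg`) and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE with a BOM; the parser expects decoded text. The IFEO rule is deliberately narrow (only the three tools the samples target) because legitimate debuggers do register IFEO entries for other programs.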
