Mal/Cleaman-B

Category: Viruses and Spyware
Type: Malicious behavior
Protection available since: 03 Feb 2012 04:57:32 (GMT)
Last Updated: 08 Aug 2014 02:07:49 (GMT)
Prevalence: Small Number of Reports


Examples of Mal/Cleaman-B include:

Example 1

File Information

Size: 386K
SHA-1: 0002be4663a5b597ec70a2b70a1040ab40147347
MD5: 82a21bc286cf7d26c067856ecf66e51c
CRC-32: 1a99059b
File type: Windows executable
First seen: 2007-09-18

Other vendor detection

Avira: TR/Dropper.MSIL.43672

Runtime Analysis

Copies Itself To
  • C:\Program Files\UPNP Subsystem\upnpss.exe
  • c:\Documents and Settings\test user\Application Data\Tp\boxz.exe
Dropped Files
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Size: 53K
    SHA-1: db88a832074cf222b498eef018e2b4a056456f93
    MD5: f44363d23cd082c1a99eb91d33e1c927
    CRC-32: 1b37c2c8
    File type: Microsoft CAB archive
    First seen: 2014-03-12
  • c:\Documents and Settings\test user\Application Data\Sample.lnk
    Size: 537 bytes
    SHA-1: a8b13acbdfa2c568a73b9ec8b464a7ddf097f74b
    MD5: 8362ad50861c31b7347e7f4bdcd4e645
    CRC-32: 0a718b14
    File type: application/octet-stream
    First seen: 2014-06-07
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Size: 216 bytes
    SHA-1: bf4bdeae7a595ad180028e350c92f5010ac9a642
    MD5: 7004e08c44630b8e806ede3c87112965
    CRC-32: b81546c5
    File type: Unspecified binary - probably data
    First seen: 2014-06-07
  • c:\Documents and Settings\test user\Application Data\26C19984-2A01-45B5-A7B3-A568AF60C200\run.dat
    Size: 8 bytes
    SHA-1: 1c975e9ff815ec36fe2b6dcd2ecea5f2a7301552
    MD5: cb486b192272065fd0a8cff5bc26b910
    CRC-32: a935de1e
    File type: Windows Codepage 1252
    First seen: 2014-06-07
Modified Files
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    sidebar = c:\Documents and Settings\test user\Application Data\Sample.lnk
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    UPNP Subsystem = C:\Program Files\UPNP Subsystem\upnpss.exe
Processes Created
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
IP Connections
  • 213.208.152.200:4033
DNS Requests
  • www.download.windowsupdate.com
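The dropped-file entries above give SHA-1, MD5 and CRC-32 for each artifact, and the same file name carries different hashes in different samples (Sample.lnk is 537 bytes here and 611 bytes in Example 3 below), so a responder checks hashes rather than names alone. The following script is an added example, not the vendor's tooling: it hashes every file under a roaming profile in the three formats the report uses (note the zero-padded CRC-32, 0a718b14 above), looks each SHA-1 up in a table copied from this page, and separately flags the drop-location patterns the report shows (Sample.lnk, pid.txt, pidloc.txt or 010112.txt directly under %APPDATA%, run.dat inside a GUID-named folder, a .scr under %APPDATA%). The name rules are my heuristics, the demo file contents are constructed and will not match any hash on the page, and the CryptnetUrlCache entries are left out of the hash table because they belong to the Windows CryptoAPI cache (the authrootstl.cab download listed under HTTP Requests) rather than to the sample.

```python
"""Triage files under a user's %APPDATA% against the Mal/Cleaman-B artifacts above.

Added example, not from the report: the SHA-1 values are copied from the page;
the hashing, CRC-32 formatting and drop-name heuristics are mine, and
DEMO_ENTRIES is constructed (its contents will not match any report hash).
"""
import hashlib
import re
import sys
import zlib
from pathlib import Path

# SHA-1 values from the "File Information" and "Dropped Files" entries on this page.
KNOWN_SHA1 = {
    "0002be4663a5b597ec70a2b70a1040ab40147347": "Example 1 sample (386K executable)",
    "0011ba8be8daf49f061819d2f594c4f7e4c2305f": "Example 2 sample (53K executable)",
    "001204843d7337b3c1de97718beb6b60aa64b7dc": "Example 3 sample (835K executable)",
    "a8b13acbdfa2c568a73b9ec8b464a7ddf097f74b": "Sample.lnk as dropped by Example 1",
    "ccd521d54f8fafb36b3afd876637667d92d8ddac": "Sample.lnk as dropped by Example 3",
    "1c975e9ff815ec36fe2b6dcd2ecea5f2a7301552": "run.dat dropped by Example 1",
    "2e508af101599c923aa2bebf1d0855564a8a991a": "010112.txt dropped by Example 3",
}
GUID_DIR = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def file_hashes(data: bytes) -> dict:
    """SHA-1, MD5 and CRC-32 in the report's notation: lower-case hex, CRC zero-padded to 8 digits."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def name_heuristics(rel_path: str) -> list:
    """Drop-location patterns read off the report; rel_path is relative to %APPDATA%.

    These are heuristics added here, not detection logic from the vendor."""
    parts = rel_path.replace("/", "\\").lower().split("\\")
    name, parents = parts[-1], parts[:-1]
    reasons = []
    if not parents and name in {"sample.lnk", "pid.txt", "pidloc.txt", "010112.txt"}:
        reasons.append(f"{name} written directly under %APPDATA%")
    if name == "run.dat" and len(parents) == 1 and GUID_DIR.match(parents[0]):
        reasons.append("run.dat inside a GUID-named folder")
    if name.endswith(".scr"):
        reasons.append("screensaver executable stored in the roaming profile")
    return reasons


def triage_entries(entries) -> list:
    """entries: iterable of (path relative to %APPDATA%, file bytes). Returns findings."""
    findings = []
    for rel_path, data in entries:
        hashes = file_hashes(data)
        reasons = name_heuristics(rel_path)
        if hashes["sha1"] in KNOWN_SHA1:
            reasons.insert(0, "SHA-1 matches report: " + KNOWN_SHA1[hashes["sha1"]])
        if reasons:
            findings.append({"path": rel_path, **hashes, "reasons": reasons})
    return findings


def triage_directory(appdata: Path) -> list:
    """Walk a real roaming profile (e.g. %APPDATA% of a suspect host mounted read-only)."""
    return triage_entries(
        (str(p.relative_to(appdata)), p.read_bytes())
        for p in appdata.rglob("*") if p.is_file()
    )


# Constructed demo files; the bytes are invented, so only the name heuristics fire.
DEMO_ENTRIES = [
    ("Sample.lnk", b"L\x00\x00\x00\x01\x14\x02\x00"),
    ("26C19984-2A01-45B5-A7B3-A568AF60C200\\run.dat", b"12345678"),
    ("KNcxy\\IMG_O431_INVOICE.scr", b"MZ" + b"\x00" * 62),
    ("Microsoft\\CryptnetUrlCache\\MetaData\\2BF68F4714092295550497DD56F57004", b"\x00" * 216),
    ("Tp\\notes.txt", b"nothing to see here"),
]

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (triage_directory(root) if root else triage_entries(DEMO_ENTRIES)):
        print(f["path"], f["sha1"], f["md5"], f["crc32"], "; ".join(f["reasons"]), sep="  ")
```

Run it with no argument to see the constructed demo, or pass the path of a copied roaming profile to triage real files. A hash hit is conclusive; a name-only hit is a lead to hash and examine, since the heuristics will also catch unrelated files that happen to sit in those locations.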

Example 2

File Information

Size: 53K
SHA-1: 0011ba8be8daf49f061819d2f594c4f7e4c2305f
MD5: c9460b78f3f344b5f1bbd427d3d19f7c
CRC-32: 4d82cf65
File type: Windows executable
First seen: 2012-07-05

Runtime Analysis

Processes Created
  • c:\windows\system32\svchost.exe

Example 3

File Information

Size: 835K
SHA-1: 001204843d7337b3c1de97718beb6b60aa64b7dc
MD5: df65de00524613dfccb76b07b7afaa10
CRC-32: 1cdda44d
File type: Windows executable
First seen: 2007-09-18

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Application Data\KNcxy\IMG_O431_INVOICE.scr
Dropped Files
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Size: 53K
    SHA-1: db88a832074cf222b498eef018e2b4a056456f93
    MD5: f44363d23cd082c1a99eb91d33e1c927
    CRC-32: 1b37c2c8
    File type: Microsoft CAB archive
    First seen: 2014-03-12
  • c:\Documents and Settings\test user\Application Data\010112.txt
    Size: 9 bytes
    SHA-1: 2e508af101599c923aa2bebf1d0855564a8a991a
    MD5: 3293e47d8b852de8d7e8dd0ef41e9a62
    CRC-32: 18e20cc7
    File type: ASCII text / 8-bit Unicode Transformation Format
    First seen: 2014-06-07
  • c:\Documents and Settings\test user\Application Data\pidloc.txt
  • c:\Documents and Settings\test user\Application Data\Sample.lnk
    Size: 611 bytes
    SHA-1: ccd521d54f8fafb36b3afd876637667d92d8ddac
    MD5: 3a2ce3cc374ffeb3dc307df5908f8f66
    CRC-32: 9f060c91
    File type: Windows Shortcut file (.LNK)
    First seen: 2014-06-07
  • c:\Documents and Settings\test user\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Size: 216 bytes
    SHA-1: 634698095a58b7fd62ab56716d54d70751d8e84d
    MD5: 8758020592c3300f38203fae2be0a668
    CRC-32: f70fcc49
    File type: Unspecified binary - probably data
    First seen: 2014-06-07
  • c:\Documents and Settings\test user\Application Data\pid.txt
Modified Files
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
  • %PROFILE%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG
    Trace Level
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    sidebar = c:\Documents and Settings\test user\Application Data\Sample.lnk
Processes Created
  • c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://whatismyipaddress.com/
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
DNS Requests
  • smtp.mail.ru
  • whatismyipaddress.com
  • www.download.windowsupdate.com
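The Runtime Analysis sections above are lists of host and network indicators, and the reliable way to use them is to match them against endpoint telemetry rather than read them by eye. The matcher below is added here and is not part of the vendor report: it copies the paths, autostart values, IP:port and domains from Examples 1 and 3 into rules over Sysmon-style events, normalising the sandbox's Windows XP profile paths (c:\Documents and Settings\test user\Application Data\...) to %APPDATA% so the same indicators match a Vista-or-later profile (C:\Users\<name>\AppData\Roaming\...) and folding Sysmon's HKU\<SID> form of HKCU back to HKCU. Two items in the listings are deliberately excluded: the requests to www.download.windowsupdate.com for authrootseq.txt and authrootstl.cab, and the CryptnetUrlCache files, are Windows CryptoAPI refreshing its trusted-root certificate list, which any signed or .NET binary can trigger, so they identify nothing. The ProcessCreate rule (vbc.exe, the VB.NET compiler, or cmd.exe started by a binary living in the roaming profile) is my heuristic based on the Example 3 process list, not something the report states; the event format and the log lines are constructed.

```python
"""Match Sysmon-style events against the Mal/Cleaman-B indicators on this page.

Added example, not from the report: indicator values are copied from the Runtime
Analysis sections above; the event format (one JSON object per line, Sysmon-like
field names) and SAMPLE_LOG are constructed for the demo.
"""
import json
import re

# Copy and drop locations from Examples 1 and 3, as the sandbox recorded them.
REPORT_FILE_IOCS = [
    r"C:\Program Files\UPNP Subsystem\upnpss.exe",
    r"c:\Documents and Settings\test user\Application Data\Tp\boxz.exe",
    r"c:\Documents and Settings\test user\Application Data\Sample.lnk",
    r"c:\Documents and Settings\test user\Application Data\26C19984-2A01-45B5-A7B3-A568AF60C200\run.dat",
    r"c:\Documents and Settings\test user\Application Data\KNcxy\IMG_O431_INVOICE.scr",
    r"c:\Documents and Settings\test user\Application Data\pid.txt",
    r"c:\Documents and Settings\test user\Application Data\pidloc.txt",
]
# Autostart entries from "Registry Keys Created": (key, value name).
REPORT_RUN_VALUES = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "UPNP Subsystem"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "sidebar"),
}
REPORT_NET_IOCS = {("213.208.152.200", 4033)}
REPORT_DNS_IOCS = {"smtp.mail.ru", "whatismyipaddress.com"}
SUSPECT_CHILDREN = {"vbc.exe", "cmd.exe"}  # from "Processes Created"

# CryptoAPI root-list refresh: any signed or .NET binary causes these, so they
# are excluded rather than used as indicators.
BENIGN_DOMAINS = {"www.download.windowsupdate.com"}
BENIGN_PATH_FRAGMENT = "\\microsoft\\cryptneturlcache\\"

APPDATA = "%appdata%\\"
_PROFILE_PREFIXES = [
    re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\"),  # XP layout (sandbox)
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"),                   # Vista and later
    re.compile(r"^%profile%\\application data\\"),                              # "Modified Files" notation
]


def normalize_path(path: str) -> str:
    """Lower-case a path and fold any per-user profile prefix to %appdata%\\."""
    p = path.strip().strip('"').lower()
    for prefix in _PROFILE_PREFIXES:
        p, n = prefix.subn(lambda _m: APPDATA, p)
        if n:
            break
    return p


def normalize_regkey(key: str) -> str:
    """Sysmon writes HKCU keys as HKU\\<user SID>\\...; fold that back to hkcu."""
    return re.sub(r"^hku\\s-1-5-[0-9-]+\\", lambda _m: "hkcu\\", key.strip().lower())


FILE_IOCS = {normalize_path(p) for p in REPORT_FILE_IOCS}
RUN_VALUES = {(k.lower(), v.lower()) for k, v in REPORT_RUN_VALUES}


def match_event(ev: dict):
    """Return a one-line finding for an event that matches an indicator, else None."""
    kind = ev.get("event")
    if kind == "FileCreate":
        p = normalize_path(ev["target"])
        if BENIGN_PATH_FRAGMENT not in p and p in FILE_IOCS:
            return f"file IOC: {ev['target']}"
    elif kind == "RegistryValueSet":
        key, _, name = ev["target"].rpartition("\\")
        by_name = (normalize_regkey(key), name.lower()) in RUN_VALUES
        by_data = normalize_path(ev.get("details", "")) in FILE_IOCS
        if by_name or by_data:
            return f"autostart IOC: {ev['target']} -> {ev.get('details', '')}"
    elif kind == "NetworkConnect":
        if (ev["dst_ip"], int(ev["dst_port"])) in REPORT_NET_IOCS:
            return f"network IOC: {ev['dst_ip']}:{ev['dst_port']}"
    elif kind == "DnsQuery":
        q = ev["query"].lower().rstrip(".")
        if q in REPORT_DNS_IOCS and q not in BENIGN_DOMAINS:
            return f"dns IOC: {q}"
    elif kind == "ProcessCreate":
        # Heuristic added here, not stated in the report: the .NET compiler or a
        # shell started by a binary living in the roaming profile (Example 3).
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if child in SUSPECT_CHILDREN and normalize_path(ev.get("parent_image", "")).startswith(APPDATA):
            return f"suspicious child: {child} spawned by {ev['parent_image']}"
    return None


def scan(lines):
    """Run every non-empty JSON line through match_event and keep the findings."""
    return [m for m in (match_event(json.loads(l)) for l in lines if l.strip()) if m]


# Constructed log: a Vista+ profile for user "alice", with benign noise mixed in.
SAMPLE_LOG = r"""
{"event": "RegistryValueSet", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\UPNP Subsystem", "details": "C:\\Program Files\\UPNP Subsystem\\upnpss.exe"}
{"event": "RegistryValueSet", "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\sidebar", "details": "C:\\Users\\alice\\AppData\\Roaming\\Sample.lnk"}
{"event": "RegistryValueSet", "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"event": "FileCreate", "target": "C:\\Users\\alice\\AppData\\Roaming\\KNcxy\\IMG_O431_INVOICE.scr"}
{"event": "FileCreate", "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015"}
{"event": "ProcessCreate", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe", "parent_image": "C:\\Users\\alice\\AppData\\Roaming\\KNcxy\\IMG_O431_INVOICE.scr"}
{"event": "ProcessCreate", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "parent_image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"}
{"event": "NetworkConnect", "dst_ip": "213.208.152.200", "dst_port": 4033}
{"event": "DnsQuery", "query": "www.download.windowsupdate.com"}
{"event": "DnsQuery", "query": "smtp.mail.ru"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed log the matcher reports six findings (both autostart values, the .scr drop, vbc.exe under the .scr, the 213.208.152.200:4033 connection and the smtp.mail.ru lookup) and stays silent on the OneDrive Run value, the CryptnetUrlCache write, vbc.exe under MSBuild and the windowsupdate.com lookup. The autostart rule matches on value name as well as data because the value names (UPNP Subsystem, sidebar) survive even when the dropped file is renamed or moved.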
