Trojan Horse Downloader Generic22.BGNZ | Joachim De Zutter
May 2011
Filenames: 0.28102417384866607.exe, 0.5518392596259506.exe, 
0.33582033967637204.exe, 0.9089551588392595.exe, 0.8550225356063098.exe
Filesize: 12928
MD5: 6a1b2a470ecf16acbbc6f39d9e3e5868
SHA1: 16b7b37080a83c3f4d8dc96f777afc3c99aae86a
SHA256: 2285592efdade5dc79039a691152f0726be665f41b3b078ca400a4b55d6709cb
A TCP SYN packet was sent to port 25 (SMTP) of 77.79.11.74

Data was received through a TCP connection established on port 8000 of 77.79.11.74

http://www.utrace.de/?query=77.79.11.74
Provider: SPLIUS, UAB
Organisation: Webhosting, collocation services


The files _1.tmp and _2.tmp were dropped under %HOMEPATH%\Local Settings\Temp\ (the per-user %TEMP% directory on Windows XP) and executed as processes.
Filename: _1.tmp
Filesize: 39424
MD5: 75b2a72feff7a9b210929e46d29c0c8b
SHA1: 9b74ad686fc69090caf12e7b88292cb5edd67367 
SHA256: 34a43b1c99efba7c20ff1be1c4836b31de5af8abcfa81b759434c1b6cd93592a
Appears to be programmed in Delphi
_1.tmp then opened an HTTP connection to TCP port 80 of 178.18.243.211 and issued an HTTP POST to a PHP script named gate_goo.php; the POST body contains the string "CRYPTED0" and the request carries the User-Agent "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)".

http://www.utrace.de/?query=178.18.243.211
Provider: Inline Internet Online Dienste Gmbh
Organisation: HUAN-JUN-NET
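The beacon above gives four network indicators that can be checked independently of each other: the destination 178.18.243.211:80, an HTTP POST to a script named gate_goo.php, the User-Agent "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" and the string "CRYPTED0" in the request body. The following Python script is an added example (not part of this analysis) that parses a raw HTTP request and reports which of those indicators it matches. The sample request inside it is constructed: the report does not give the full URI path or the bytes following the marker, so "/gate_goo.php" and the trailing bytes are assumptions.

```python
"""Network-side check for the gate_goo.php beacon described in the report:
parse a raw HTTP request and list which of the reported indicators it matches.
Example code added to this report, not the original analysis."""

# Indicators taken from the report.
C2_IP = "178.18.243.211"
C2_PORT = 80
C2_SCRIPT = "gate_goo.php"
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
BODY_MARKER = b"CRYPTED0"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased. Returns None when the bytes are not an
    HTTP request (no blank line, or a malformed request line)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    method = request_line[0].decode("ascii", "replace")
    path = request_line[1].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            continue  # tolerate a junk header line instead of rejecting the request
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("latin-1")
    return method, path, headers, body


def beacon_indicators(raw: bytes, dst_ip: str, dst_port: int) -> list:
    """Return the names of every indicator that matches this flow, in a fixed order.

    Each indicator is tested on its own, so a rotated C2 address or a renamed
    script still leaves the User-Agent and the body marker to fire on."""
    hits = []
    if dst_ip == C2_IP and dst_port == C2_PORT:
        hits.append("c2_endpoint")
    parsed = parse_http_request(raw)
    if parsed is None:
        return hits
    method, path, headers, body = parsed
    script = path.split("?", 1)[0].rsplit("/", 1)[-1]  # last path component, query stripped
    if method == "POST" and script == C2_SCRIPT:
        hits.append("post_gate_goo")
    if headers.get("user-agent") == C2_USER_AGENT:
        hits.append("ie5_win98_user_agent")
    if BODY_MARKER in body:
        hits.append("crypted0_marker")
    return hits


def is_beacon(raw: bytes, dst_ip: str, dst_port: int, min_hits: int = 2) -> bool:
    """Alert when at least `min_hits` indicators coincide; a lone IE5/Windows 98
    User-Agent is too weak an indicator to alert on by itself."""
    return len(beacon_indicators(raw, dst_ip, dst_port)) >= min_hits


# Constructed sample traffic, not a capture from the report: the URI directory
# and the bytes after the marker are assumptions; only the script name, the
# User-Agent and the "CRYPTED0" marker come from the analysis above.
SAMPLE_BEACON = (
    b"POST /gate_goo.php HTTP/1.0\r\n"
    b"Host: 178.18.243.211\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"CRYPTED0" + bytes(range(16))
)

# Constructed benign request used as a negative control.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(beacon_indicators(SAMPLE_BEACON, C2_IP, C2_PORT))
    print(is_beacon(BENIGN_REQUEST, "192.0.2.10", 80))
```

The C2 address is the indicator most likely to change between builds, which is why the check does not require it: the script name, the dated User-Agent and the body marker are properties of the client code and survive a move to a new host.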

Filename: _2.tmp
Filesize: 370176
MD5: c924f2da01ba1cf96ad644cbec802789
SHA1: 959793dd545d9e365a65d7a4969e4559fb28961d
SHA256: 241495f932568bb431aa1b0e4ebefca467d64c8ad38a29141ebe7db558b885c3
Appears to be programmed in Delphi

Filenames: 0.8130867753820258.exe, 0.42393670086427104.exe
Filesize: 12928
MD5: b9d445d9748b5e291c3818d53195e4ed
SHA1: 3ee054084130ede881f8a8d88cffe6f91490d9ec
SHA256: dfcc1716ea93c2bafde92472cb887ddceaec47e10fdb54915b67ffc66a13f542
3 TCP SYN packets were sent to port 25 (SMTP) of 77.79.11.74

Data was received through a TCP connection established on port 8000 of 77.79.11.74

http://www.utrace.de/?query=77.79.11.74
Provider: SPLIUS, UAB
Organisation: Webhosting, collocation services


The files _1.tmp and _2.tmp were dropped under %HOMEPATH%\Local Settings\Temp\ (the per-user %TEMP% directory on Windows XP) and executed as processes.
Filename: _1.tmp
Filesize: 370176
MD5: c924f2da01ba1cf96ad644cbec802789
SHA1: 959793dd545d9e365a65d7a4969e4559fb28961d
SHA256: 241495f932568bb431aa1b0e4ebefca467d64c8ad38a29141ebe7db558b885c3
Appears to be programmed in Delphi

Filename: _2.tmp
Filesize: 39424
MD5: 17e69a74662ee01c0a9898b6310c48bf
SHA1: f5b5640bc1775e0e034dd259e928f3c19239a7eb
SHA256: 8cf6fd0913a5bad45bb1268232eae6f62c1e9572f2ebc9c668d2283d3d252f7f
Appears to be programmed in Delphi
_2.tmp then opened an HTTP connection to TCP port 80 of 178.18.243.211 and issued an HTTP POST to a PHP script named gate_goo.php; the POST body contains the string "CRYPTED0" and the request carries the User-Agent "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)".

http://www.utrace.de/?query=178.18.243.211
Provider: Inline Internet Online Dienste Gmbh
Organisation: HUAN-JUN-NET
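Across the two runs, the 370176-byte Delphi file is the same binary (identical MD5, SHA-1 and SHA-256); only its name in %TEMP% changes (_2.tmp in the first run, _1.tmp in the second), while the 39424-byte component that posts to gate_goo.php is a different file in each run. The Python script below is an added example, not part of this analysis: it carries the five sets of digests from this report, hashes every file under a directory (the user's %TEMP% by default) and reports matches, and separately flags the two naming patterns seen here, 0.<digits>.exe for the downloader and _N.tmp for the dropped files. The name check is a weak indicator on its own and is marked as such in the code.

```python
"""Host-side check for the files listed in this report: hash every file under a
directory, compare against the published digests, and flag the naming patterns
of the downloader and its dropped files.
Example code added to this report, not the original analysis."""
import hashlib
import os
import re
import sys

# (label, size in bytes, md5, sha1, sha256), copied from the report.
KNOWN = [
    ("downloader, first run", 12928,
     "6a1b2a470ecf16acbbc6f39d9e3e5868",
     "16b7b37080a83c3f4d8dc96f777afc3c99aae86a",
     "2285592efdade5dc79039a691152f0726be665f41b3b078ca400a4b55d6709cb"),
    ("downloader, second run", 12928,
     "b9d445d9748b5e291c3818d53195e4ed",
     "3ee054084130ede881f8a8d88cffe6f91490d9ec",
     "dfcc1716ea93c2bafde92472cb887ddceaec47e10fdb54915b67ffc66a13f542"),
    ("dropped gate_goo.php client, first run (_1.tmp)", 39424,
     "75b2a72feff7a9b210929e46d29c0c8b",
     "9b74ad686fc69090caf12e7b88292cb5edd67367",
     "34a43b1c99efba7c20ff1be1c4836b31de5af8abcfa81b759434c1b6cd93592a"),
    ("dropped gate_goo.php client, second run (_2.tmp)", 39424,
     "17e69a74662ee01c0a9898b6310c48bf",
     "f5b5640bc1775e0e034dd259e928f3c19239a7eb",
     "8cf6fd0913a5bad45bb1268232eae6f62c1e9572f2ebc9c668d2283d3d252f7f"),
    ("dropped 370176-byte Delphi file (both runs)", 370176,
     "c924f2da01ba1cf96ad644cbec802789",
     "959793dd545d9e365a65d7a4969e4559fb28961d",
     "241495f932568bb431aa1b0e4ebefca467d64c8ad38a29141ebe7db558b885c3"),
]

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk: int = 1 << 16) -> dict:
    """Same digests for a file on disk, read in chunks so large files are fine."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def match_digests(digests: dict):
    """Return (label, algorithm) for the first known entry whose digest matches.

    SHA-256 is tried first; MD5 and SHA-1 are kept only to correlate with
    reports that publish nothing stronger. Returns None if nothing matches."""
    for algo, column in (("sha256", 4), ("sha1", 3), ("md5", 2)):
        value = (digests.get(algo) or "").lower()
        if not value:
            continue
        for entry in KNOWN:
            if value == entry[column]:
                return entry[0], algo
    return None


# Naming patterns observed in the report. Both are weak indicators: a short
# _N.tmp name in particular is not unique to this malware.
NAME_PATTERNS = (
    re.compile(r"0\.\d{10,}\.exe", re.IGNORECASE),  # e.g. 0.28102417384866607.exe
    re.compile(r"_\d+\.tmp", re.IGNORECASE),        # _1.tmp, _2.tmp in %TEMP%
)


def suspicious_name(filename: str) -> bool:
    """True if the bare filename matches one of the observed naming patterns."""
    return any(p.fullmatch(filename) for p in NAME_PATTERNS)


def scan(root: str):
    """Walk a directory tree; yield (path, reason) for every hash or name hit."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                hit = match_digests(hash_file(path))
            except OSError:
                continue  # locked or vanished temp file; move on
            if hit:
                yield path, f"known sample: {hit[0]} (matched by {hit[1]})"
            elif suspicious_name(name):
                yield path, "filename matches the dropper/dropped-file pattern (weak)"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", ".")
    for path, reason in scan(root):
        print(f"{path}: {reason}")
```

A hash match is conclusive for these exact binaries only; a rebuilt downloader with a new C2 address will have different digests, which is why the network indicators for gate_goo.php are the more durable of the two sets.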