LeaseWeb hosted malware | Joachim De Zutter
May 2012
Filename: 7970079Cd01.exe
Filesize: 389120 bytes
MD5: f9099fd427286c9273e82fbffc2de102
SHA1: 4df14ae717608d8c2dca106e0c715344ce864624
SHA256: c356e80b6e86f0215cfa20b27054d2f262935631cd4a853209a97fc66b175f3a
The executable creates a mutex object.

The executable file was moved to the %TEMP% directory (\Users\Username\AppData\Local\Temp\).

TCP SYN packets were sent to 173.244.196.7

An HTTP GET request was performed on 82.192.94.39

http://www.utrace.de/?query=82.192.94.39
Provider: LeaseWeb B.V.
Region: Amsterdam (The Netherlands)
A DNS request was performed for report.countdom.net, which resolved to 69.43.161.182

An HTTP GET request was performed on 69.43.161.182

http://www.utrace.de/?query=69.43.161.182
Provider: Castle Access
Organisation: Trellian Pty (Australia)
The following registry keys were created:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
BMP = "%C:\Users\Username\AppData\Local\Temp\7970079Cd01.exe /cs:1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
BMP = "C:\ProgramData\2578bc\BM257_328.exe" /s

Empty files named C:\ProgramData\2578bc\BestMP.exe and C:\ProgramData\2578bc\BM257_328.exe were created.
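As an added defender-side example (not part of the original post), the Python below parses a .reg-style export of the Run/RunOnce keys and flags autorun values whose executable lives in a user Temp directory or under ProgramData, the two persistence locations observed above. The sample export is constructed from the values listed on this page plus one benign entry for contrast; the key-name pattern and the directory heuristics are this example's own assumptions.

```python
import re

# Constructed sample: the two values reported above, plus a benign entry
# (hypothetical OneDrive autorun) that the heuristics should leave alone.
SAMPLE_EXPORT = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
BMP = "%C:\Users\Username\AppData\Local\Temp\7970079Cd01.exe /cs:1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
BMP = "C:\ProgramData\2578bc\BM257_328.exe" /s
OneDrive = "C:\Users\Username\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# Only values under ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce are autoruns here.
AUTORUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\]$", re.IGNORECASE)

# Directories a legitimate installer rarely launches from at logon (assumed heuristics).
SUSPICIOUS_DIRS = (
    ("\\appdata\\local\\temp\\", "executable launched from the user's Temp directory"),
    ("\\programdata\\", "executable launched from ProgramData"),
)


def parse_entries(export):
    """Yield (key, name, raw_value) for every value under a Run/RunOnce key."""
    key = None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line if AUTORUN_KEYS.search(line) else None
        elif key and " = " in line:
            name, value = line.split(" = ", 1)
            yield key, name.strip(), value.strip()


def exe_path(value):
    """Pull the .exe path out of a value such as '"C:\\x\\y.exe" /s' or '%C:\\x\\y.exe /cs:1'."""
    match = re.search(r'[a-z]:\\[^"]*?\.exe', value, re.IGNORECASE)
    return match.group(0) if match else None


def flag_suspicious(export):
    """Return [(key, name, path, reason)] for autorun values that start from throwaway dirs."""
    findings = []
    for key, name, value in parse_entries(export):
        path = exe_path(value)
        if path is None:
            continue
        for marker, reason in SUSPICIOUS_DIRS:
            if marker in path.lower():
                findings.append((key, name, path, reason))
                break
    return findings
```

Feed it a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`) after normalising the `"name"="value"` syntax to the `name = value` form used here.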