New Trojan Detected: Comprovante.exe. But Not By Avast! [SOLVED]

Dear Avast,

This is a report that virustotal.com has detected the Comprovante.exe Trojan at the following webpage:

hxxp://www.statelinefastpitch.com.

Here is the report:

http://www.virustotal.com/file-scan/report.html?id=bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3-1302200911

If the above link does not work, here are the Virus Total scan results for this malware:

File name: Comprovante.exe
Submission date: 2011-04-07 18:28:31 (UTC)
Current status: finished
Result: 13 /40 (32.5%)
VT Community rating: malware (safety score 0.0%)

Antivirus / Version / Last Update / Result

AhnLab-V3 2011.04.08.00 2011.04.07 -
AntiVir 7.11.6.4 2011.04.07 TR/Spy.Banker.LW.85
Antiy-AVL 2.0.3.7 2011.04.06 -
Avast 4.8.1351.0 2011.04.07 -
Avast5 5.0.677.0 2011.04.01 -
AVG 10.0.0.1190 2011.04.07 PSW.Generic8.BKFK
BitDefender 7.2 2011.04.07 Dropped:Trojan.Generic.5781220
CAT-QuickHeal 11.00 2011.04.07 -
ClamAV 0.97.0.0 2011.04.07 -
Commtouch 5.2.11.5 2011.04.06 -
Comodo 8256 2011.04.07 -
DrWeb 5.0.2.03300 2011.04.07 -
eSafe 7.0.17.0 2011.04.04 -
eTrust-Vet 36.1.8258 2011.04.07 -
F-Prot 4.6.2.117 2011.04.07 -
F-Secure 9.0.16440.0 2011.04.07 -
Fortinet 4.2.254.0 2011.04.07 -
GData 22 2011.04.07 -
Ikarus T3.1.1.103.0 2011.04.07 Trojan-Spy.Win32.Banker
Jiangmin 13.0.900 2011.04.07 -
K7AntiVirus 9.96.4320 2011.04.07 -
McAfee 5.400.0.1158 2011.04.07 Generic PWS.y!dab
McAfee-GW-Edition 2010.1C 2011.04.07 Generic PWS.y!dab
Microsoft 1.6702 2011.04.07 TrojanSpy:Win32/Banker.LW
NOD32 6023 2011.04.07 probably a variant of Win32/Spy.Delf.OJR
Norman 6.07.07 2011.04.07 -
Panda 10.0.3.5 2011.04.07 -
PCTools 7.0.3.5 2011.04.07 -
Prevx 3.0 2011.04.07 -
Rising 23.52.03.06 2011.04.07 -
Sophos 4.64.0 2011.04.07 -
SUPERAntiSpyware 4.40.0.1006 2011.04.06 Trojan.Agent/Gen-Banload
Symantec 20101.3.2.89 2011.04.07 -
TheHacker 6.7.0.1.168 2011.04.07 -
TrendMicro 9.200.0.1012 2011.04.07 TSPY_BANKER.SMAW
TrendMicro-HouseCall 9.200.0.1012 2011.04.07 TSPY_BANKER.SMAW
VBA32 3.12.14.3 2011.04.07 TrojanDownloader.Banload.bblx
VIPRE 8949 2011.04.07 Trojan.Win32.Generic!BT
ViRobot 2011.4.7.4398 2011.04.07 -
VirusBuster 13.6.293.1 2011.04.07 -

Additional information
MD5 : de6963a89ac914772e9badebc9519943
SHA1 : 3d0d2d27c9abca39491556b579072fcb09c7be8f
SHA256: bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3
ssdeep: 6144:mu2urzh9xu/Xkau/8V0RD1qdpMHQz3E399wls58FloyCr1tz5nnKG+:mutrzh9xOXkUV0VQEtSlrXCzz5nc
File size : 300689 bytes
First seen: 2011-04-06 17:59:52
Last seen : 2011-04-07 18:28:31
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher: n/a
copyright: n/a
product: n/a
description: n/a
original name: n/a
internal name: n/a
file version: n/a
comments: n/a
signers: -
signing date: -
verified: Unsigned

PEiD: -
packers (F-Prot): RAR
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xA7B1
timedatestamp: 0x4B9DD366 (Mon Mar 15 06:27:50 2010)
machinetype: 0x14C (Intel I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1076E, 0x10800, 6.58, 8e6577c8c479f3e85e7fa573af92977e
.rdata, 0x12000, 0x1865, 0x1A00, 5.33, 4ec1c384a6c5f398ea7ca4031012f2d6
.data, 0x14000, 0xBFF4, 0x200, 3.55, 0ebca16960628061dcf3807fd384d9e9
.CRT, 0x20000, 0x10, 0x200, 0.21, a74a099866bd9750c2aa37309234732b
.rsrc, 0x21000, 0x3E60, 0x4000, 5.23, 8aabefb1e4cfa5dd14c4d7fe514d0403

[[ 9 import(s) ]]
advapi32.dll: LookupPrivilegeValueA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, SetFileSecurityW, SetFileSecurityA, OpenProcessToken, AdjustTokenPrivileges
comctl32.dll: -
comdlg32.dll: GetSaveFileNameA, CommDlgExtendedError, GetOpenFileNameA
gdi32.dll: GetDeviceCaps, GetObjectA, CreateCompatibleBitmap, SelectObject, StretchBlt, CreateCompatibleDC, DeleteObject, DeleteDC
kernel32.dll: DeleteFileA, DeleteFileW, CreateDirectoryA, CreateDirectoryW, FindClose, FindNextFileA, FindFirstFileA, FindNextFileW, FindFirstFileW, GetTickCount, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GlobalAlloc, lstrlenA, GetModuleFileNameA, FindResourceA, GetModuleHandleA, HeapAlloc, GetProcessHeap, HeapFree, HeapReAlloc, CompareStringA, ExitProcess, GetLocaleInfoA, GetNumberFormatA, lstrcmpiA, GetProcAddress, GetDateFormatA, GetTimeFormatA, FileTimeToSystemTime, FileTimeToLocalFileTime, ExpandEnvironmentStringsA, WaitForSingleObject, SetCurrentDirectoryA, Sleep, GetTempPathA, MoveFileExA, UnmapViewOfFile, GetCommandLineA, MapViewOfFile, CreateFileMappingA, GetModuleFileNameW, SetEnvironmentVariableA, OpenFileMappingA, LocalFileTimeToFileTime, SystemTimeToFileTime, GetSystemTime, IsDBCSLeadByte, GetCPInfo, FreeLibrary, LoadLibraryA, GetCurrentDirectoryA, GetFullPathNameA, SetFileAttributesW, SetFileAttributesA, GetFileAttributesW, GetFileAttributesA, WriteFile, SetLastError, GetStdHandle, ReadFile, CreateFileW, CreateFileA, GetFileType, SetEndOfFile, SetFilePointer, MoveFileA, SetFileTime, GetCurrentProcess, CloseHandle, GetLastError, DosDateTimeToFileTime
ole32.dll: CreateStreamOnHGlobal, OleInitialize, CoCreateInstance, OleUninitialize, CLSIDFromString
oleaut32.dll: -
shell32.dll: ShellExecuteExA, SHFileOperationA, SHGetFileInfoA, SHGetSpecialFolderLocation, SHGetMalloc, SHBrowseForFolderA, SHGetPathFromIDListA, SHChangeNotify
user32.dll: ReleaseDC, GetDC, SendMessageA, wsprintfA, SetDlgItemTextA, EndDialog, DestroyIcon, SendDlgItemMessageA, GetDlgItemTextA, DialogBoxParamA, IsWindowVisible, WaitForInputIdle, GetSysColor, PostMessageA, SetMenu, SetFocus, LoadBitmapA, LoadIconA, CharToOemA, OemToCharA, GetClassNameA, CharUpperA, GetWindowRect, GetParent, MapWindowPoints, CreateWindowExA, UpdateWindow, SetWindowTextA, LoadCursorA, RegisterClassExA, SetWindowLongA, GetWindowLongA, DefWindowProcA, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, GetClientRect, CopyRect, IsWindow, MessageBoxA, ShowWindow, GetDlgItem, EnableWindow, FindWindowExA, wvsprintfA, CharToOemBuffA, LoadStringA, SetWindowPos, GetWindowTextA, GetWindow, GetSystemMetrics, OemToCharBuffA, DestroyWindow

ExifTool:
file metadata
CodeSize: 67584
EntryPoint: 0xa7b1
FileSize: 294 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 24064
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2010:03:15 07:27:50+01:00
UninitializedDataSize: 0

Symantec reputation:Suspicious.Insight

VT Community comment
User: Letti.net.br
Reputation: 534 credits
Comment date: 2011-04-06 18:01:30 (UTC)
hxxp://www.statelinefastpitch.com/templates/system/css/comprovante.php
Tags: Malware, banker, tspy_banker, banload

Jack
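Added example, not part of the post above: a small Python triage script that re-checks the PEInfo section table quoted in the report. The section addresses, sizes and entropies and the entry point RVA 0xA7B1 are the figures VirusTotal printed; the thresholds (entropy 7.0 for "probably packed", a virtual-to-raw size ratio of 4) are conventional rules of thumb and an assumption of this example, not numbers from the report. Note that the TrID guess "Win64 Executable Generic (59.6%)" conflicts with the PE header's machine type 0x14C (I386) and the "PE32" magic; the header is authoritative and the script trusts it.

```python
"""Section-table triage for the Comprovante.exe PEInfo data quoted above.

Added example, not part of the original post. Section figures are the ones
VirusTotal reported; the thresholds are assumed rules of thumb.
"""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virt_addr: int   # RVA of the section
    virt_size: int   # size in memory
    raw_size: int    # size on disk
    entropy: float   # bits per byte, PEInfo's "ntropy" column


# name, viradd, virsiz, rawdsiz, ntropy from the PEInfo block in the report.
SECTIONS: List[Section] = [
    Section(".text",  0x1000,  0x1076E, 0x10800, 6.58),
    Section(".rdata", 0x12000, 0x1865,  0x1A00,  5.33),
    Section(".data",  0x14000, 0xBFF4,  0x200,   3.55),
    Section(".CRT",   0x20000, 0x10,    0x200,   0.21),
    Section(".rsrc",  0x21000, 0x3E60,  0x4000,  5.23),
]
ENTRY_POINT_RVA = 0xA7B1  # entry point RVA from the PEInfo block


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the quantity PEInfo's
    'ntropy' column reports; use it to recompute that column from a real file."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_containing(rva: int, sections: List[Section]) -> Optional[Section]:
    """Section whose in-memory range covers the RVA, or None."""
    for s in sections:
        if s.virt_addr <= rva < s.virt_addr + max(s.virt_size, s.raw_size):
            return s
    return None


def triage(sections: List[Section], entry_rva: int,
           packed_entropy: float = 7.0, bss_ratio: float = 4.0) -> List[str]:
    """Flag the usual packer and loader tells. Thresholds are assumed defaults."""
    findings: List[str] = []
    ep = section_containing(entry_rva, sections)
    if ep is None:
        findings.append(f"entry point 0x{entry_rva:X} is outside every section")
    elif ep.name not in (".text", "CODE"):
        findings.append(f"entry point 0x{entry_rva:X} is in {ep.name}, not a code section")
    for s in sections:
        if s.entropy >= packed_entropy:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} looks packed or encrypted")
        if s.raw_size == 0:
            findings.append(f"{s.name}: no bytes on disk, filled at run time")
        elif s.virt_size / s.raw_size >= bss_ratio:
            findings.append(
                f"{s.name}: virtual size 0x{s.virt_size:X} is "
                f"{s.virt_size / s.raw_size:.0f}x the raw size 0x{s.raw_size:X} "
                "(zero-filled at load: normal for .bss-style data, also used by unpack stubs)")
    return findings


if __name__ == "__main__":
    for line in triage(SECTIONS, ENTRY_POINT_RVA) or ["no section-level anomalies"]:
        print(line)
```

Run on this sample the script reports only the .data section, whose 0xBFF4 bytes in memory are backed by 0x200 bytes on disk; the entry point sits inside .text and no section reaches the packed-entropy threshold. Read together with F-Prot's "packers: RAR" note, that points to archive data carried by the file rather than a runtime-packed code section, but that is an interpretation of the figures, not something the report states.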

Sample is sent to avast :wink:

Thanks!

Jack

Hummm. Still no detection by Avast according to URLVoid. Note that I could not use VirusTotal because of heavy workload.

http://vscan.urlvoid.com/analysis/8d0ec0bb408cb5fba4083b91968243f4/c3RhdGVsaW5lZmFzdHBpdGNoLWNvbQ==/

Jack

PS. However, URLVoid.com does show that the danger is still here:

Report 2011-04-08 21:23:57 (GMT 1)
Website statelinefastpitch.com
Domain Hash 77e9034067a534ec1adef4dba3bc6f6f
IP Address 173.236.39.210 [SCAN]
IP Hostname server.programpartnerhosting.com
IP Country – (–)
AS Number 32475
AS Name SINGLEHOP-INC - SingleHop
Detections 4 / 22 (18 %)
Status DANGEROUS

Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender UNRATED
Scanning site with: DNS-BH CLEAN
Scanning site with: DShield SDL CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: joewein.de LLC CLEAN
Scanning site with: Malware Domain List CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MyWOT DETECTED
Scanning site with: Norton SafeWeb UNRATED
Scanning site with: ParetoLogic URL Clearing House DETECTED
Scanning site with: PhishTank CLEAN
Scanning site with: SCUMWARE CLEAN
Scanning site with: SpamhausDBL CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL DETECTED
Scanning site with: VSCAN DETECTED
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN

Being discussed all around: http://www.mywot.com/en/forum/11036-virus
Avast flagged it properly here in 2009: http://virusscan.jotti.org/en/scanresult/7591600e1d926034147baff148bfa66afc0c9d9b
as Win32:Spyware-gen, so this must be a new variant of the same Banload malware…
See: http://www.virustotal.com/file-scan/report.html?id=bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3-1302200911
jsunpack scanned: htxp://jsunpack.jeek.org/dec/go?report=39341b7e26c87b905e57061a5120ba2d7d032959
(only for the security aware: go there sandboxed and with ample script protection)
See: http://wepawet.iseclab.org/view.php?hash=852655f55924ff57f6ef719c1e0d2022&t=1302346013&type=js
Anubis report: http://anubis.iseclab.org/?action=result&task_id=181d66208cb309ce411a894330ca76baa

polonus

Thanks Polonus!

Maybe it might just be taking Avast longer to write a definition for the threat. That info shows they certainly know about it.

Jack

Avast has detection now as Win32:Spyware-gen, see:
http://www.virustotal.com/file-scan/report.html?id=bc8b9da1cec4dd77cfb4136698b0c06be7dfb06c75bb5963f90d75c4e531c0c3-1302276204
Jack 1000, you can put [SOLVED] in your initial posting, just like I did here, to mark that avast now detects it
and our users are now being protected,

polonus

Hi Jack 1000,

Thanks, every time I see that [SOLVED] appear, it gives me a good, proud feeling. So thanks for reporting this malware and helping towards even better avast detection. Re-scanning VirusTotal results, following up on new malware coming in via the known malware resource sites, and above all reporting these findings via “virus ATavast dot com” will greatly help towards this goal,

polonus