polonus (post 1)
Pondus (post 2)
Norman sandbox - http://180.113.179.100/WIN32.EXE
WIN32.EXE : Not detected by Sandbox (Signature: NO_VIRUS)
[ DetectionInfo ]
* Filename: C:\analyzer\scan\WIN32.EXE.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* Decompressing UPX3.
* File length: 324522 bytes.
* MD5 hash: fc841cdc6d09e3638e40b9c32b7d0cec.
* SHA1 hash: f74de43c0988f160f1a310f308da631a0ad3ee60.
[ Changes to filesystem ]
* Creates directory C:.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\RarSFX0.
* Creates file C:\WINDOWS\TEMP\RarSFX0__tmp_rar_sfx_access_check_55378667.
* Deletes file C:\WINDOWS\TEMP\RarSFX0__tmp_rar_sfx_access_check_55378667.
* Creates file C:\WINDOWS\TEMP\RarSFX0\UHARC.exe.
* Creates file C:\WINDOWS\TEMP\RarSFX0\file.uha.
[ Process/window information ]
* Creates a window with caption WinRAR \xea\xe3\x8b\x87\xf6 and classname #32770.
* Creates dialog control (static) with id 108 and caption .
* Creates dialog control (static) with id 101 and caption \xee\x07\x87\xf69(&D).
* Creates dialog control (combobox) with id 102 and caption .
* Creates dialog control (button) with id 103 and caption O\xc8(&W)…
* Pressing button with id 1.
* Attempts to (null) C:\WINDOWS\TE.
* Attempts to (null) uharc.exe e file.uha.
* Creates process “uharc.exe”.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\RarSFX0\UHARC.exe (111104 bytes) : no signature detection.
* C:\WINDOWS\TEMP\RarSFX0\file.uha (118440 bytes) : no signature detection.
Malwarebytes detects it as Trojan.Serverstart
SuperAntiSpyware does not detect it
ThreatExpert
http://www.threatexpert.com/report.aspx?md5=fc841cdc6d09e3638e40b9c32b7d0cec
system (post 3)
Avast already defines
http://online.us.drweb.com/cache/?i=847ca5c4ab6265df3057e300f96e6f28
WIN32.EXE packed by NSPACK
WIN32.EXE - archive CAB
WIN32.EXE/Rmqub.exe packed by ASPACK
WIN32.EXE/Rmqub.exe infected with Trojan.DownLoader5.6538
polonus (post 4)
@Dim@rik,
Well thanks for verifying,
polonus
system (post 5)
UHARC.exe
Sent to 2 laboratories… Avast and DrWeb. Let's see what the analysts say.
polonus (post 8)
Hi Pondus and Dim@rik,
Anyway, with you two around we know for sure the labs will have all the samples.
polonus
Pondus (post 9)
SOPHOS lab… quick as usual
WIN32.EXE -- identity created/updated (New detection Troj/Zegost-R)
Norman
This file is a multi-compressed file. It is first compressed with SFX and after that compressed with the UHARC compressor. The actual compressed file is already detected by Norman. Detection on this archive may lead to an FP.
Actual Win32.exe is detected as W32/Packed_NSPack.A.
system (post 11)
DrWeb lab…
WIN32.EXE - Trojan.MulDrop3.23120 http://vms.drweb.com/virus/?i=1690824
MD5: 4c1ce091c5dfe58b2509134a8cafaf56
UHARC.exe - The file you sent is located in the Dr.Web database of trusted (clean) files and is not a threat.
MD5: 50ce184e4cf489dac8b75a6023f67020