Analysis Date: 2014-04-19 17:45:47
MD5: 7e631e21100529822a3b0042cca888f7
SHA1: 0084506d7664c0c4a17c20942c22e7b52b43eb32

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: e6a90e46ec163e2f4ad6ec7de37be830 sha1: 0e44339e064529dbb6b4f614aa7a7c1a8da6ffc6 size: 127488
Section: .rsrc md5: 5160d5a58ec13ecc4d78223cad3e2a2a sha1: 0f30e201abbf67024cebdd7c0c05fa97f8fc92ea size: 10752
Timestamp: 2029-10-13 15:59:23
Version:
LegalCopyright: Microsoft Corporation
InternalName: Desktops
FileVersion: 2.00.0003
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Corporation
Comments: Desktop
ProductName: Desktop
ProductVersion: 2.00.0003
FileDescription: Desktop .exe
OriginalFilename: Desktops .exe
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: e0cb23fb6f4c19d2a21049278ee2b92f786f9f45
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV avg: PSW.Banker.DKY
AV avira: TR/Spy.Bancos.u
AV mcafee: PWS-Banker
AV msse: TrojanSpy:Win32/Bancos
AV clamav: W32.Xorala-9

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: c:\windows\desktops .exe
Creates Process: c:\windows\desktops .exe

Process
↳ c:\windows\desktops .exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service System ➝
"c:\windows\Desktops .exe"\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run\Service System ➝
"c:\windows\Desktops .exe"\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ieupdate.dat
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF158.tmp
Winsock DNS: www.supernet.speedserv.com
Winsock URL: http://www.supernet.speedserv.com/downloads/updade.dll
Winsock URL: http://www.supernet.speedserv.com/downloads/winlockdll.dll

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: www.supernet.speedserv.com
Type: A
DNS: smtp.mail.yahoo.com.br
Type: A
Flows TCP: 192.168.1.1:1032 ➝ 188.125.69.59:25
SMTP: todasboas2009@bol.com.br

Raw Pcap
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a6332 566b5a58 67334e7a 63330d0a   ..c2VkZXg3Nzc3..
0x00000030 (00048)   4d544179 4d444d77 0d0a4d41 494c2046   MTAyMDMw..MAIL F
0x00000040 (00064)   524f4d3a 3c736564 65783130 32304079   ROM:<sedex1020@y
0x00000050 (00080)   61686f6f 2e636f6d 2e62723e 0d0a5243   ahoo.com.br>..RC
0x00000060 (00096)   50542054 4f3a3c73 65646578 31303230   PT TO:<sedex1020
0x00000070 (00112)   40796168 6f6f2e63 6f6d2e62 723e0d0a   @yahoo.com.br>..
0x00000080 (00128)   52435054 20544f3a 3c746f64 6173626f   RCPT TO:<todasbo
0x00000090 (00144)   61733230 30394062 6f6c2e63 6f6d2e62   as2009@bol.com.b
0x000000a0 (00160)   723e0d0a 44415441 0d0a4672 6f6d3a20   r>..DATA..From: 
0x000000b0 (00176)   434f4d50 55544552 2d585858 58585840   COMPUTER-XXXXXX@
0x000000c0 (00192)   70726f67 612e636f 6d2e6272 0d0a546f   proga.com.br..To
0x000000d0 (00208)   3a207072 6f636c69 656e7465 4070726f   : procliente@pro
0x000000e0 (00224)   67612e63 6f6d2e62 720d0a44 6174653a   ga.com.br..Date:
0x000000f0 (00240)   20536174 75726461 79202c20 31392041    Saturday , 19 A
0x00000100 (00256)   70722032 30313420 30353a30 393a3039   pr 2014 05:09:09
0x00000110 (00272)   20504d0d 0a537562 6a656374 3a204176    PM..Subject: Av
0x00000120 (00288)   69736f20 21202120 21202031 392f3034   iso ! ! !  19/04
0x00000130 (00304)   2f313420 31373a30 390d0a58 2d4d6169   /14 17:09..X-Mai
0x00000140 (00320)   6c65723a 204d6963 726f736f 66742043   ler: Microsoft C
0x00000150 (00336)   6f72706f 72617469 6f6e202d 204d6963   orporation - Mic
0x00000160 (00352)   726f736f 66740d0a 0d0a2020 0d0a4572   rosoft....  ..Er
0x00000170 (00368)   726f3a20 6e6f2061 67756172 646f2064   ro: no aguardo d
0x00000180 (00384)   6f207061 672e2064 6f20646f 776e6c6f   o pag. do downlo
0x00000190 (00400)   61642c20 65207661 69207061 6761722e   ad, e vai pagar.
0x000001a0 (00416)   2e2e0d0a 4d736720 64612076 657273e3   ....Msg da vers.
0x000001b0 (00432)   6f2e3a20 322e302e 33202d20 0d0a0d0a   o.: 2.0.3 - ....
0x000001c0 (00448)   2e0d0a0d 0a515549 540d0a              .....QUIT..


Strings
040904B0
2.00.0003
Comments
CompanyName
Desktop 
Desktop .exe
Desktops 
Desktops .exe
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
Microsoft Corporation
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
%?(@ :
																														
04s}\)
$	}0"E/
0EdW;K
@-0E,M
0j*:&P
0\r]u~
0	/si9#W
0T0V+tUK
0'#XrK
1uKRwT
1upb#U
1WlP"J
2"g63<
2#!L ;
2|NR.`
31l+?/
38.E&Y
(3 bsv
{.3I|piDv
3"K~&l
3KX&(,
3!s<D\
{[=	\4
4gy@;F
4$MEWR[c
4VsyTY
50#,(fJ
54aD]e
.5LG>-
5RML#_q
5(Zk<<u
6F!T@?
6g1	o(
6i^SDLz7f
6Nz4VNEM_
-#"6)Xu8[Y
7gbgaoZ
7l F#;
7T-!%kP'
]7wsw&!
>8]`	a
/(8;aM
8I"Q8,
8~w-`V
?8X.d4`
93;o#)N
_9mRRguO)(w
9u!q]	
9Z"%^IJ{g
A#2	bl
,[(?af
aFBD,D
agBoxAS
aJL(2r
Aml,-ZAN
_a `oh]
Aplicat
a&r;9#
[AspackDie!]
atCs<!
AWW"bt3[
A_}yp3}-p
Az#gM~
*b2j&n
bbR-5k4
 Bl2YV
Blhvs+
bO%=7i9
BoHFI:
C 7/q9{S;
cBF[r#
CDk@KR&
}C=K]-(
CKWH`T
C<n/4p
cOSf"	{
*c*(;W
.c+Y%5
	D27*cB
d4R]iL#8
D^a9o5,}t_e
dBp|KT
?d(}O?
*?D $XJ
^E0YjFZv
e!azVk
.]Ek9a
`evzHp
e;!YDPJ
FB3Qsk.
f_ /d!
fuK75!)@{
G.5xd,al 3
=G74M&
GaBm%9i
GetProcAddress
,GZKrX
H)4$bP
h+B3Az
HbC[fM)
H]c,dn
HdC	+7T
/H! gAne
:^ H	j
Hj7vKz
hR8ApW
H,=Tt}
huV%?;
h&ya63~
I0X$ WtB
@I11ul
I(5o|aQ
iKs}q!K
Ilic5/
i+(%p\
irtualFe
i}~s3,
I;v)mg
iwj o{
jDb'>R
)JG<qx]
{jn-{l
Jqyme{
	J#y|4n-
JYUMY_
K%1"oQO
k%1Pco x
K3@ i3B2"
K8O*ylR^
k',a5}|
/kA8.b(
kernel32.dll
kernl32.d
K>H >I
Kkn9A8
kt[#DE
~k:UFcB
l\6p\M
lg.%|!
l mTQ}K
LoadLibraryA
L;r^!c0
Lrf	oq$
lSF#t3
LTJV5;x0#
LU_dh{< %_
=L%VJ*%
|m3)v@
m6)PV3btD
MaXj9&
Me"xK~^
]m=G"f
mj{Xih
MOH=gu
mO\:n=
M&OW9R
_M=SKr
N6` h)Y}
n	{^8$b
=NFfPg
n.i	<F
N]%\oI
nRCe;Z
NrlOa-H
N_w}oag
.*O >/
	 o1Jj.r
)#o3^^+o
o6UM77!+
O76H\c
+o/`Jj
on er~
/o(RCVHl
P2 a%8
;p#5JbV
paa['`
P&C2X(
PECompact2
PhOw?~l
!{PWQS
q3+XM!
Q4LEui
q5@Q=7l
]q7mt.5
QB$\=F
Q	dx^U
,qLpeQ9
qmTLjr
qu42Y\	
qZ07Yq
qZglAU
!R)_1l)(h=~
R,7{\f
RE'<MGk
{;Re\n
rI"WF4o
R{}p58"M
r	Vb(?
_rZL:s{T
s2k<lel
S)|{3}
 =sB=?4
seni:r
|sKX_*
[S,#MZP
SzROHl
[T"E6q
tf@LS]
t/fvD-E
!This program cannot be run in DOS mode.
`TH xE,
TK=$y;
tl\)BZ
	tozZ4
T:zx8@
$@/u?~
U17x$L
u9B=%X;
u-A@n!
u=*e+y(
(Ugu(b
uj9m"k
~U|mpf8
USQWVR
UZ>@_/
V3b0;l
%v&`aWZ1
VG}]Fr
>vgKNq
VirtualAlloc
VirtualFree
V	Jjcc
vj\Z@	oXyR
vnqo4(
	(vTkL
=W'`@3
<W$7*K(
wBRiPP
Wvw_D+X
wxk4L-
$wYmd3
WZ%Jxc
x1^Prv
x4Ml'rTf
;x4[q{Bf
x.a_z%
x}^BF/,%
X~h#au:
X][hu"
*?xK+	T
XqJ'>_
_YaoVI
YB,E,M
y<e0e:
*y*I	Z
y:%~kN
yl<\;9
z,*05X
z8Uexg
z\a%ZbAJ
ZB++h4
-zdZp%
ZI=?fa
:ziP[W
z>J9oy
!#%zL/ 
z/m<nY
Z^_Y[]