Analysis Date: 2015-01-27 20:30:16
MD5: f83c5b39dd139e8abbf788d46ffdb108
SHA1: 02251011881efd2ef57fac5903fc070394c609f2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6c61f2c782d20943b9056534f4d2159a sha1: 35216abb09ce22b34d2c6279b07919577a5b3fd5 size: 6656
Section .data md5: e8df613c4ba6ff98da8ad5e754e75688 sha1: 41b0438ed5682cd84343ff75e92066b91acad445 size: 47616
Section .rsrc md5: 750ce3f9645e63602744d1b5337e18fd sha1: ef5fad077ab405b6ab87f29549d15db2cef1e328 size: 4096
Timestamp: 2009-04-24 11:27:53
Version LegalCopyright: Copyright © 2010 4 PC Tools. k All rights reserved.
InternalName: mag8l.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: 0 5H
ProductVersion: 7.0.0.61
FileDescription: Video Component
OriginalFilename: mag8l.exe
PEhash: 2eef51c9d3e4c58e39098ff72e53dacaf192b21e
IMPhash: d4911e45f93e475a6f8c77cd18a4ba9d
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.20472
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): Gen:Variant.Kazy.20472
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Variant.Kazy.20472
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Jorik-94
AV Dr. Web: Trojan.DownLoader2.42837
AV Emsisoft: Gen:Variant.Kazy.20472
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BBT
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.20472
AV Grisoft (avg): Generic22.TKZ
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Trojan-Downloader ( 0017ee531 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.aq
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.20472
AV Rising: Trojan.Win32.Generic.128A1A09
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Downloader
AV Trend Micro: TROJ_KRYPTO.SMIJ
AV VirusBlokAda (vba32): Heur.Trojan.Hlux

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.98.139
DNS: seesaa.net
Type: A
59.106.28.139
DNS: yelp.com
Type: A
198.51.132.180
DNS: yelp.com
Type: A
198.51.132.80
DNS: flashz.in
Type: A
DNS: webdatum.in
Type: A

Raw Pcap

Strings
3pg..
.
...7
040904E4
0 5H
 2010 4 PC Tools. k All rights reserved. 
7.0.0.61
&About
ASCw
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
mag8l.exe
MAINMENU(
&Open
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
Video Component
videosoft
VS_VERSION_INFO
0cl7yY
0,N	VB
0udB|n
1o4y8Q9
1t4zHUAA3
}1tyW,_
20:f1^
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3B""$33333
3Qt	&o
)"$>4}
49~EdA[
4"*""C3338
,\<4"t
4U.texZ
5XPlY8L
7"PDaz	
7;`qgU
9xtcvF
	? A5=
AcELIW
  </application> 
  <application> 
Apr 24S
AQA38bq
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
b7llI!
bCPmY#
BiQuHo
bS40QT
c1\MMV
"C3338
c792ZJ
"C8338
CALC.EXE
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
C^OVz:M=
CP60v>
`.data
>dWINT
E5<%}+
-Eisgo{
erffdgK
#Es{|V
ET.dlwU
ExitProcess
F8XV4Y0
G987654
GetFileAttributesA
GetFileType
GetMenu
GetMenuItemCount
Gm]pf-
HV?	#(
_hZLV+
inVjHD
IoEAkp
"J333333
"J"C3333
$kCoun
KERNEL32.dll
/KiXp`
=-#%Kp
LFQ:"6
=lgQ)u{'4X
Ln3SBt
LoadLibraryA
-m{1e|
mag8l.exe
MB4VX57iw
mek __
M_WFl\
N3OcfaEg
n8ifXM3
P6|70*
PayHc8
Pj-_e"
q61v6T
QAEvXZ\
QaFjfF
qM{~=;
qMY>w$K&
qSqcBJ
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetClipboardData
SetCursor
SetForegroundWindow
S-gXPs[
SsttR8l
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
T="1.0}o{
t%6"5D.M
T8sI1Z
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
_TidyN
tr$ng@7,
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
tt207X
Uj8|G(
Umbly 
UOg9vU
U?Q1X$b
urM:HchM
USER32.dll
VirtualAllocEx
VKQ[Q<
v.u5H;
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xml vh
X_Nl5T
Y3tTl7T
Y3YGaf
']YBCf
yC2rSn
>yD%4X
yF|{@=
YjFwY07
}y|oPkZ
yqUkWwgtcx
zEYB0DEcl