Analysis Date: 2015-02-01 15:53:23
MD5: 9cc3fb80d72bf26df41b41b7df2a8aab
SHA1: 0312547ec93d47d53d407d2e13d34001227106ec

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1c77abd4f925e09047e1fc293b2f1a9a sha1: c0bec1766d9144ca035c0c84df9562902553fd10 size: 40448
Section .data: md5: e9adad2634873705fa0daa26055079b4 sha1: 3175026e1d78e134c2b9a518002105b57b6c0d34 size: 3584
Section .idata: md5: efe217ac6d8fadb114f3dbbef12114ac sha1: de2216cc9c92f555f579d8a5102ecd44d4bd7977 size: 4096
Section .rsrc: md5: c4aa351bdc9003ab066d57dd059d07c8 sha1: fd0bf8887d7c6404deef650e0ab447ad2031b073 size: 15360
Timestamp: 2003-03-08 19:04:18
PEhash: bfe691241667c1846a8d7e9704d26a27d8edae2f
IMPhash: d12511746616e51fa0b0ad0ceadeab40
AV 360 Safe: no_virus
AV Ad-Aware: Dropped:Generic.Banker.VB.97FC3362
AV Alwil (avast): Bancos-MS [Trj]
AV Arcabit (arcavir): Dropped:Generic.Banker.VB.97FC3362
AV Authentium: W32/Bancos.GUUZ-9135
AV Avira (antivir): no_virus
AV BullGuard: Dropped:Generic.Banker.VB.97FC3362
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Trojan.Spy.Banker-981
AV Dr. Web: Trojan.PWS.Bancos.207
AV Emsisoft: Dropped:Generic.Banker.VB.97FC3362
AV Eset (nod32): Win32/Spy.Bancos.U
AV Fortinet: W32/Bancos.NJN!tr
AV Frisk (f-prot): W32/Bancos.HGT
AV F-Secure: Dropped:Generic.Banker.VB.97FC3362
AV Grisoft (avg): PSW.Banker.YPI
AV Ikarus: Trojan-Banker.Win32.Bancos
AV K7: Spyware ( 00482d511 )
AV Kaspersky: Trojan-Banker.Win32.Bancos.ha
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Dropped:Generic.Banker.VB.97FC3362
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan Horse
AV Trend Micro: TSPY_BANKER.GEN
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR SFX\C%%WINDOWS ➝ C:\WINDOWS\\x00
Creates File: msndll.exe
Creates Process: C:\WINDOWS\msndll.exe

Process
↳ C:\WINDOWS\msndll.exe

Creates File: c:\windows\kernels32.exe
Creates Process: c:\windows\kernels32.exe

Process
↳ c:\windows\kernels32.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service System ➝ "c:\windows\kernels32.exe"\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run\Service System ➝ "c:\windows\kernels32.exe"\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE927.tmp
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ieupdate.dat
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: www.supernet.speedserv.com
Winsock URL: http://www.supernet.speedserv.com/downloads/winlockdll.dll

Network Details:

DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: www.supernet.speedserv.com (Type: A)
DNS: smtp.mail.yahoo.com.br (Type: A)
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25

Strings