Analysis Date: 2013-09-17 14:01:45
MD5: 8982dc2bd1f972f45b9aede4f39da802
SHA1: 03ca48f8091cc6d8c4e033a939471515fe8848e1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9348c59cf1118f756c83bd01f555dc11 sha1: 1a637c91dfbc8c9f0a0be7c0b5dc3562fb5246b9 size: 5120
Section .rdata md5: d35e64079f49e0f9efbb40f3e2a9e065 sha1: 387259820fb17a2e76ebab562b9e6e23a8ddc8b6 size: 1536
Section .data md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc md5: af337b73547fe44d8db91b0d9d073c52 sha1: 9de8c09c6de68aaccd2f59ea51fb0a22ffe4a949 size: 55296
Section bkwiutb md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
(The bkwiutb digests are the MD5 and SHA-1 of empty input: the section has no raw data on disk, so hashing it tells you nothing about its contents. Its name also appears in the strings list below.)
Timestamp: 1996-01-22 02:23:44
PEhash: dbb13ac9f9163b8d46bba2c715899c85aeb5fccd
AV msse: Trojan:Win32/Lethic.B
AV avg: Generic30.IPO
AV clamav: Win.Trojan.Agent-157589
AV avira: TR/Winwebsec.884987
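The per-section hashes and the strings list above can be reproduced from the file itself without a sandbox. The following is an added example, not the sandbox's own code: it parses the PE section table, hashes each section's raw (file-aligned) bytes, extracts printable strings, and renders the result in the report's own "Section ... md5: ... size:" style. The PE it runs on is a minimal image constructed inline (three populated sections plus a zero-length one named like bkwiutb), not the analysed sample; the 1996 timestamp is set deliberately to show how the COFF TimeDateStamp decodes.

```python
"""Reproduce a static-details block: section hashes, timestamp, strings.
Added example; the PE it parses is constructed below, not the real sample."""
import hashlib
import re
import struct
import time

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
FILE_ALIGN = 0x200                            # raw section data is padded to this


def parse_pe(data: bytes) -> dict:
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table; hash each
    section's raw bytes exactly as stored on disk (padding included)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    opt_off = coff_off + COFF_HDR.size
    magic, = struct.unpack_from("<H", data, opt_off)   # 0x10B = PE32, 0x20B = PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, _ = \
            SECTION_HDR.unpack_from(data, sec_off + i * SECTION_HDR.size)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "size": raw_size,
            # a header may claim more bytes than the file holds; flag that
            # rather than silently hashing a short slice
            "truncated": len(raw) != raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tstamp)),
        "sections": sections,
    }


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like `strings`."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def format_report(data: bytes) -> list:
    """Render the parsed image in the report's own layout."""
    info = parse_pe(data)
    kind = "PE32+" if info["pe32plus"] else "PE32"
    lines = [f"File type: {kind} executable, machine 0x{info['machine']:x}"]
    for s in info["sections"]:
        lines.append(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    lines.append(f"Timestamp: {info['timestamp']} (UTC)")
    return lines


def _align(n: int) -> int:
    return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Constructed test input: DOS header, PE signature, COFF header, a zeroed
    224-byte PE32 optional header, one section header per entry, raw data."""
    opt_size = 224
    hdr_end = _align(0x40 + 4 + COFF_HDR.size + opt_size + SECTION_HDR.size * len(sections))
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    out += b"PE\0\0"
    out += COFF_HDR.pack(0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    out += opt
    body, raw_ptr, vaddr = bytearray(), hdr_end, 0x1000
    for name, payload in sections:
        raw_size = _align(len(payload))                  # 0 for an empty section
        out += SECTION_HDR.pack(name.ljust(8, b"\0"), len(payload), vaddr, raw_size,
                                raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += 0x1000
    out += b"\0" * (hdr_end - len(out))
    return bytes(out + body)


# Constructed sample; 822277424 is 1996-01-22 02:23:44 UTC, the report's timestamp.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec" + b"This program must be run under Win32\0"),
    (b".rdata", b"KERNEL32.dll\0USER32.dll\0CloseHandle\0"),
    (b".data", b"\0" * 16),
    (b"bkwiutb", b""),          # zero-length section, like the report's
], timestamp=822277424)

if __name__ == "__main__":
    print("\n".join(format_report(SAMPLE_PE)))
    print("\n".join(ascii_strings(SAMPLE_PE)))
```

Run it as a script to see the rendered block; on a real file, pass `open(path, "rb").read()` to `format_report` and compare the digests against the report. The `truncated` flag is the check to watch on samples with odd section tables: a header whose PointerToRawData plus SizeOfRawData runs past end of file yields a short slice, and its hash will not match a tool that pads or rejects it.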

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: "C:\malware.exe"

Process
↳ "C:\malware.exe"

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2a2f_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 168

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 168

dwwin.exe is Dr. Watson, the Windows XP crash reporter; Windows launches it as dwwin.exe -x -s <pid> when a process faults, and the *_appcompat.txt file it writes to the user's Temp directory is the crash report. The trace therefore records the sample crashing in the sandbox shortly after start, not the behaviour the AV names (Lethic, Winwebsec) describe, so the absence of further file, registry or network activity should not be read as the sample being inert.

Network Details:

Strings:

"$~-=]
06mWeD`
0]_Dyq
0O1L-pc
]1QEc~7_
3f0To_]
@3kH;:uT
,43Ofg
6eOG9uQE
>#6jxh
~6'rnVh
`6x.).h
7}qYZw}7k
8^SqOG
]9NDId^
a^_a=D
{,A'!G
\::A'os[AU
bkwiutb
Bq%n68^z	6`
BT33a5
BT=bo'.
BT@Hv za[;
B&U"3'
CallWindowProcA
CancelIo
cC;RRf
ce1=GSCy
CL'dW$
CloseHandle
CreateEventA
CreateIcon
Cy {,e
d7>eMf
DeleteFileW
DestroyMenu
DispatchMessageA
Dp&l87_x
DrawTextW
ejuEd[
EQ, B^\
E"y/28I
:\Fb)m8
\FdL)|
FindResourceW
FindWindowA
fO_go4
F:r$lg
,g_77o&pet
GetClassInfoA
GetCommandLineA
GetEnvironmentVariableA
GetModuleHandleA
GetStartupInfoA
GetSysColor
GetTimeFormatA
GetVolumePathNameA
GetWindowLongA
g-`F{PD<e
g,'oPvl
gTaIfs
h(23AC
h6`Hyo'
HeapCreate
HeapDestroy
-i^el(
I EQRby
IsWindow
IsZoomed
`JDi.Q
{J%IMs
j,.`j,6
j+?k Q
jmokR6
%|J|xIQW
KERNEL32.dll
KHCA>w9lC
KK"OLs
k+T	.h
l*7	r$
l*fUq%
Lg>tV}
*li@b4
lstrlenA
{>>]mbu
N)?f^q
Niz~\'>
\>{N$X_
O0~1ZH
*&)O"d
'osMd2
P$0TV[
pc"S	EQ(
PeekMessageA
PF@zp%
PSBASE.dll
%q1p2d
`.rdata
RDT5n(
ResetEvent
S<I80{w
SPDeleteSubtype
sQb^"$
T'*a#o
This program must be run under Win32
TlsGetValue
/trU6um>$
USER32.dll
VirtualQuery
vLy]vK
@Vw1k+
wqU5D!_
wwwwwwwx
+XEe?	
XVt:1n
xxdD"pp
' :Y3>
	"y<k]
ztQi-#