Analysis Date: 2014-09-02 02:38:36
MD5: 542127b9a06e6a1c07024bca2d7cdb34
SHA1: 03ca96455fba259efc14ac976b8f6255553548e7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a6d83d845138ad7b2873779800bcfd83 sha1: 27134a27cb453ac57c07b1a1ab7eeb3d4624084f size: 62976
Section .rdata: md5: e732e4b5d0885c4262804813c0b08f9e sha1: 37cac6d0d4d9f69f287df80011797650244787a0 size: 512
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (both are the hashes of empty input, consistent with the zero raw size)
Section .rsrc: md5: 4ae71336e44bf9bf79d2752e234818a5 sha1: e129f27c5103bc5cc44bcdf0a15e160d445066ff size: 16
Timestamp: 2009-05-21 12:48:14
Packer: Borland Delphi 3.0 (???)
PEhash: 2d05aa453409b9898636187f786fed2d2303b707
IMPhash: fdd8a53a57827a7a2c48d0c0c65be18e

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1a65_appcompat.txt
Creates File: PIPE\lsarpc
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1a65_appcompat.txt
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1208 -e 124 -g (drwtsn32 is the Windows Dr. Watson crash handler; together with the appcompat.txt create/delete above, this looks like the sample faulting in the sandbox rather than deliberate child-process activity — confirm before treating it as sample behavior)

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1208 -e 124 -g

Network Details:



Strings
>
.n.QR^
.
.
Y..
.
^
TYPELIB
        />
!	[>02
0sRXpr
0wQc4>
1xz><b
2M+j>g
\>2mQAp>Q
2vVsF|mJ
<3ee9D
)4ci_`4RuF
4i&ej>!NGPZk
4p>mQz
>`/5uh
\>6aPX
6B9Cr4
@6o#j8n)
\>6*	RI
6xPdxR^f
+_=7bV
8P7PM^
&(8tt_[
92$~\ijyv
!#:^)#\A
!a'_4Cv+
&A	F|1
</assembly>
<assemblyIdentity
        <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
aUP([b
A_Y%4+
BH#!rZ)
>bkLmX
+}bX6X
b/z!bf
Cdpe9 
ceCvt@
/CG,;9
C>noeTK
c-/OMI7
CuLd%<
c$}wG)4h
c*xE0J.
c-~{Zf
d0~tQsqr
d20d;[s
d%6w%*
@.data
DeleteCriticalSection
</dependency>
<dependency>
    </dependentAssembly>
    <dependentAssembly>
<description>MSN Messenger Service</description>
dtvuRPwMr
{ege6i
EnterCriticalSection
EznVtE
f3|aQh
$f7ORu
fb}&KpZ
"/f`f6
ffffg`
fg&Rmz
fhohg`
"fi&,uoA
fsLs$R|t&
fw\r}c<
F];X6W;
]@gDpU
GetLastError
^G)HDz
GH[J7{
G/n%ow
H8sqzr
hbkYKuOpK
hcrvQ::
hMs*U8qy
i5SvQt4
	ICN{e
	i>d`6r6x:Mw0s\W
iIJb<#(bc
Ii?~|R
io)]XRDk
iX|,8I
JAc3*e
Jis`6s@
JjmUCM
\(jm#b
;jo8c:Nu>wh_jqs{Pi>d:\bqboP'8~:zH
{juvIZjjk
JV_tA>T
k6JhPt
KERNEL32.dll
k>gsOf]
]K=I,Q&
KuXp?V
            language="*"
LeaveCriticalSection
L	MP4a
Lr?dsSbquhLh#
LWu%e{RF=|u]
lW`'z&)
LzmbX\Ev
m"J(_H
M?lI+LaX;
MpnMiEV"
m#PzZno	TK
MVDk{mtb
mzB_,0
    name="Microsoft.MessengerService.Messenger"
            name="Microsoft.Windows.Common-Controls"
"&n]os
,{NQ8um
nzI<grF_v
#o5MLj;
OGHx4:Ta
;o#h|>^y\
o+iimI
)Ok=<]=)K
}oMsqr
~O.o$<L
OYd/X';
pDrWtq`hQ`#qw
<=Pe44=w*{
pjF'hnh
PkB4	&
~PKpU])KZ
p>mQFM
p>mQ@r>
;`Pn;Fj
            processorArchitecture="X86"
    processorArchitecture="X86"
PRVTDm
            publicKeyToken="6595b64144ccf1df"
/P}Xi!V&
Q8cO},z0H
QFsLs$qvnu>d
QFsLs$qvxu4u
QJw4c>~RkQ]Jl)5|v>P
Q@p>mQ
Q@p>mQz
%q_tHM}
qUvl6,
r_Ct<.
Rd76sj
`.rdata
rKlToY
r#YAHT
RY+O.tJ
sbbsPqC2
SetUnhandledExceptionFilter
sP^PMR
?sW0wg G
swf{z,
tCn]ik
TerminateProcess
TgkQey|i
!This program cannot be run in DOS mode.
T>:mQ@
T>*o=TK
            type="win32"
    type="win32"
T*>Yz%
^>,t@Z
_u6eKM
`u7mP,
~uB(m0
U?:Gxe
U{JB\Y
u(l6"n|
unnu>s[Zc#uiM
unqw4~_Pr<Q
u@SNWjU
u$~:WiqTUm'<
uyJh#i3
V9%=8z6
Vb0`uq
    version="1.0.0.0"
            version="6.0.0.0"
VirtualAlloc
vr)v|j&B
~V[u|O
@VX""@!
vzEVy8}
^w7|Umc9
wE$!:ukYP
wIcx"3%_`
|,WN%>
W Pw1L1
\wrxtLrD
XBm/)P
XdJTlMb
XM(	>	bd)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
]xn'wo
xP$o0@
|y_d9u
yxLf#i[>
z#I@r>
ztu]~:
(z&_uc8
]zXgY~z