Analysis Date: 2015-02-26 19:01:20
MD5: a1c3adcb6eb161412a113ab8a2acb4ad
SHA1: 0428cc7027591c3fd670c299eac5e7ec9023f1b7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bdf9ff571cb715841f3070eab9b48bd6 sha1: 78913f49baf6b15520ccb3c1a64f556eab4801fc size: 8192
Section .rdata md5: 2e28b00638373d261901f903a9b718bb sha1: 72894963fc43a9a32cb5410a86be545bc18e2587 size: 79360
Section .data md5: b123c4225fd7ea8ee80aedde87c66661 sha1: 7c69890943a336d1a0886101c0299be959c5eb99 size: 20480
Section .rdata2 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .data3 md5: c09c50076d33f36b4c69df5193709373 sha1: 8982f308d3a86f0704fe26d229068e0a87a7c372 size: 1024
Section .rsrc md5: 2e5d23bf9177dca909a71f49bd7d990c sha1: a517910f9da5316d34fb756b5d73bb5a12fe950a size: 1024
Timestamp: 2013-02-14 06:26:30
Version:
  LegalCopyright: © tttttt Corporation. All rights reserved.
  InternalName: migrate.exe
  FileVersion: 9.00.00.4503 (xpsp.080413-0845)
  CompanyName: tttttt Corporation
  ProductName: tttttt® Windows Media Services
  ProductVersion: 9.00.00.4503
  FileDescription: MLS Migrate DLL
  OriginalFilename: migrate.exe
Packer: Borland Delphi 3.0 (???)
PEhash: cd69c5645ce152e16dec1ee82752878aca28c407
IMPhash: 048e6d70cc482666d43f7adfa7dd799a
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.146618
AV Alwil (avast): Sirefef-AXJ [Rtk]
AV Arcabit (arcavir): Gen:Variant.Kazy.146618
AV Authentium: W32/S-6e812e11!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Variant.Kazy.146618
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.739
AV Emsisoft: Gen:Variant.Kazy.146618
AV Eset (nod32): Win32/Wigon.PH
AV Fortinet: W32/Wigon.PH
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.146618
AV Grisoft (avg): PSW.Generic10.BUFX
AV Ikarus: Trojan.Signed
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.QHosts
AV Mcafee: PWS-Zbot-FAKU!A1C3ADCB6EB1
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Kazy.146618
AV Rising: no_virus
AV Sophos: Mal/EncPk-AIT
AV Symantec: Packed.Generic.459
AV Trend Micro: TROJ_SPNR.14BP13
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.SB.01798
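The section hashes and the IMPhash above are the two static fields that are useful for pivoting: identical section digests across samples point at a shared packer stub or padding, and an identical IMPhash points at the same import table (same compiler/crypter output) even when the file hash differs. The block below is an added example, not code from the sandbox that produced this report, showing how both values are derived. The IMPhash follows the Mandiant scheme (DLL name lower-cased with its .dll/.ocx/.sys extension dropped, function name lower-cased, entries joined as `dll.func` with commas, then MD5); the import list is constructed from API names in the Strings section, but their order is assumed, so it will not reproduce the report's value.

```python
import hashlib
from typing import Dict, Iterable, Tuple, Union

# Extensions dropped from the DLL name before hashing, as in the original
# Mandiant imphash scheme (and pefile's implementation of it).
_STRIP_EXT = (".dll", ".ocx", ".sys")


def imphash_string(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """Canonical import string that the IMPhash is the MD5 of.

    imports: (dll, function) pairs in import-table order; function is a
    name or an ordinal. DLL names are lower-cased and stripped of their
    extension, function names are lower-cased, ordinals become 'ordN'.
    pefile additionally maps well-known ordinals (oleaut32, ws2_32) back
    to names; this minimal version does not.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in _STRIP_EXT:
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical import string; order-sensitive, case-insensitive."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def section_digests(raw: bytes) -> Dict[str, object]:
    """md5/sha1/size of a section's raw bytes, the three fields the report lists."""
    return {
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "size": len(raw),
    }


def is_zero_filled(size: int, md5_hex: str) -> bool:
    """True if a section of this size with this md5 consists only of NUL bytes,
    i.e. the section is padding rather than code or data worth pivoting on."""
    return hashlib.md5(b"\x00" * size).hexdigest() == md5_hex.lower()


# Constructed import list: the API names appear in the report's Strings
# section, but the order (which the hash depends on) is assumed here.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateMutexA"),
    ("KERNEL32.dll", "CreateThread"),
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("USER32.dll", "LoadIconA"),
    ("GDI32.dll", "AddFontResourceA"),
]

if __name__ == "__main__":
    print("import string:", imphash_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
    # .rdata2 from the report above: size 1024, md5 0f343b0931126a20f133d67c2b018a3b
    print(".rdata2 zero-filled:", is_zero_filled(1024, "0f343b0931126a20f133d67c2b018a3b"))
```

Run `is_zero_filled` against the 1024-byte `.rdata2` and `.data3` entries above before treating their hashes as a pivot; a section whose digest matches all-NUL bytes will match every other binary with the same padding and tells you nothing about this family.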

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\folohadlobos ➝ C:\Documents and Settings\Administrator\folohadlobos.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\folohadlobos.exe
Creates File: \Device\Afd\Endpoint
Creates Mutex: folohadlobos

Network Details:

DNS: smtp.glbdns2.microsoft.com Type: A 65.55.163.152
DNS: smtp.live.com Type: A
Flows: TCP 192.168.1.1:1031 ➝ 65.55.163.152:25
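The Runtime and Network details above carry three observables worth correlating rather than reading one line at a time: an HKCU Run value whose data is a file the sample itself dropped into the user profile, a mutex named after that dropped file, and a TCP flow from the sandbox host straight to port 25 on an external address that the preceding DNS answer resolves. The block below is an added example, not the sandbox's own code: a small parser for the report's event lines (normalised here to `Key: value` form, which is a constructed sample, not the sandbox's raw format) plus the correlation rules. The `Report` dataclass, the function names and the finding texts are all assumptions of this example.

```python
import ipaddress
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the Runtime and Network lines of the report above,
# normalised to "Key: value" form. Not the sandbox's raw output format.
SAMPLE_REPORT = """\
Process: C:\\malware.exe
Registry: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\folohadlobos ➝ C:\\Documents and Settings\\Administrator\\folohadlobos.exe
Registry: HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\AppManagement ➝ NULL
Creates File: C:\\Documents and Settings\\Administrator\\folohadlobos.exe
Creates File: \\Device\\Afd\\Endpoint
Creates Mutex: folohadlobos
DNS: smtp.glbdns2.microsoft.com Type: A 65.55.163.152
DNS: smtp.live.com Type: A
Flows: TCP 192.168.1.1:1031 ➝ 65.55.163.152:25
"""

ARROW = r"(?:➝|->)"  # the report uses ➝; accept a plain ASCII arrow too


@dataclass
class Report:
    registry: List[Tuple[str, str]] = field(default_factory=list)  # (key path, data)
    files: List[str] = field(default_factory=list)
    mutexes: List[str] = field(default_factory=list)
    dns: Dict[str, List[str]] = field(default_factory=dict)  # name -> A answers
    flows: List[Tuple[str, str, int, str, int]] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Pull the registry, file, mutex, DNS and flow events out of the report lines."""
    r = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(rf"Registry:\s+(.+?)\s+{ARROW}\s+(.*)$", line):
            r.registry.append((m.group(1), m.group(2)))
        elif m := re.match(r"Creates File:\s+(.+)$", line):
            r.files.append(m.group(1))
        elif m := re.match(r"Creates Mutex:\s+(.+)$", line):
            r.mutexes.append(m.group(1))
        elif m := re.match(r"DNS:\s+(\S+)\s+Type:\s+(\w+)\s*(.*)$", line):
            if m.group(2) == "A":  # an A query with no answers yields an empty list
                r.dns[m.group(1)] = m.group(3).split()
        elif m := re.match(rf"Flows:\s+(\w+)\s+(\S+):(\d+)\s+{ARROW}\s+(\S+):(\d+)$", line):
            r.flows.append((m.group(1).upper(), m.group(2), int(m.group(3)),
                            m.group(4), int(m.group(5))))
    return r


def triage(r: Report) -> List[str]:
    """Correlate the parsed events into the findings an analyst would pull out."""
    findings = []
    dropped = {f.lower() for f in r.files}
    # 1. Persistence: a Run value whose data is a file this sample created.
    for key, data in r.registry:
        if "\\currentversion\\run\\" in key.lower() and data.lower() in dropped:
            findings.append(f"persistence: Run value {key.rsplit(chr(92), 1)[-1]} launches dropped file {data}")
    # 2. Single-instance guard: mutex named after the dropped file's stem.
    stems = {os.path.splitext(f.rsplit("\\", 1)[-1])[0].lower(): f for f in r.files}
    for mtx in r.mutexes:
        if mtx.lower() in stems:
            findings.append(f"mutex {mtx} matches dropped file {stems[mtx.lower()]}")
    # 3. Direct-to-MX mail: private source straight to TCP/25 on a public host.
    ip_to_name = {ip: name for name, ips in r.dns.items() for ip in ips}
    for proto, src, sport, dst, dport in r.flows:
        if (proto == "TCP" and dport == 25
                and ipaddress.ip_address(src).is_private
                and not ipaddress.ip_address(dst).is_private):
            host = ip_to_name.get(dst, "unresolved")
            findings.append(f"direct outbound SMTP: {src}:{sport} -> {dst}:25 ({host})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(finding)
```

The third rule is the one that generalises beyond this report: a workstation opening TCP/25 to an address it just resolved for a public mail provider, rather than relaying through the site's own mail server, is the network-side signature of a host sending mail on its own, which is consistent with the Cutwail and BackDoor.Bulknet labels in the AV results above. The 192.168.1.1 source here is the sandbox VM; on a real network, replace the `is_private` test with the address ranges of your user subnets and allowlist your mail relays.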

Raw Pcap

Strings
Re4..
?9
..
.N.X.
040904B0
33vapi32
9.00.00.4503
9.00.00.4503 (xpsp.080413-0845)
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
migrate.exe
MLS Migrate DLL
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
tttttt
tttttt Corporation
 tttttt Corporation. All rights reserved.
VarFileInfo
VS_VERSION_INFO
 Windows Media Services
130204161337Z
:!1'Y8^
[]1+YL
2AxraA
2bJ*4~
33gOpenKeyExA
391231235959Z0
	)3jlH
4;;	kBx'H
}5SZ"j,	
5XW/BcE
6dxp0-
6sw*/oqY9aap;ah
_8L}T5n
9duCPiL
ab*1Fl5
AddFontResourceA
aHwsiHOs
applications\msconf.dll
B%7}4%.
'B]jYw
.bQNT1ShG3U
)c\bv>
cI?>mD
CloseHandle
CreateFileA
CreateFontIndirectA
CreateMutexA
CreateThread
csF[<E
D97r	"
@.data
@.data3
dA`YJUh;9G#J ?
DeleteCriticalSection
~]EAt<
EE9Xz.
>EH5Aa
'EUk#|
Fi,/Dh9+Jb
FileTimeToDosDateTime
FileTimeToLocalFileTime
FormatMessageA
\]F]tU
\/G'}A
GDI32.dll
GetCommandLineA
GetCurrentDirectoryA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetFileAttributesA
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetStockObject
GetVersion
GetVersionExA
<Gy	d|
Ha> \}
HeapAlloc
HeapFree
HpE{zO
{i%3Af
i8Wp q}
InitializeCriticalSection
jc:+BcJ
je `jdndw.bf
j~m5WP
:J&$Vt
KERNEL32.dll
k-m2LS%
LeaveCriticalSection
L[O3T2u4e@B
LoadIconA
LoadLibraryA
LoadLibraryW
LocalAlloc
LocalFree
lstrcmpiA
lstrcpyA
lstrlenA
M29~4B9
m9w;x[G
mVGJm$
n!%)68S2WVX
(n7f;t"b
(n^}*i"
nU&34-
o`PL*/+
oR4u"K
osaaZp'dS6
Oty\&e
PCea?y [N
pU`P/8
{Qw*~z
`.rdata
.rdata2
rd[y,xt
r ;qrK;
SetCurrentDirectoryA
SetErrorMode
SetLastError
!This program cannot be run in DOS mode.
 T&@k<
t{w7ZJN%u
'UjrC4
USER32.dll
V6`\8z
VirtualAllocEx
WaitForSingleObject
#_xd"-o
]xh2f=
%$Xw;Q
XX3uE&
\xx]:~P
Y8<437C
=^yL,A77-
)?y:"TBY3;b
$\Zd=[C"
zE')\Vd
?;_zG;
ZTh{J?y
zym=PhT