Analysis Date: 2015-09-10 03:30:45
MD5: dee2cf43edef5cad8e5acf72c786b457
SHA1: 053488d90976b676ee07a92366f3677af8d5a468

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 96f19965715a9b4a77290326ac9e545c  sha1: 5c40f458dea04920bd36bd718a4eed9e52b9ff43  size: 4608
Section .data   md5: 5e210c11b9fe92358c4fa917043afda7  sha1: 0facd928697b3deed173c2149df0e2bc3e3a78a0  size: 7168
Section .idata  md5: bdd6e11a11fffb3445806e7648a94008  sha1: 8d8b343a67cd2d91ec8e124914714cdc3cd4cc70  size: 1024
Section .rsrc   md5: 2d206b8f393c1844fd6fb61d74d40184  sha1: fd6b747a1d974c755bb891bfc7d7eff66104bf98  size: 5632
Timestamp: 2005-05-22 14:12:56 (PE header compile time; this field is attacker-controlled and is not a reliable build date)
PEhash: ce3bc120108d387da2ce5a17a7e137c6979cb775
IMPhash: c5effa462f51432aeac8904668baca02
AV CA (E-Trust Ino): Win32/Zbot.HSD
AV F-Secure: Gen:Variant.Kazy.311358
AV Dr. Web: Trojan.DownLoad3.28161
AV ClamAV: Win.Trojan.Agent-926624
AV Arcabit (arcavir): Gen:Variant.Kazy.311358
AV BullGuard: Gen:Variant.Kazy.311358
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV Trend Micro: TROJ_UPATRE.SMZ3
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Bublik.Win32.12641
AV Emsisoft: Gen:Variant.Kazy.311358
AV Ikarus: Trojan-Spy.Zbot
AV Frisk (f-prot): W32/Trojan3.GVH
AV Authentium: W32/Trojan.SCZK-3312
AV MalwareBytes: Trojan.FakePDF
AV MicroWorld (escan): Gen:Variant.Kazy.311358
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV K7: Trojan ( 00491c461 )
AV BitDefender: Gen:Variant.Kazy.311358
AV Fortinet: W32/Kryptik.CF!tr
AV Symantec: Trojan.Zbot
AV Grisoft (avg): Crypt2.CDKF
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.311358
AV Twister: Trojan.F6A51FE26F4C2052
AV Avira (antivir): TR/Dldr.JQGV
AV Mcafee: PWSZbot-FOH!DEE2CF43EDEF
AV Rising: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"
Creates Mutex: VideoRenderer

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: VideoRenderer
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: pvwebsolution.com
Winsock DNS: bestdatingsitesreview4u.com

Network Details:

DNS: bestdatingsitesreview4u.com, type A ➝ 50.63.202.53
DNS: pvwebsolution.com, type A ➝ 192.151.147.35
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1033 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.53:443
Flows TCP: 192.168.1.1:1035 ➝ 192.151.147.35:443
Flows TCP: 192.168.1.1:1036 ➝ 192.151.147.35:443
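The runtime and network sections above mix indicators that are specific to this sample (the dropped budha.exe, the two contacted domains and addresses) with side-effects that any process calling the IE/WinINet stack produces (index.dat cache files, the cache-path mutexes, WininetConnectionMutex, the Afd socket endpoint, RPC pipes). The following is an added example, not part of the sandbox report, that parses report lines of this shape into a structured IOC set and sets the generic artifacts aside. The sample lines are copied from this report; the noise rules are this example's own heuristic and not something the report states.

```python
# Added example, not part of the sandbox report: parse Runtime/Network lines
# into IOCs and separate OS/WinINet side-effects from sample-specific ones.
import re

# Constructed sample: lines copied from this report. The parser accepts both
# the fused "Creates FileC:\..." spelling and "Creates File: C:\...".
SAMPLE_LINES = [
    r"Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe",
    r"Creates FilePIPE\wkssvc",
    r'Creates Process"C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"',
    "Creates MutexVideoRenderer",
    r"Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat",
    r"Creates File\Device\Afd\Endpoint",
    "Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!",
    "Creates MutexWininetConnectionMutex",
    "Winsock DNSpvwebsolution.com",
    "DNSbestdatingsitesreview4u.com",
    "Type: A",
    "50.63.202.53",
    "Flows TCP192.168.1.1:1031 ➝ 50.63.202.53:443",
    "Flows TCP: 192.168.1.1:1035 ➝ 192.151.147.35:443",
]

# "Winsock DNS" must precede "DNS" so the alternation does not match the shorter key first.
KEYS = ("Creates File", "Creates Process", "Creates Mutex",
        "Winsock DNS", "DNS", "Flows TCP", "Registry")
KEY_RE = re.compile(r"^(" + "|".join(re.escape(k) for k in KEYS) + r")\s*:?\s*(.+)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(rf"({IPV4}):(\d+)\s*➝\s*({IPV4}):(\d+)")
BARE_IP_RE = re.compile(rf"^{IPV4}$")


def is_generic_noise(kind, value):
    """Heuristic (this example's own): OS and WinINet side-effects such as named
    pipes, the Afd socket endpoint, IE cache index files and the mutexes that
    guard the IE cache directories. These appear for any WinINet client."""
    v = value.lower()
    if kind == "file":
        return (v.endswith("index.dat") or v.startswith("pipe\\")
                or v.startswith("\\device\\afd"))
    if kind == "mutex":
        return v == "wininetconnectionmutex" or v.startswith("c:!")
    return False


def extract_iocs(lines):
    iocs = {k: set() for k in ("files", "processes", "mutexes", "domains", "ips", "flows")}
    noise = set()
    for raw in lines:
        line = raw.strip()
        if BARE_IP_RE.match(line):              # resolved address printed on its own line
            iocs["ips"].add(line)
            continue
        m = KEY_RE.match(line)
        if not m:
            continue                            # headings, "Type: A", blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Creates File":
            (noise if is_generic_noise("file", value) else iocs["files"]).add(value)
        elif key == "Creates Mutex":
            (noise if is_generic_noise("mutex", value) else iocs["mutexes"]).add(value)
        elif key == "Creates Process":
            iocs["processes"].add(value.strip('"'))
        elif key in ("Winsock DNS", "DNS"):
            # First token is the name; any address on the same line is its resolution.
            iocs["domains"].add(value.split()[0].rstrip(","))
            iocs["ips"].update(re.findall(IPV4, value))
        elif key == "Flows TCP":
            fm = FLOW_RE.search(value)
            if fm:
                dst_ip, dst_port = fm.group(3), int(fm.group(4))
                iocs["flows"].add((dst_ip, dst_port))
                iocs["ips"].add(dst_ip)
    iocs["noise"] = noise
    return iocs


if __name__ == "__main__":
    for k, v in extract_iocs(SAMPLE_LINES).items():
        print(f"{k}: {sorted(map(str, v))}")
```

VideoRenderer is deliberately kept as an indicator rather than filtered: the report shows it created by both the original binary and the dropped budha.exe, and whether it is sample-specific is for the analyst to decide, not the heuristic.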

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.
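Each hex dump above shows only the first three or four bytes of a stream to tcp/443: 80 4c 01 03 or 80 2b 01. That is the SSLv2-compatible record framing: a first byte with the high bit set announces a two-byte header, the remaining 15 bits carry the record length (0x004c = 76 and 0x002b = 43 here), the first body byte is the message type (0x01 = CLIENT-HELLO), and for a hello the next two bytes are the offered version (MSB, LSB). The decoder below is an added example, not part of the sandbox report; it assumes the sandbox truncated each capture after those few bytes and therefore reports which fields were actually seen. The report does not say which dump belongs to which of the six flows, so the example does not claim a mapping either.

```python
# Added example, not part of the sandbox report: decode SSLv2-compatible
# record headers from the truncated "Raw Pcap" dumps.
from dataclasses import dataclass
from typing import Optional

MSG_CLIENT_HELLO = 0x01


@dataclass
class V2RecordHeader:
    length: int                     # 15-bit record length from the two header bytes
    msg_type: Optional[int]         # first body byte, if captured
    version_major: Optional[int]    # CLIENT-VERSION-MSB, if captured
    version_minor: Optional[int]    # CLIENT-VERSION-LSB, if captured
    truncated: bool                 # fewer bytes seen than header + length


def decode_v2_record(data: bytes) -> V2RecordHeader:
    if len(data) < 2:
        raise ValueError("need at least the two header bytes")
    if not data[0] & 0x80:
        raise ValueError("high bit clear: not a two-byte SSLv2 record header")
    length = ((data[0] & 0x7F) << 8) | data[1]

    def byte(i):                    # None when the capture stops before byte i
        return data[i] if len(data) > i else None

    return V2RecordHeader(
        length=length,
        msg_type=byte(2),
        version_major=byte(3),
        version_minor=byte(4),
        truncated=len(data) < 2 + length,
    )


def describe(hexdump: str) -> str:
    h = decode_v2_record(bytes.fromhex(hexdump))
    if h.msg_type is None:
        kind = "unknown"
    elif h.msg_type == MSG_CLIENT_HELLO:
        kind = "CLIENT-HELLO"
    else:
        kind = f"type 0x{h.msg_type:02x}"
    if h.version_major is None:
        ver = "?"
    else:
        minor = "?" if h.version_minor is None else str(h.version_minor)
        ver = f"{h.version_major}.{minor}"
    text = f"v2 record len={h.length} {kind} version={ver}"
    return text + (" (truncated capture)" if h.truncated else "")


# Constructed from the six dumps in the report, in the order printed.
CAPTURED = ["804c0103", "802b01", "804c0103", "802b01", "804c0103", "802b01"]

if __name__ == "__main__":
    for d in CAPTURED:
        print(d, "->", describe(d))
```

With three or four bytes per stream the decoder can establish only the framing, the record length and that each stream opens with a CLIENT-HELLO whose version MSB is 3 where that byte was captured; the cipher list, the server response and whether the payload is genuine TLS rather than something merely sent to port 443 are not recoverable from these dumps and need the full pcap.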


Strings