Analysis Date: 2014-08-08 15:35:10
MD5: f00c0284f25358ec22ddd01ed1f913f8
SHA1: 0785d524829d497353097106323aead142f4a20e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 37c2841a5ca24cc2ae7e360f0b2f07f7 sha1: 86ffe76652bc89e350ca1ae55aaa9936ae68a6df size: 55296
Section .rdata: md5: 57a63bf35ef7c806e2d303b36e119d19 sha1: 1efc0665762684a2881b5c2fafe39f64e0cc0bac size: 4096
Section .data: md5: bb0a3cfd3de27fec9c04a0f7dadc379b sha1: 99f514b3d78a6f5a60ca61d18a51314511104791 size: 11776
Timestamp: 2014-06-24 12:37:47
Packer: Microsoft Visual C++ v6.0
PEhash: b47400669e3d9d53a18f9b49683e955cbb33210a
IMPhash: da4f2d72ecc03dc3009734657fa8884d
AV 360 Safe: Trojan.GenericKD.1730845
AV Ad-Aware: Trojan.GenericKD.1730845
AV Alwil (avast): Dyrez-B [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Backdoor.JZPV-2509
AV Avira (antivir): TR/Dldr.Cutwail.BF.6
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Kuluo.r3
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1730845
AV Eset (nod32): Win32/Wigon.KQ
AV Fortinet: W32/Kuluoz.QBS!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1730845
AV Grisoft (avg): Generic36.TWO
AV Ikarus: Trojan-Downloader.Win32.Kuluoz
AV K7: Trojan ( 0009fb6c1 )
AV Kaspersky: Trojan-Downloader.Win32.Kuluoz.qbs
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic Downloader.x!kk
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BF
AV MicroWorld (escan): Trojan.GenericKD.1730845
AV Norman: winpe/Kryptik.CECM
AV Rising: no_virus
AV Sophos: Mal/Zbot-QL
AV Symantec: Downloader.Upatre
AV Trend Micro: TROJ_UPATRE.SMN5
AV VirusBlokAda (vba32): TrojanDownloader.Kuluoz
AV Yara APT: no_virus
AV Zillya!: Downloader.Kuluoz.Win32.769

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dedtolso ➝ C:\Documents and Settings\Administrator\dedtolso.exe\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dedtolso ➝ C:\WINDOWS\System32\dedtolso.exe\\x00
Creates File: C:\Documents and Settings\Administrator\dedtolso.exe
Creates File: C:\WINDOWS\System32\dedtolso.exe
Creates Process: C:\WINDOWS\System32\svchost.exe
Creates Process: /c del C:\0785D5~1.EXE >> NUL

Process
↳ /c del C:\0785D5~1.EXE >> NUL

Creates File: NUL
Deletes File: C:\malware.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Network Details:


Strings