Analysis Date: 2014-06-14 05:30:27
MD5: 17be139b91536d516648f03f8954756a
SHA1: 0c302351a8b4012a50da781cd0337573470a1e87

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b8c7d2b79b6e075fa16186260d8bd8af sha1: 50b868e5d94965ba0e4665f85ea39d0cdc6d53f1 size: 29696
Section .rdata md5: 565cb22cd6726dc339bca282f56eae8e sha1: ffe05cef14f7483f1361b1462b82adc16135556f size: 7680
Section .data  md5: 77c143087e2059e000cb57fd55bc4d44 sha1: 54a8820ad6a9244836f38b93ba06059d6afc517d size: 3584
Section .rsrc  md5: c2fa465e0e954a64921b52fa9faddfea sha1: 17d769c4e82635333e3f4a8c182f0b9f63dbb21a size: 82432
(.rsrc at 82432 bytes is larger than .text, .rdata and .data combined; together with the FindResourceW/LoadResource imports in the Strings section this is consistent with a dropper carrying its payload as a resource, which is what the Avast "Dropper-gen" verdict below suggests, although the page does not show the resource contents.)
Timestamp (PE compile time): 2014-03-27 13:35:30
Packer: Microsoft Visual C++ 8 (this is the PEiD compiler signature for MSVC 2005, not a packer; the CRT messages and plain import names in the Strings section indicate no packing layer was identified)
PEhash: 8115a23048e9e3a70a0037c51422bc6341d122b0
IMPhash: 08d46be45535e62e18ac0f54d769aac6
AV 360 Safe: Trojan.GenericKD.1622241
AV Ad-Aware: Trojan.GenericKD.1622241
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Downloader.EHQJ-6398
AV Avira (antivir): TR/Crypt.Xpack.11304
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail.r4
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1414
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Wigon.PH
AV Fortinet: W32/Cutwail.COG!tr
AV Frisk (f-prot): W32/Trojan2.OEBL (exact)
AV F-Secure: Trojan.GenericKD.1622241
AV Grisoft (avg): SHeur4.BSUQ
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV Kaspersky: Trojan.Win32.Cutwail.cog
AV MalwareBytes: Spyware.ZeuS.GO
AV Mcafee: RDN/Generic Downloader.x!jz
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): Trojan.GenericKD.1622241
AV Norman: winpe/Cutwail.CJR
AV Rising: no_virus
AV Sophos: Mal/Generic-L
AV Symantec: Trojan.FakeAV
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Buzus

Detection summary: 21 of 28 engines flag the file (no_virus means no detection). The six that name a family agree on Cutwail, the spam engine of the Pushdo botnet; Dr. Web's Bulknet and ESET's Wigon are vendor aliases for the same family. The MalwareBytes (ZeuS), Symantec (FakeAV) and VirusBlokAda (Buzus) names are generic or heuristic labels and should not be read as a second family; the runtime and network sections below are what actually settle the classification.

Runtime Details:


Process: C:\malware.exe
  Creates Process: C:\malware.exe

Process: C:\malware.exe (second instance of the same image; the registry, file, mutex and DNS activity listed under it on the page follows)

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\bozlosjorodo ➝ C:\Documents and Settings\Administrator\bozlosjorodo.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\bozlosjorodo.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wsipowerontheweb[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tutuji-saitama[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\d4drmedia[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rueggeberg[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fujino-lab[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\photoclubs[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wsipowerontheweb[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tutuji-saitama[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rueggeberg[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: bozlosjorodo
Winsock DNS: kvadratoff.ru
Winsock DNS: photoclubs.com
Winsock DNS: tutuji-saitama.com
Winsock DNS: brookfarm.com.au
Winsock DNS: urantiaproject.com
Winsock DNS: wsipowerontheweb.com
Winsock DNS: fujino-lab.com
Winsock DNS: bigtopmultimedia.com
Winsock DNS: d4drmedia.com
Winsock DNS: optiver.com.au
Winsock DNS: rea-soft.ru
Winsock DNS: fastarchofamerica.com
Winsock DNS: theartofhair.com
Winsock DNS: choice-select.com
Winsock DNS: plus.ba
Winsock DNS: rueggeberg.com
Winsock DNS: toutenmeuse.com
Winsock DNS: totalearthcare.com.au
Winsock DNS: taykon.com

Reading the runtime data: the sample copies itself to the root of the user profile as bozlosjorodo.exe, registers that copy under the per-user Run key, and takes a mutex of the same name, so one string (bozlosjorodo) ties together the file, registry and mutex artifacts of this build. The name looks generated and should be treated as an indicator for this sample rather than for the family. The Temporary Internet Files and index.dat entries, the WinINet mutexes (WininetConnectionMutex and the c:!...! cache-directory mutexes) and the ProxyEnable/ProxyBypass reads are side effects of fetching pages over WinINet: six of the nineteen Winsock DNS names (wsipowerontheweb, tutuji-saitama, d4drmedia, rueggeberg, fujino-lab, photoclubs) reappear as cached .htm files, three of which are deleted again. The key-container file under Application Data\Microsoft\Crypto\RSA is a CryptoAPI artifact, PIPE\lsarpc is the LSA RPC endpoint and \Device\Afd\Endpoint is Winsock socket creation; none of these is specific to the malware, so detection content should key on the Run value, the dropped copy and the mutex, not on the WinINet noise.

Network Details:

DNS: smtp.glbdns2.microsoft.com (A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (A) ➝ 98.138.105.21
DNS: smtp.live.com (A) ➝ no address recorded on this page (smtp.glbdns2.microsoft.com above is the likely CNAME target)
DNS: smtp.mail.yahoo.com (A) ➝ no address recorded on this page (smtp.mail.us.am0.yahoodns.net above is the likely CNAME target)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25 (smtp.glbdns2.microsoft.com)
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25 (smtp.mail.us.am0.yahoodns.net)

The only traffic captured beyond DNS is outbound SMTP (TCP/25) to Microsoft and Yahoo mail hosts, which is the spam-sending behaviour behind the Cutwail/Pushdo verdicts above. The nineteen Winsock DNS names and the HTTP fetches that produced the cached .htm pages in the runtime section are not reflected in this network summary, so the page does not show what was sent or fetched. For detection, a workstation process that is not a mail client opening TCP/25 to external addresses is a high-signal event on its own; pairing it with the Run-key write above gives a rule with very few benign matches.
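The runtime and network sections above are a flat list of "Key: value" records, and the useful indicators (the Run value, the dropped copy, the sample-specific mutex, the lookups and the port-25 flows) are buried among WinINet noise. The script below, an added example that is not part of the original report or of any sandbox tool, parses such records, filters out the library artifacts, tags the behaviour they describe and emits a minimal Sigma-style registry rule. SAMPLE_REPORT is a constructed subset of this page's entries in that "Key: value" form; the tag names, the WinINet mutex filter and the "two or more SMTP flows" threshold are my assumptions, chosen for this report.

```python
"""Pull host and network indicators out of a sandbox report written as
"Key: value" lines and tag the behaviour they describe.

Added example, not part of the original report. SAMPLE_REPORT is a
constructed subset of the entries on this page; the layout and the
tag vocabulary are assumptions, not any tool's API.
"""
import re

# WinINet takes these mutexes whenever a process uses its URL cache;
# they say nothing about the sample itself (assumed filter).
WININET_MUTEX = re.compile(r"^(WininetConnectionMutex|c:!.*)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
FLOW = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) ➝ (?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_REPORT = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\bozlosjorodo ➝ C:\Documents and Settings\Administrator\bozlosjorodo.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\bozlosjorodo.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\photoclubs[1].htm
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: WininetConnectionMutex
Creates Mutex: bozlosjorodo
Winsock DNS: kvadratoff.ru
Winsock DNS: photoclubs.com
DNS: smtp.glbdns2.microsoft.com
DNS: smtp.mail.us.am0.yahoodns.net
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
"""


def parse_report(text):
    """Split 'Key: value' lines; values may themselves contain ':' (drive letters)."""
    entries = []
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            entries.append((key.strip(), value.strip()))
    return entries


def extract_iocs(entries):
    iocs = {"persistence": [], "dropped_exes": [], "mutexes": [],
            "lookups": [], "smtp_flows": []}
    for key, value in entries:
        if key == "Registry" and RUN_KEY.search(value) and " ➝ " in value:
            reg, target = value.split(" ➝ ", 1)
            if target != "NULL":            # NULL marks a read/query, not a write
                iocs["persistence"].append((reg, target))
        elif key == "Creates File" and value.lower().endswith(".exe"):
            iocs["dropped_exes"].append(value)
        elif key == "Creates Mutex" and not WININET_MUTEX.match(value):
            iocs["mutexes"].append(value)
        elif key in ("Winsock DNS", "DNS"):
            iocs["lookups"].append(value.lower())
        elif key == "Flows TCP":
            m = FLOW.match(value)
            if m and m["dport"] == "25":
                iocs["smtp_flows"].append((m["dst"], int(m["dport"])))
    return iocs


def classify(iocs):
    """Map the indicators to behaviour tags; the verdict rule is a heuristic
    written for this kind of report, not a general classifier."""
    tags = set()
    dropped = {p.lower() for p in iocs["dropped_exes"]}
    for _key, target in iocs["persistence"]:
        tags.add("persistence:run-key")
        if target.lower() in dropped:
            tags.add("self-copy:run-key-points-at-dropped-exe")
    if any(h.startswith("smtp.") for h in iocs["lookups"]):
        tags.add("recon:smtp-server-lookup")
    if iocs["smtp_flows"]:
        tags.add("network:outbound-smtp")
    if "persistence:run-key" in tags and len(iocs["smtp_flows"]) >= 2:
        tags.add("verdict:spam-bot-candidate")
    return sorted(tags)


def sigma_rule(iocs, title="Cutwail sample: Run-key persistence"):
    """Minimal Sigma-style registry_set rule built from the observed Run value
    (Sysmon field names TargetObject/Details, as Sigma uses them)."""
    return {
        "title": title,
        "logsource": {"product": "windows", "category": "registry_set"},
        "detection": {
            "selection": {
                "TargetObject|endswith": ["\\" + k.rsplit("\\", 1)[1]
                                          for k, _ in iocs["persistence"]],
                "Details": [t for _, t in iocs["persistence"]],
            },
            "condition": "selection",
        },
    }


if __name__ == "__main__":
    found = extract_iocs(parse_report(SAMPLE_REPORT))
    for tag in classify(found):
        print(tag)
    print(sigma_rule(found))
```

The mutex filter is deliberately narrow: only the two WinINet patterns seen on this page are dropped, so any other library mutex a different sample takes will surface and has to be triaged by hand rather than silently ignored.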


Strings
\
.CC
 
.
e.
..
..8

                                 H
         (((((                  H
         h((((                  H
KERNEL32.DLL
mscoree.dll
                          
"""""*
*"""**
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
^0}8%T
0A@@Ju
0DDDDD
0DDDDD@D@D
0DDD@D@@DDDDDDDDDDDD
{0hwjI
0SSSSS
0V;xNPB
1T=8\I
*"""#2"""""2""
2""*""*b"&
2 s~IK
31	,Gp
:3@9gV'
3OpfFBE
4DDDDDD@DDD@DDD
{4KQ9T5
/	5*0D|%
5Bag-O
5ml%4^xj
5SIhY(*
67gr)5o
6g>RCZ_
=6rM{;_
7x0dX=
~8Tg3`
8[x#,&Q
>*9b7M
&9H<>f-
9'{Qd&
9Y,^S$
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AD@DDDBH
AD@D@DDD@D
^a,'mS
An application has made an attempt to load the C runtime library incorrectly.
As5[Ii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
aUcoar
August
""""b""""""
BDDDDD
BDD@DDD
"""*&""""""#b'"&k
#""#""b"""""""k
c;1%sP
*"c4k0k
CDD DD
CorExitProcess
- CRT not initialized
]@@@D@@
@.data
DA!xEn{b
D@C$DD
DC@@@DDD
@@D@D@
@DD@@@
D@$@D@
`@DD@D
@@DDD@
@DDD@@
@DDD@@@@
DD@D@@
DDD@@@
?DDDA@DD
@@@@@DDDD
@@DDDD@
@$D@DD@@@@D
@D@DDD
@D@@@DDD
@D@DDD@
@DD@DD
@DDD@D
@DDDD@
D DDD@
D@@DDD
D@D@DD
D@D@<DD
D@DDD@ 
DD@D@D
DD@D@@D
DDDD@@
DDDD@@@
DDDDA@
@DDDDD
@@D@@DDDD
@DD@DDD@
D@DDDD
D@DD@DD
D@DDDD@
DD@DDD
DDD@DD
DDD@D@D
DDD@DD@
DDDD D
DDDD@D
DDDDD@
DDDDD@@
DDDDDD
@DDDDDD
@@DDDDD@D@
@DDDD@DD
@DDDD@D@D
D@DDDDD
DD@DDDD
DD@@DD@D@D
DD@@DDDD@
DD@D@DDD
DD@DDDD@
DDDD@DD
DDDD@D@D
DDDDD@D
DDDDD@@D
DDDDD@D@
DDDDD@D@@
DDDDDD@
DDDDD@D@@CD
DDDDDDD
@DDDDDDD
@D@DD@@DD@DD
@D@DDDDDD@
@DDD@DDDD
DD@DDDDD
DD@DD@DD@D
DDDDD@DD@
DDDDDDD@
DDDDDDD@@
@@DD@DD@D@DD8
@DDD@@@DDDDBDD
DDDD@DDDBD@D@L
DDDDDDDC
DDDDDDDD
@DDD@DDDDD
@DDDDD@@DDD
D@DDDDDDD
DD@DDDDDD
DD@D@DDDDD
DD@D@@DD@DDD
DD@D@D@DDDD
DD@D@D@DD@DD
DD@DDDDDD@
DDD@DDDDD
DDD@@@DDDDD
DDDDD@D@DD
DDDDDD@@@@DD
DDDDDD@D@D
DDDDDDDDB
@DDD@DDD@DDC
DDDDDDDDD
'D@DDDDDD@DD@
@D@DDDDDDD@D
@DDDDDDDD@D@
D@DD@DDDDDD
DD@DDDDDDD
DD@DDDDDDD@
DDD@DDDD@@DD
DDDD@DDDD@D
DDDDD@DDDD
DDDDDD@DDD
DDDDDD@@DDD@
DDDDDDD@DD
DDDDDDDD@D
DDDDDDDD@@D
DDDDDDDDD@
DDDDDDDDD@@@
DDDDDDDDDD
@D@@DD@DDD@DDDD@
@D@DDDD@@DDDDD
@D@DDDD@D@@@D@DDD@
D@D@DD@DD@DDDD
D@DDDDD@DDDD
DD@DDDDDD@DD@@@
DDD@@DDD@DDDD@
DDDDD@D@@@D@@DDD@
DDDDD$DDDDD
DDDDDDD@DDD
DDDDDDDD@DD
DDDDDDDDD@D
DDDDDDDDD@D@
DDDDDDDDDDD
@DDDDDD@DDDDD@
D@DDD@@@DDDDDDD
DD@@DDDDDDDDD
DDD@@DDDDDDDD
DDDDD@DDDDDD
DDDDDD@DDDDD
DDDDDDD@DDDD@
DDDDDDDD@D@DD
DDDDDDDDDDDD
@DDDDDDDDDDDD
@DDD@@@@DDDDD@DDDD
@DDDDD@DDDDDDD
D@DDDDDDDDDDD
DDDDDD@DDDDDD
DDDDDDDDD@DDD
DDDDDDDDDDDDD
D@DDDD@DDDDDDDD
D@DDDDDD@D@DDDDD
DDD@DDDDDDDDDD
DDDDDDDD@DDDDD
@@DD@@DDDDDDDDDDD@A
D@DDDD@DD@DDDDDDB
DDDDDDDDDDDDDD
D@DDDDDDDDDDDDD
DDDD@@DDDDDDDDDD
DDDDDDDD@DD@DDDD
DDDDDDDDDD@@DDDD
DDDDDDDDDDDDD@D
DDDDD@DDDDDD@@@D@DDD
DDDDDDD@DDDD@DDDD
DDDD@@D@DDDDDDD@@D@D@DD
DDD@DDDD@DDDDDD@DDDD
D@DDDDDDDDDDDDDDDDD
DDDD@D@DDDDDDDDDDDDD
DDDDDDD@DDDDDDDDDDD
DDDDDDDDDDD@@DDDDDDD
dDDDDDDDDDDDDDDD@DDD
D@DDDDDD@DDDDDDDD@DD@DD
DDDD@D@DDDDDD@DDDDDD@D@D
DDDDDDDDD@@DDDDDDDD@DD
DDDDD@DDD@DDDDDDDDDDD@D
D@DDDDDDDDDDDD@DDDDDDDDD
DD@DDDD@DDDDDDDDDD@D@DDDDDDDDDDD@D@DDDD @
DDDD@DDDDDDD@DDDDDDDDDDDDDDDDD@DDDDDDDDDD@DD@
D@DDDD@@@DDDDDDDDL
DDDDDDDDDH
DDDDDDDDDJ@
DDDDD@DDD@GD`DDDD@D@DD@DDD
@DDD@DDDDDHP
DDDDDDDE
D@DDDDDE
DDDDDDFD
DD@DDDE 
D$D@DDDE@D@
@DDDDD mdDDDM
D@@DDDE
$@DDD@DI\
dddd, MMMM dd, yyyy
DDDD@T
DDDD@TDD
DD@DE@D
DD@DEDPDDDDD
@DDDLD@DDDDD@@@DD@DDD@DDDD
@DD@HD
@@@DD@PDDDD
DD@PDDDDD
DDT`DDDDDDDDD
@DDTF@D@@
@DD@XD@
December
DecodePointer
DeleteCriticalSection
D@EodDDD
[@@DG 
@DG"(DDD@DD
DkY{,n
D@LDDDD@DDDDD@D
dO)Dqz\
DOMAIN error
D@T@DD
Dz3HZ1[{
@@E@D@
-e%D@tS#
+Ef"\<
EncodePointer
EnterCriticalSection
e@>%Pg0C^d\O
ExitProcess
February
FindResourceW
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
fps=&_b
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
GDI32.dll
GdiGetBatchLimit
GetACP
GetActiveWindow
GetCharWidthW
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDesktopWindow
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetGraphicsMode
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleW
GetOEMCP
GetParent
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemMetrics
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
-H5B/o
+[?H]9b
H@DD@D
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
H/VQ)$
hYPDDD@DDDD
&i138$
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
"""'j/
J\aA_?
JanFebMarAprMayJunJulAugSepOctNovDec
January
j@j ^V
k64iKQ
KERNEL32.dll
k&[Z!IK
LCMapStringA
LCMapStringW
LeaveCriticalSection
l!LW`5
LoadLibraryA
LoadResource
!lWyuJ-
#m2*Hx*
M[[?9x4K
MDDDDD
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
MpQus3b
m^&s)^
MultiByteToWideChar
NDDDD@@@D
@nDDDD@D@DDDDD
@{Nf	TG19
N&it 	
.nj|=p
N<&>n5Y
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
ntVUtO
o1CkuP
O74elu
October
OUGKY0
=O|Yhee
/o?zV	
;/pcKz
 pDDDD@
PjXjXj
Please contact the application's support team for more information.
PPPPPPPP
 pR=CAq
Program: 
<program name unknown>
- pure virtual function call
q!>4kl
Q,//[o[
QueryPerformanceCounter
QueryPerformanceFrequency
:r("	(
r6Geon$
,r6U\'
`.rdata
#r"""""r#&""""#"
RtlUnwind
runtime error 
Runtime Error!
Saturday
sDa&l9
September
SetErrorMode
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
)sf:mYZ
SING error
Sunday
SunMonTueWedThuFriSat
SystemParametersInfoW
;|$ t	C;\$
TerminateProcess
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t"SS9]
t$<"u	3
Tuesday
;t$,v-
t+WWVPV
U#Bz5k
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UQPXY]Y[
URPQQh``
USER32.dll
USER32.DLL
?:utXzG
VirtualAlloc
VirtualFree
v	N+D$
vrw%p?
WC_:)/
Wednesday
WideCharToMultiByte
WriteFile
X`A$Cg
xDc=ButA
XDDD@DD$
.x%dh-
yegLiV
>=Yt1j
'ZO	7mk
ZOv{$^
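Most of the Strings section above is filler (runs such as DDDD@D@D, PPPPPPPP and quote sequences from the binary's data), with the informative strings (KERNEL32.dll and USER32.dll, the imported API names, the MSVC CRT messages and date-format strings, the manifest) scattered among it. The script below is an added triage example, not part of the original report; it filters a strings dump with a few heuristics, buckets what survives into DLLs, API names and free text, and annotates imports worth a second look. SAMPLE_STRINGS is a constructed subset of this page's strings; the thresholds (minimum length, 50 percent single-byte dominance, a three-letter run containing a vowel, 60 percent ordinary characters) and the NOTABLE annotations are my assumptions and will need tuning on other dumps.

```python
"""Triage a raw strings dump so imported API names, DLLs and CRT messages
stand out from byte noise such as "DDDD@D@D" or "PPPPPPPP".

Added example, not part of the original report. SAMPLE_STRINGS is a
constructed subset of the Strings section on this page; the thresholds
are heuristics chosen for this dump and are assumptions to tune.
"""
import re
from collections import Counter

SAMPLE_STRINGS = [
    "DDDDDDDD@D", "@DD@DDD@", "PPPPPPPP", '""""b""""""', "^0}8%T", "0A@@Ju",
    "KERNEL32.dll", "USER32.dll", "IsDebuggerPresent", "SetUnhandledExceptionFilter",
    "FindResourceW", "LoadResource", "VirtualAlloc",
    "- not enough space for environment", "dddd, MMMM dd, yyyy",
    "Microsoft Visual C++ Runtime Library",
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">',
]

WORD = re.compile(r"[A-Za-z]{3,}")           # a run of three or more letters
VOWELS = set("aeiouyAEIOUY")
ALLOWED = set(" _.-/:<>=\"',")               # punctuation that real text uses


def is_meaningful(s, min_len=5):
    """Keep strings that look like text rather than repeated filler bytes."""
    s = s.strip()
    if len(s) < min_len:
        return False
    # "DDDD@D@@DD": a single byte value accounts for most of the string.
    if Counter(s).most_common(1)[0][1] / len(s) > 0.5:
        return False
    # Need at least one pronounceable run of letters (API names, words).
    if not any(VOWELS & set(run) for run in WORD.findall(s)):
        return False
    # Mostly letters, digits and ordinary punctuation rather than symbol soup.
    return sum(ch.isalnum() or ch in ALLOWED for ch in s) / len(s) >= 0.6


def triage(strings):
    return [s for s in strings if is_meaningful(s)]


API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")


def bucket(strings):
    """Sort surviving strings into DLL names, Win32 API names and free text."""
    out = {"dlls": [], "apis": [], "text": []}
    for s in strings:
        if s.lower().endswith(".dll"):
            out["dlls"].append(s)
        elif API_NAME.match(s):
            out["apis"].append(s)
        else:
            out["text"].append(s)
    return out


# Imports worth a second look in this dump (assumed annotations).
# IsDebuggerPresent is also imported by the MSVC CRT for its own error
# reporting, so by itself it is not evidence of anti-debugging; the
# resource APIs matter because .rsrc is the largest section in this binary.
NOTABLE = {
    "IsDebuggerPresent": "CRT imports this too; confirm in a disassembler before calling it evasion",
    "FindResourceW": "resource access; check .rsrc for an embedded payload",
    "LoadResource": "resource access; check .rsrc for an embedded payload",
    "VirtualAlloc": "fresh allocation; common when a payload is unpacked in memory",
}


def notable_imports(strings):
    return {s: NOTABLE[s] for s in strings if s in NOTABLE}


if __name__ == "__main__":
    kept = triage(SAMPLE_STRINGS)
    buckets = bucket(kept)
    print(len(SAMPLE_STRINGS), "->", len(kept), "strings kept")
    for name, why in notable_imports(buckets["apis"]).items():
        print(f"{name}: {why}")
```

The three-letter-run rule is the one that costs recall: short format strings such as HH:mm:ss or MM/dd/yy from this dump fail it and are dropped, so lower the run length or whitelist format patterns if those matter for the case at hand.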