Analysis Date: 2015-11-16 22:04:21
MD5: e0831f08f5f69837e5f8625f327eeabc
SHA1: 0c67c1b449c065be830a9528b894ddcdfb485da0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 44b200f40ae9754044be23da2985ddea  sha1: 5f11f7e009fb2365120c197934cac908d3be6df0  size: 3072
Section .rdata  md5: 9f54fed295c5bf23b793d759a4f7f487  sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b  size: 1024
Section .data  md5: 1205206d88340b9f0289fd001fabb56c  sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b  size: 1536
Section .rsrc  md5: 86368315a71d57d4a885f92c67d82135  sha1: e6927a24869932121e9ce7dee189b7621f234e54  size: 40960
Timestamp: 2014-06-17 19:22:32
Version info:
LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: aa08b345557f392f5cf9a25e767913eb6eda649a
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Authentium: W32/Trojan.KVRV-1821
AV MalwareBytes: Trojan.Agent.ED
AV Dr. Web: Trojan.DownLoad3.40088
AV Grisoft (avg): Agent
AV Eset (nod32): Win32/Kryptik.CEET
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Trend Micro: TROJ_CUTWAIL.SM8
AV ClamAV: no_virus
AV Twister: Trojan.DOMG.bszi
AV BitDefender: Trojan.Dropper.Agent.VNI
AV Avira (antivir): TR/Dropper.Gen
AV Alwil (avast): Kryptik-NXT [Trj]
AV Fortinet: W32/Kryptik.CEET!tr
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV Ikarus: Trojan.Dropper.Agent
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): Trojan.Cutwail
AV Arcabit (arcavir): Trojan.Dropper.Agent.VNI
AV McAfee: Downloader-FAKN!E0831F08F5F6
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Symantec: no_virus
AV K7: Trojan ( 0049b9671 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.Dropper.Agent.VNI
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Dropper.Agent.VNI
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xanyledqirhe ➝ C:\Documents and Settings\Administrator\xanyledqirhe.exe
Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File C:\Documents and Settings\Administrator\xanyledqirhe.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rcainc[1].htm
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex xanyledqirhe
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS dphp.net
Winsock DNS aldacos.net
Winsock DNS agro-pro.com
Winsock DNS chaseinternet.com
Winsock DNS hsanmiguel.com
Winsock DNS nyack55.com
Winsock DNS cokocoko.com
Winsock DNS williamsphc.com
Winsock DNS arice.net
Winsock DNS sigmaflex.com
Winsock DNS soko.nl
Winsock DNS marianaresort.com
Winsock DNS 100-fold.com
Winsock DNS ocdburgos.org
Winsock DNS rcainc.biz
Winsock DNS lee-square.com
Winsock DNS sormpack.com
Winsock DNS hornetinc.com
Winsock DNS peterday.co.uk
Winsock DNS lagranmanzana.es

Network Details:

DNS smtp.glbdns2.microsoft.com  Type: A  65.55.176.126
DNS smtp.mail.global.gm0.yahoodns.net  Type: A  98.138.105.21
DNS smtp.mail.global.gm0.yahoodns.net  Type: A  98.139.211.125
DNS smtp.mail.global.gm0.yahoodns.net  Type: A  63.250.193.228
DNS smtp.live.com  Type: A
DNS smtp.mail.yahoo.com  Type: A
Flows TCP 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP 192.168.1.1:1032 ➝ 98.138.105.21:25
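The rows above are raw sandbox output. The Python below is an added example written for this page, not code from the original report or from the sandbox that produced it. It parses a constructed excerpt of the runtime and network rows (copied from the listing above) into IOC categories and derives the findings a responder would act on: the dropped copy registered for persistence under the HKCU Run key, the same-named mutex, the WinINet cache entry tied to rcainc.biz, and the outbound TCP/25 flows that fit the Cutwail spam-bot labels several vendors assign. The label set, the cache-name-to-domain heuristic, and the two row layouts it accepts ("Label value" on one line, or the fused "LabelValue" form with a registry value on the following line) are assumptions about the report format.

```python
import re

# Constructed sample input: an excerpt of the runtime/network rows listed above.
# The sandbox also emits rows with the label fused to the value ("Creates FileC:\...")
# and with a registry value on the line after its key; parse_report() accepts both.
REPORT_LINES = [
    r"Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xanyledqirhe ➝ C:\Documents and Settings\Administrator\xanyledqirhe.exe",
    r"Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL",
    r"Creates File C:\Documents and Settings\Administrator\xanyledqirhe.exe",
    r"Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rcainc[1].htm",
    r"Creates File PIPE\lsarpc",
    "Creates Mutex xanyledqirhe",
    "Creates Mutex WininetConnectionMutex",
    "Winsock DNS rcainc.biz",
    "Winsock DNS dphp.net",
    "Flows TCP 192.168.1.1:1031 ➝ 65.55.176.126:25",
    "Flows TCP 192.168.1.1:1032 ➝ 98.138.105.21:25",
]

# Row labels the report uses (assumed to be the complete set for these sections).
LABELS = ("Registry", "Creates File", "Creates Mutex", "Winsock DNS", "Flows TCP")
FLOW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) ➝ (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def split_label(line):
    """Return (label, value) for a report row; the value may be fused to the label."""
    for label in LABELS:
        if line.startswith(label):
            return label, line[len(label):].lstrip(": ")
    return None, line


def parse_report(lines):
    """Collect the rows into IOC categories: registry writes, files, mutexes, DNS, flows."""
    iocs = {"registry": {}, "files": [], "mutexes": [], "dns": [], "flows": []}
    pending_key = None  # set when a Registry row's value sits on the next line
    for raw in lines:
        line = raw.strip()
        if pending_key is not None:
            iocs["registry"][pending_key] = None if line == "NULL" else line
            pending_key = None
            continue
        label, value = split_label(line)
        if label == "Registry":
            key, _, val = value.partition("➝")
            key, val = key.strip(), val.strip()
            if val:
                iocs["registry"][key] = None if val == "NULL" else val
            else:
                pending_key = key
        elif label == "Creates File":
            iocs["files"].append(value)
        elif label == "Creates Mutex":
            iocs["mutexes"].append(value)
        elif label == "Winsock DNS":
            iocs["dns"].append(value.lower())
        elif label == "Flows TCP":
            m = FLOW_RE.match(value)
            if m:
                iocs["flows"].append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return iocs


def assess(iocs):
    """Derive the behavioural findings the raw rows only imply."""
    findings = {"persistence_run_key": None, "persistence_binary": None,
                "persistence_binary_dropped": False, "single_instance_mutex": False}
    # Run-key persistence: a non-empty value written under ...\CurrentVersion\Run.
    for key, value in iocs["registry"].items():
        if value and RUN_KEY_RE.search(key):
            findings["persistence_run_key"] = key
            findings["persistence_binary"] = value
            # The same path under Creates File means the sample dropped the binary itself.
            findings["persistence_binary_dropped"] = value in iocs["files"]
            # A mutex named after the Run value is the usual single-instance guard.
            findings["single_instance_mutex"] = key.rsplit("\\", 1)[-1] in iocs["mutexes"]
    # Outbound TCP/25 from an ephemeral client port is the network signature of a spam bot.
    findings["outbound_smtp_hosts"] = sorted({dst for _, _, dst, dport in iocs["flows"] if dport == 25})
    # Heuristic (assumption): WinINet names a cached page after the host when the URL path
    # is "/", so "rcainc[1].htm" points at the resolved domain whose first label is "rcainc".
    stems = {f.rsplit("\\", 1)[-1].split("[")[0].lower() for f in iocs["files"] if f.lower().endswith(".htm")}
    findings["fetched_domains"] = sorted(d for d in iocs["dns"] if d.split(".")[0] in stems)
    return findings


if __name__ == "__main__":
    for name, value in assess(parse_report(REPORT_LINES)).items():
        print(f"{name}: {value}")
```

Run it directly to print the findings. The same two functions can be pointed at the full listing, including every Winsock DNS row, to produce a blocklist and a host-based detection (Run value plus mutex name) for this sample.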
