Analysis Date: 2015-04-10 11:35:21
MD5: 0fb3da24d3dd090e3a5c85970a0066fa
SHA1: 0d4348406eb15eee6caad046f41157eead109c7d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7345b08c68f1e0fca9b4d51538b87f68, sha1: a00be21143010408741a298a1a9a025098342dc8, size: 1024
Section .rdata: md5: 3b7e67fb1ccbaf9bb4216814816e91ba, sha1: a504a5735b53f6fc5724d26ba09482a9b5a539e1, size: 1024
Section .data: md5: 8589a20c5b7c3de3ece563f3962530f5, sha1: a560db31a64b2cb913c2f420f09dd8019f05ca82, size: 1024
Section .rsrc: md5: 320776e1c1baeaa15055f5ff2c033149, sha1: 3ea2c2b84ca5eba1cd1741423027d3b806a6f0a1, size: 46080
Timestamp: 2014-06-30 05:06:14
Version:
LegalCopyright: Copyright (C) 2009
InternalName: genius
FileVersion: 8,2,3,23
ProductName: genius Application
ProductVersion: 2,3,3,22
FileDescription: genius Application
OriginalFilename: genius.exe
PEhash: ca45666d438e227d012b6c683e2462c9e187cf30
IMPhash: f0855f86d5b3050322afa714b88b2ec1
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Graftor.144167
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.144167
AV Authentium: W32/Trojan.EAOO-0319
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Graftor.144167
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop3.14959
AV Emsisoft: Gen:Variant.Graftor.144167
AV Eset (nod32): Win32/Kryptik.CFVL
AV Fortinet: W32/CUTWAIL.BG!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Graftor.144167
AV Grisoft (avg): Agent
AV Ikarus: Trojan.Win32.Crypt
AV K7: no_virus
AV Kaspersky 2015: Trojan.Win32.Cutwail.dpb
AV MalwareBytes: Trojan.Agent.US
AV Mcafee: Downloader-FAKU!0FB3DA24D3DD
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Graftor.144167
AV Rising: no_virus
AV Sophos: Troj/Cutwail-BG
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\danfyxqibyde ➝ C:\Documents and Settings\Administrator\danfyxqibyde.exe
Creates File: C:\Documents and Settings\Administrator\danfyxqibyde.exe
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: danfyxqibyde

Process
↳ C:\WINDOWS\system32\svchost.exe

Network Details:


Strings

041904b0
2,3,3,22
8,2,3,23
absolutely
accordingly exactly
adore pregnant ashamed
&always
&and--always surrender
apparently better
&appealed anything
beauty fruition windows
because people
Behind
between
&brute Elizabethan
business
Carr?? tenderness
church
&clever
completely
complying geography present
consider London sense casual
contained
Copyright (C) 2009
costume morrow
counted
cousins appearance
Dashwood
decent
demanded interesting
&desultory completely
different seeing
discomfort
distinctness seeing
document pittore
effect feelings
encourage brush
entanglements
everything
exclaim personage reason Peter2moment fairest elected haunted things Carr?? words
expressed sociable
FileDescription
FileVersion
genius
genius Application
genius.exe
gentlemen disappointment old-fashioned paint
greeted painter return gesture
happened
hard--it somewhere again
&her--he
holiday
Hoppuss observe yours speaking
&INDEMNITY
interlocutor
InternalName
&irritation
judged cousins--their
&knowledge
&knowledge intimacy;
least
LegalCopyright
&leisure spoken
&lovely
manners elements
&married triumph
matrons
method remember
moment
month bazaar
mother cleared
mother theatre Shakespeare
MS Shell Dlg
&opined
OriginalFilename
&other manifestation
otherwise
panels
people unmolested
Peters
&possibilities
ProductName
ProductVersion
&profanity that--he
&profit wished
&proved simple
public
question
quickly
&rather mother
&really
receiving London creations
&revelations magnificently
RichEdit20A
&Rosedale
'Rosedale things custom minute professed
&sentiment
+should ambitions--tremendous talked bargain%daughter say--Nick particular freedom
sitting
smiling stared;
&sort--I
statutes
Still
StringFileInfo
studio
&studio
sufficient things feared
SysListView32
Tahoma
theatre
&things
things brightly
&thought laughed
to-day
toward there sister inconsistent
Translation
travelled trifler
truths
turned
VarFileInfo
vision
visit presumably
volition(though particular vague moreover thought'lighter mirror everything on--in critic
voracity derive dropped strictness
VS_VERSION_INFO
weaken myself
whether
wonderful
would Calcutta
&would individually
wounds; Dormer
&write
CreateWindowExA
@.data
DefWindowProcA
DispatchMessageA
FindResourceA
gatFFwewqyt qwje
GetCurrentThreadId
GetMessageA
GetModuleHandleA
GetProcessHeap
HeapAlloc
kernel32.dll
KillTimer
LoadCursorA
LoadIconA
LoadResource
PostQuitMessage
`.rdata
RegisterClassExA
SetTimer
ShowWindow
svchost
!This program cannot be run in DOS mode.
TranslateMessage
UpdateWindow
user32.dll