Analysis Date: 2014-03-10 16:32:43
MD5: d79cdffdc32257df0a9ddd8b5b8a6911
SHA1: 0ddeb00d79a1a1c390994bc0a9109e8497bed3eb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 88ea1df32c1f8f210f5724d220bbc596 sha1: e90b1935472697b27b177748cc2f2ba27ca2146e size: 48128
Section .rdata: md5: dc4b2c791be0f4c80e7241221674ed1e sha1: c4ded873438ef331eb416e59ffa4e69cdc0cf43b size: 16896
Section .data: md5: 07cb54846a57fc2b38d68f9525279bea sha1: d0ee23f91f9ffb7ccd08621e0f409b0e0c5f3bb4 size: 3072
Section .rsrc: md5: 56c08f92bb24fb0ac5a257fcb0968f03 sha1: 0814d857c2fb26b19513a1da22fa2757a3c568dc size: 512
Section .trdata: md5: ea703f461580295ae397db1e9c6736fc sha1: be76d9799ec7dbdce59e59f9a54d17ba8d0aadba size: 20480
Timestamp: 2012-06-27 21:25:07
PEhash: 8e3b2502fc51c5dda045475ef3c22669492d8143
IMPhash: 1fd08a9a9ade1c57b4a034bae710407a
AV (avira): W32/Sality.Q
AV (avg): Win32/Sality
AV (clamav): W32.Sality.Q-1
AV (mcafee): W32/Sality.x
AV (msse): Virus:Win32/Sality.R

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Client Server Runtime Process ➝
C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\BC Clients\0 ➝
.{RM#"'$H/::l <-\\x8dR+=8(<.^]O-!(< ^5<(8. U,1>%%"3=D. iH &(1R7:8$?z\\x9f]-:>2!gH9+
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process ➝
C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process ➝
C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe\\x00
Creates File: C:\WINDOWS\system32\vcmgcd32.dl_
Creates File: C:\KUKU300a
Creates File: C:\WINDOWS\SYSTEM.INI
Creates File: C:\Documents and Settings\Administrator\Application Data\svchost.exe
Creates File: PIPE\SfcApi
Creates File: C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe
Creates File: C:\WINDOWS\system32\vcmgcd32.dll
Creates File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\ADOBE\READER 9.3\SETUP FILES\READER9\Setup.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\System32\rundll32.exe
Deletes File: C:\KUKU300a
Creates Process: C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Host-process Windows (Rundll32.exe) ➝
C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\BC Clients\f ➝
\\x9f
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) ➝
C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) ➝
C:\Documents and Settings\Administrator\Application Data\System32\csrss.exe\\x00
Creates File: C:\WINDOWS\system32\vcmgcd32.dl_
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\malware.exe
Creates Mutex: YAHWKKS65HAKSDJA
Winsock DNS: smtp.mail.ru
Winsock DNS: smtp.live.com

Network Details:

DNS: lb1.www.ms.akadns.net
Type: A
65.55.57.27
DNS: www.he3ns1k.info
Type: A
166.78.144.80
DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.172.254
DNS: smtp.mail.ru
Type: A
217.69.139.160
DNS: smtp.mail.ru
Type: A
94.100.180.160
DNS: www.g1ikdcvns3sdsal.info
Type: A
166.78.144.80
DNS: www.microsoft.com
Type: A
DNS: smtp.live.com
Type: A
Flows TCP: 192.168.1.1:1034 ➝ 166.78.144.80:80
Flows TCP: 192.168.1.1:1036 ➝ 65.55.172.254:25
Flows TCP: 192.168.1.1:1037 ➝ 217.69.139.160:25
Flows TCP: 192.168.1.1:1038 ➝ 85.17.87.33:7000
Flows TCP: 192.168.1.1:1039 ➝ 166.78.144.80:80
Flows TCP: 192.168.1.1:1040 ➝ 166.78.144.80:80

Raw Pcap

Strings
$.$....
.l..
S.
.
.lG
..
Ss~|
Uc=}G
                          
56`$2XG/
<,6E]m
6NyH'.R
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
a%;~P'6
</assembly>PA
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
-a"Vb|
BeginDeferWindowPos
Br0{v1
>,]~c0
CloseHandle
CompareStringA
CompareStringW
ConvertDefaultLocale
CreateEventW
CreateFileA
CreateFileW
CreateProcessA
D[A9!G;
,d\}aesx
@.data
DecodePointer
DeleteCriticalSection
DestroyCaret
DestroyWindow
DrawTextW
DuplicateHandle
Dy`@qde
eD0LdZ
EnableMenuItem
EncodePointer
EnterCriticalSection
EnumSystemLocalesA
}e@pnu
EUt~EF
|<EWES
Ew mHlj
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
	fJYaA
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetActiveWindow
GetCommandLineA
GetConsoleCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatA
GetDateFormatW
GetDesktopWindow
GetDlgCtrlID
GetDoubleClickTime
GetEnvironmentStringsW
GetEnvironmentVariableA
GetExitCodeProcess
GetFileInformationByHandle
GetFileType
GetForegroundWindow
GetLastError
GetMenuItemCount
GetMenuState
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNextDlgTabItem
GetOEMCP
GetParent
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSysColor
GetSystemDefaultLCID
GetSystemTimeAsFileTime
GetTempFileNameW
GetTickCount
GetTimeFormatW
GetTimeZoneInformation
GetUserDefaultLCID
GetVersionExA
GetVolumeInformationA
GetVolumeInformationW
GetWindowLongW
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
InvalidateRect
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
;J%$Q:
jVQH%,
j"} w@
KERNEL32.dll
%KQJ}:
LCMapStringW
LeaveCriticalSection
$LE}UX
LoadLibraryA
LoadLibraryW
LocalFileTimeToFileTime
:M9fsd
Majtw(
MessageBoxW
ModifyMenuW
MoveFileA
MultiByteToWideChar
O{GR0<
o{W8'18
-P},iV)$
QueryPerformanceCounter
.rdata
RealChildWindowFromPoint
RedrawWindow
ReleaseCapture
RemoveDirectoryA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
]rtHu<:
RtlUnwind
    </security>
    <security>
SendDlgItemMessageW
SetConsoleCtrlHandler
SetConsoleMode
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetFileTime
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
Suwsic
sw@e\1
TabbedTextOutW
TerminateProcess
!This program cannot be run in DOS mode.
$TlAigtle
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
@.trdata
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
ulIykC
UnhandledExceptionFilter
USER32.dll
VirtualAlloc
VirtualFree
VirtualProtect
W_:^@^
WideCharToMultiByte
W$mxit
WriteFile
}XivEu
YR7kx@
zLBR~g