Analysis Date: 2014-06-06 06:40:42
MD5: 9fc0960292e9eeca456782375044d682
SHA1: 10a1c8441925cc75267aa742ff2413acb4a0e1e8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: b95083aa3d991baeb313f379ae5a7e00 sha1: 34e6dbfea7b24bee7f27f8435bbbd84aa66df8f7 size: 260096
Section DATA md5: 29b186043114e092a99a68887d1f2d3e sha1: 812429f7a2343c642c224a4ea712af0041779caf size: 8192
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 7e559423e73cdf3770ac8530422c0af8 sha1: 6e18b07726aaee52e125df0943ebcd1110440c4f size: 1536
Section .reloc md5: 2976e9911fe8af0067cb5640b37a990d sha1: e5738ddd23109f583fa22efdf5bf5c7c80e17f8d size: 4096
Section .rsrc md5: ff6c29654e8999121a5aca01df7e2c69 sha1: 2ee09858e35c5f3e40a6f309a1567c1c6cccece2 size: 18944
Timestamp: 1992-06-19 22:22:17
VersionLegalCopyright: C o p y fi g h t © 2007 - 2011 P i r i f 4 m L t d .
ProductName: N e 4M e e i n g
FileDescription: N er Me sti g® I ns grrr ll er
FileVersion: 3.3.0.1
CompanyName: P i gr r m Lrrr t d .
PEhash: f9871ed86e6043b2b1c143c724db86fa478a8eda
IMPhash: 732ccd55f17fef2dc0307afc88be578c
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.370381
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.LoadMoney.262
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CCXI
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.370381
AV Grisoft (avg): Win32/DH.FF8400F4{Mw}
AV Ikarus: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Agent.henb
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.370381
AV Norman: winpe/Kryptik.CDIC
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: tear

Process
↳ tear

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: forces.mindmagazine.ru

Network Details:

DNS: forces.mindmagazine.ru
Type: A
5.254.120.124
HTTP GET: http://forces.mindmagazine.ru/get_json?stb=4&did=866019670&file_id=38691791
User-Agent: Downloader 1.3
HTTP GET: http://forces.mindmagazine.ru/get_json?stb=4&did=866019670&file_id=38691791
User-Agent: Downloader 1.3
HTTP GET: http://forces.mindmagazine.ru/launch_error?text=can't%20get%20info:%20Error%20HTTP%20status%20404
User-Agent: Downloader 1.3
Flows TCP: 192.168.1.1:1031 ➝ 5.254.120.124:80
Flows TCP: 192.168.1.1:1032 ➝ 5.254.120.124:80
Flows TCP: 192.168.1.1:1033 ➝ 5.254.120.124:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 5f6a736f 6e3f7374   GET /get_json?st
0x00000010 (00016)   623d3426 6469643d 38363630 31393637   b=4&did=86601967
0x00000020 (00032)   30266669 6c655f69 643d3338 36393137   0&file_id=386917
0x00000030 (00048)   39312048 5454502f 312e310d 0a557365   91 HTTP/1.1..Use
0x00000040 (00064)   722d4167 656e743a 20446f77 6e6c6f61   r-Agent: Downloa
0x00000050 (00080)   64657220 312e330d 0a486f73 743a2066   der 1.3..Host: f
0x00000060 (00096)   6f726365 732e6d69 6e646d61 67617a69   orces.mindmagazi
0x00000070 (00112)   6e652e72 750d0a43 61636865 2d436f6e   ne.ru..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f676574 5f6a736f 6e3f7374   GET /get_json?st
0x00000010 (00016)   623d3426 6469643d 38363630 31393637   b=4&did=86601967
0x00000020 (00032)   30266669 6c655f69 643d3338 36393137   0&file_id=386917
0x00000030 (00048)   39312048 5454502f 312e310d 0a557365   91 HTTP/1.1..Use
0x00000040 (00064)   722d4167 656e743a 20446f77 6e6c6f61   r-Agent: Downloa
0x00000050 (00080)   64657220 312e330d 0a486f73 743a2066   der 1.3..Host: f
0x00000060 (00096)   6f726365 732e6d69 6e646d61 67617a69   orces.mindmagazi
0x00000070 (00112)   6e652e72 750d0a43 61636865 2d436f6e   ne.ru..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6c6175 6e63685f 6572726f   GET /launch_erro
0x00000010 (00016)   723f7465 78743d63 616e2774 25323067   r?text=can't%20g
0x00000020 (00032)   65742532 30696e66 6f3a2532 30457272   et%20info:%20Err
0x00000030 (00048)   6f722532 30485454 50253230 73746174   or%20HTTP%20stat
0x00000040 (00064)   75732532 30343034 20485454 502f312e   us%20404 HTTP/1.
0x00000050 (00080)   310d0a55 7365722d 4167656e 743a2044   1..User-Agent: D
0x00000060 (00096)   6f776e6c 6f616465 7220312e 330d0a48   ownloader 1.3..H
0x00000070 (00112)   6f73743a 20666f72 6365732e 6d696e64   ost: forces.mind
0x00000080 (00128)   6d616761 7a696e65 2e72750d 0a436163   magazine.ru..Cac
0x00000090 (00144)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000a0 (00160)   61636865 0d0a0d0a                     ache....


Strings
.
.
I.
N..L
.
.h.
.
.
.
..
.\
c
$.
X
.
..
o
.
.
...Y
t(
.
V
8
...8...
.
8.V
8
V
8
...[e..
.
.V
.
V
...8
...e
V
.
V
8.
V
4

00000003
02_x5dt2
  2007 - 2011 P i   r i f 4 m   L t d .  
2m+g wrqn bv7nk
3.3.0.1
355#0yxmr 7
5jduwni_hhzvia8c
72g 4vdrp
7sxus3v+vadaj
9cff6a4eu
&Auto Size Columns	Ctrl+Plus
Choose Colum&ns
CompanyName
&Copy	Ctrl+C
C o p y fi g h t   
cz9y#2uf
&Deselect All	Ctrl+D
e4+2_t6b
&Export TCP/IP Streams	Ctrl+E
FileDescription
FileVersion
&HTML Report - TCP/IP Streams
 I ns grrr ll er
&IPNetInfo	Ctrl+I
k#59#wxv#xqv  czwaam
l+4-nl3o5
LegalCopyright
lqpgcg0x
mmp8bltzqytlwda3fi
Move &Next	F8
Move &Previous	F7
N e 4M e e   i n g
N er  Me sti   g
P i gr   r m Lrrr   t d .
Popup1
Popup2
ProductName
S&ave Packet Summaries 
Select &All	Ctrl+A
StringFileInfo
sv6ei5+o45
Translation
VarFileInfo
VS_VERSION_INFO
>">(>.>
0&0,02080C0N0T0Z0`0j0y0
0(0.080>0D0J0Q0^0c0j0u0
0$010;0A0_0j0p0v0|0
0#020?0E0K0U0[0a0f0l0}0
0AW6!&
0`DATA
;#;);0;E;N;T;a;p;v;|;
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
0?q}6L
!)0t1U
 0UwqwrS
<%<+<1<:<
110824000000Z
1!1'191F1L1R1f1
1$141:1B1M1X1^1d1j1t1
1(161<1C1M1S1Y1f1l1t1
12181>1D1J1R1]1c1q1z1
1231821
140424000000Z
140527224838Z0
150424235959Z0
190709184036Z0
1E?Y!'qG.
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
]^,@1X
200530104838Z0{1
2%2+20272A2G2M2S2
2"2(22282@2F2M2V2]2d2l2s2
2)2/252B2H2N2h2m2x2
2!242C2R2X2c2m2s2y2
262;2F2K2^2c2n2s2{2
; ;&;,;2;9;A;F;K;P;`;k;q;w;};
?"?(?.?2?=?C?J?Q?_?e?k?u?{?
2kcT|@
2n'-,Q6Y
3*30363@3G3V3c3m3s3}3
3 3)3/363=3C3I3O3U3_3k3q3w3
3"3(3/373K3
3!3'363>3F3N3V3^3f3n3v3~3
3%3C3I3O3d3j3r3w3
?(?3?9???E?O?U?
=3DIy8Z
]$*3}m
3m]rn4
`3R*`'\
3^VH_B<
4"40464<4C4M4R4i4s4y4
4 4&434<4B4K4Q4V4a4j4p4w4~4
4 4&4:4B4H4L4S4^4j4t4z4
4!4)4/4Y4`4
4&4.464>4F4N4V4^4f4n4v4~4
4&494L4_4r4
<4=:=B=H=\=j=p=w=
<"<(<.<4<><D<I<Y<`<h<p<y<
, 4&FiP
=#=*=4=:=@=F=M=U=[=b=k=s=
=(=.=4=;=M=T=b=h=n=w=~=
4QK+hoo
:":(:.:4:::@:x:~:
5+51585@5F5Q5W5]5
5$5*505:5@5K5Q5X5^5d5j5|5
5(5.545:5D5M5U5Z5a5n5{5
5!5'5-515B5T5Z5`5f5l5r5v5z5~5
5)5/5B5G5R5_5j5v5
5'575G5W5g5
5cGvyR
?)?5???E?O?U?[?a?h?
?)?5???E?O?U?[?a?h?p?y?
}]5HnS
5"I\(A
5okY|~
5-S'*|
6'0yIOd
6'616;6D6J6P6V6\6p6v6
6"6*606;6G6Q6W6a6g6m6s6z6
6&6.646n6v6
6"6)6/656;6B6V6b6m6y6
6"6&6*6.626
6#6)6/696?6E6K6T6\6a6h6n6y6
6ewH\i
!6 str. 2 Komn 8, ul.Shchukinskaya1!0
-,6~*x
6yTw:vU!
7;56 D
75<@<I<O<U<]<d<n<t<
7%7*71787A7I7O7U7^7q7v7
7!7&7,72787H7N7X7c7i7o7v7~7
7!787A7G7M7X7b7h7r7x7
7\7o7x7~7
7^8d8j8
=7>A>I>O>V>^>c>
7qYOiS
7Y 	_#&U
8[1i;!
(84MKh
8"848:8C8H8M8T8Z8d8m8r8x8~8
8"8,818
8K8U8^8d8j8t8
990709183120Z
9&90969C9M9U9[9e9o9x9
9$9*90969<9F9P9W9a9m9s9y9
9$9*989>9D9J9P9W9
9&9,999C9I9
AddAtomA
advapi32.dll
<A<G<M<Y<_<h=n=u=|=
>*>;>A>G>N>V>q>z>
:':-:A:L:X:b:h:r:x:~:
AreAnyAccessesGranted
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
B1/$}K
$*BbmF
BeginPaint
<B<H<N<d<j<v<|<
:BIHxMP
b-%Mr7
*}b$*o
.ccW/r_B
C^@<g{
C_ mi"";p
CO2>{A
COMODO CA Limited1!0
COMODO Code Signing CA 2
COMODO Code Signing CA 20
cQm!':
CreateFileMappingA
CreateJobObjectW
CreateNamedPipeA
cTaOH`
~'cu8?
~>CWu@
CY}|D!
DeactivateActCtx
DefFrameProcW
    </dependency>
    <dependency>
    </dependentAssembly>
    <dependentAssembly>
    <description>Stickies - note taking software</description>
d(ik]6
DisconnectNamedPipe
>!>D>J>e>
D{[!*{M
:%:+:::D:N:
D{[ )|N
"(@Dp+0
+;DQ!V"
DsxtZl
DV8S$}
dxS?lG
EE9Ivx
ejqs"a
EngFillPath
E+UdN3
evIehB5
F}^1)|K
,F2|3x"SG
; F2zBZ
F6RFXH
f%7mTWY
-f9ufWu
FileTimeToSystemTime
FindActCtxSectionStringA
FindClose
fJFhN`
>$>*>F>L>R>W>]>o>u>{>
f_M^R?
FmS?#G
FreeEnvironmentStringsW
fSD>3]{
F#yl-`"
gdi32.dll
GDI32.DLL
GdiComment
GdiGetBatchLimit
GdiInitializeLanguagePack
GetBinaryTypeA
GetCaretBlinkTime
GetCommandLineW
GetComPlusPackageInstallStatus
GetConsoleTitleA
GetCurrentProcessId
GetDevicePowerState
GetDiskFreeSpaceW
GetFileSecurityA
GetGlyphOutlineW
GetICMProfileW
GetPath
GetProcessTimes
GetProfileIntA
GetProfileSectionA
GetRgnBox
GetStartupInfoA
GetStringTypeExW
GetTextMetricsA
GlobalUnWire
Greater Manchester1
g Xo(:
_gY 62
h0Z"bl
h<5r2M
HeapLock
HeapWalk
Hg@"oY[
$!HJB/
Hlax"^&OEu
;#;-;>;H;O;V;^;d;j;q;w;
Hqpl2R
#Hsv^I?o
http://ocsp.comodoca.com0#
http://ocsp.usertrust.com0
https://secure.comodo.net/CPS0A
http://www.usertrust.com1
i3B=_S
?)IB.8	l
.idata
iM\\E+
Information services OOO0
Information services OOO1!0
IsDBCSLeadByte
I.=Y!j
/<	J,5
j&9W41F
jbU$7a
jRDg2n
j>SpAy
JVU7Mu~
j#`Xf9
k2/gbh
/k2l=:70
, k=3	
k8L`LN
kernel32.dll
KERNEL32.DLL
kH>K9-
kM+Gm 
\k~S#Zd
K&U/W?
         language="*"
!lcn|7
          level="requireAdministrator"
LoadLibraryW
loc$>JT2
LockFileEx
LockResource
lstrcmpiW
lstrcpyn
 l]y"(V
MhDLHa
!;M>iou
Moscow1
Moscow1*0(
;";M;S;Z;`;f;l;r;};
MulDiv
N4&D\|qZ
         name="Microsoft.Windows.Common-Controls"
    name="Zhorn.Stickies.Stickies"
nkmw6i
n-!Vk9
O#0b]s'
OffsetRgn
OpenJobObjectW
Op*LAr1
O;q]pc
OS>!\0
OUQ4VQ
%`$O<X
% _~%P
)p\4$>
p b&h;VX
}Pc@Q8
PNnZx%
         processorArchitecture="X86"
    processorArchitecture="X86"
P.rsrc
         publicKeyToken="6595b64144ccf1df"
P;v`uT
PzD~	^
'>#{^q
Q7.WW']
!-Q}8k
}qbD;ln
@QLE?;@
qM%ne[ij/
qO}bi4
)*Q||Q
Q*:uFTRe
ReadConsoleOutputAttribute
ReadConsoleOutputW
.reloc
RemoveVectoredExceptionHandler
        <requestedExecutionLevel
      <requestedPrivileges>
        </requestedPrivileges>
r[mNh=
+{r>o+
'S3d_D
s3}QXf
<s9({g
Salford1
Salt Lake City1
S#a[Y>
    <security>
       </security>
SetCommState
SetCurrentDirectoryA
SetLocalTime
SetMagicColors
@'S#U{
support@info-services.ru0
;S?VB*J
	T@^@=
The USERTRUST Network1!0
%thhDuR2
This program must be run under Win32
<tJ9dq
)T!*n{
  </trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
tU8H+V2
@tW#+{N
T>X>\>`>d>h>l>p>t>x>|>
Tx%*{Q
         type="win32"
    type="win32"
U/757^
u/8=  D
uc2U*+
uDBb`:
u+?f&FW
          uiAccess="false"/>
UKK\%,
}Ul)>8
user32.dll
UTN-USERFirst-Object0
=uV*2{R
U'wEsr
v7(_M|+R
VAvQ]^
    version="1.0.0.0"
         version="6.0.0.0"
VirtualUnlock
>vV&+yM
.W@4GF)
weF.dU
w	N=!\
WOD^hR/
WriteConsoleOutputA
:|Wt;wU
wyR+u7/
XaD|c4
&XFbyT
xiLD-j
XJ2l1|[
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xoN,o!
XvcvEe
yFMz;B
yNpnxi
y-xQ88
z127+M
z#}70.
Zb|Til#
[z?}_L
z@LO+&C"2
zMxd=6
^Z:sR	?
ZxaYS!g