Analysis Date: 2014-06-16 07:19:26
MD5: a1d80ed250788260ffd66258555a4876
SHA1: 10b81c2cdc4a7d645f9058c220587fac79281351

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8df572164ba21d4e3e5b2bd4fe059cf1 sha1: 11bb910bebf9708f01a77ddf1fbf2ce32d03171d size: 52736
Section .rdata md5: 823da3808e7602d6799496b6d2df8998 sha1: 87ba6496b69e59380f58aa7452036158b68f9a1b size: 1536
Section .data md5: 75f5ba014b90f903b0ee5e6aaafefb7c sha1: b5288131245cd0d514633bf9ab2e464b827fd024 size: 41984
Section .rsrc md5: bcba07b0109c85dfb7266f5d11772d22 sha1: e56dca5c87d833d0242b5ca5a4aec447ea57cc5c size: 512
Timestamp: 2005-09-26 05:23:31
PEhash: a94b5adf350b6caff702c6708f86e2d079e31cbe
IMPhash: d4ac9fe23335028a8292b4efe78dc647
AV 360 Safe: Gen:Variant.Kazy.43312
AV Ad-Aware: Gen:Variant.Kazy.43312
AV Alwil (avast): Cycbot-OE [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.P.gen!Eldorado
AV Avira (antivir): TR/Crypt.EPACK.Gen2
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Siggen.29938
AV Emsisoft: Gen:Variant.Kazy.43312
AV Eset (nod32): Win32/Kryptik.VFG
AV Fortinet: W32/FakeAV.IS!tr
AV Frisk (f-prot): W32/Goolbot.P.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Kazy.43312
AV Grisoft (avg): PSW.Generic9.AMQY
AV Ikarus: Backdoor.Win32.Agent
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Malware.Packer
AV Mcafee: BackDoor-EXI.gen.aa
AV Microsoft Security Essentials: PWS:Win32/Fareit.gen!C
AV MicroWorld (escan): Gen:Variant.Kazy.43312
AV Norman: win32/Cycbot.EH
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen9
AV Trend Micro: TROJ_KAZY.SMO
AV VirusBlokAda (vba32): BScope.Backdoor.Gbot.2621

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR\HWID ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: ourdatatransfers.com
Type: A
208.73.211.152
DNS: ourdatatransfers.com
Type: A
208.73.211.172
DNS: ourdatatransfers.com
Type: A
208.73.211.196
DNS: ourdatatransfers.com
Type: A
208.73.211.199
DNS: ourdatatransfers.com
Type: A
208.73.211.235
HTTP POST: http://ourdatatransfers.com/gate.php
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.152:80

Raw Pcap
0x00000000 (00000)   504f5354 202f6761 74652e70 68702048   POST /gate.php H
0x00000010 (00016)   5454502f 312e310d 0a486f73 743a206f   TTP/1.1..Host: o
0x00000020 (00032)   75726461 74617472 616e7366 6572732e   urdatatransfers.
0x00000030 (00048)   636f6d0d 0a436f6e 74656e74 2d4c656e   com..Content-Len
0x00000040 (00064)   6774683a 20313933 0d0a436f 6e6e6563   gth: 193..Connec
0x00000050 (00080)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x00000060 (00096)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000070 (00112)   63617469 6f6e2f6f 63746574 2d737472   cation/octet-str
0x00000080 (00128)   65616d0d 0a436f6e 74656e74 2d456e63   eam..Content-Enc
0x00000090 (00144)   6f64696e 673a2062 696e6172 790d0a55   oding: binary..U
0x000000a0 (00160)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x000000b0 (00176)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x000000c0 (00192)   6c653b20 4d534945 20352e30 3b205769   le; MSIE 5.0; Wi
0x000000d0 (00208)   6e646f77 73203938 290d0a0d 0a435259   ndows 98)....CRY
0x000000e0 (00224)   50544544 30a871d1 895350b1 e178ca28   PTED0.q..SP..x.(
0x000000f0 (00240)   0b1499fe 0aeaa017 b20d4995 a67d6257   ..........I..}bW
0x00000100 (00256)   c1f66b22 8a2777fd ab9d4eb1 2a102e2a   ..k".'w...N.*..*
0x00000110 (00272)   769e6253 e4b632c2 14f8e527 778caa85   v.bS..2....'w...
0x00000120 (00288)   57154e06 81d21dc6 79490d8a adc11ab3   W.N.....yI......
0x00000130 (00304)   b33c353d ee38ea3d 5cf05a69 93bdbed3   .<5=.8.=\.Zi....
0x00000140 (00320)   431b5897 1f973344 e2cb1d52 f5cb19df   C.X...3D...R....
0x00000150 (00336)   47badfe8 9e718992 46b71314 b347b642   G....q..F....G.B
0x00000160 (00352)   337662ec c962ddab ffd2f3a4 bb0e1a2e   3vb..b..........
0x00000170 (00368)   bc0b2495 3eebd386 a5a30594 dc8e5d0a   ..$.>.........].
0x00000180 (00384)   18dc9462 2e20d504 e738b5e2 dc673a08   ...b. ...8...g:.
0x00000190 (00400)   570b251a a4e6a20a 40544c44 74d8       W.%.....@TLDt.
Strings
...
.9..[
.
z.
.
.
..$
.p8
.q
f
..
2.6 
\^JB
.JPf
jv^p
Nf@`
rFL4
R.*t
T4pH
TnPf^
T^$\P
x|~x
ZX8X
,,,,,,,
******
&&&&&&
0r)U[n
1(kQeq%i
```222
;2KzmpX
&3GcyB6
3O]P=D;fp
|!!!!!!!4
"497iU
4@(Bqh
555555
5}S9R!O
6/~8^1
!7d8+<\
*7S:::
88888j
8ML&5%
9NjhI9(`2u+
9{~qil
aaaaaa
AddAtomA
a+{ohzX
}a-&Sc
'B)!"?p
~bx]wQ)
C{\["[
C24mIRYX
Cc3#R|
CheckNameLegalDOS8Dot3W
CloseHandle
CM_Get_Child
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
@.data
DDDDDc,,
DeleteFileW
DLD"aJn
D OW?c
(e/c S?z^Z
(ek9shP
EnumResourceNamesW
eVVVVV:kkkM
\F4TP.uq
fB!2#l
fBF7Se
fB!#P+
/;{FE;
||||FF
ffffff
FindClose
FindFirstFileW
FindNextFileW
======G
.....G
GetACP
GetCurrentDirectoryW
GetDriveTypeW
GetFileAttributesW
GetFileSize
GetFileTime
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetSystemDefaultLCID
GetVersion
GetVersionExW
GetVolumeInformationW
GGGddd
gggggg
GlobalAlloc
GlobalFree
GlobalReAlloc
GlobalSize
GlobalUnlock
~gp".s
/hH6YW
HHH{{^
HOP<x+ 
Hsrf34
i;;555
$.i H/
i,iSb_
IsDBCSLeadByte
IsDBCSLeadByteEx
iuasi:
<`ix60
jjj_Eo
=j jZ"
Jx#Cog7
k)4V:ik
\\k55lllleeet
kellll	wwwvv||(gggg
KERNEL32.dll
K	K0QoC!
\ll11111
LoadLibraryW
LockFile
lstrlenW
L"ty:'
!]LZ7c
MMMMM2222bbVVVNN6
Mou"q^1
MoveFileW
nn       
nnHFFFF``9~
nnnnnn
o]1Yz,k
OOOOzz
OutputDebugStringA
ppi'''
ppp666vM
pppp=eee
Qjl5;l
`.rdata
ReadFile
RrRn7<
rrrrrPh{{{{fcccg
Rz,PSw
SearchPathW
SetFileAttributesW
SetFilePointer
SetFileTime
SetLastError
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
{{SRR//
SU%Oh-
T3{sL	
T=5*FQ
\)t7]x
!This program cannot be run in DOS mode.
TT664k_bb
^TT}n>YV
ttttttt
UnlockFile
UUiiiii
uuuuuuuu-
V"uQHJY
vvvvvvvw
V;yA7il
WD,M>?io
WinExec
WriteFile
x33r#*:]p
Xor4JT
XXXXqqqqqqqqq\\\\\
XXXXXXXaa
Xy<	Dx
XZDri5
Y@Bl{"
-YeuQ{
YYYYY"";
z|k?:TG
ZNjVL"qG
z	yDb,
:::zzz