Analysis Date: 2014-04-21 23:16:42
MD5: b64cc0bf80ccaea76d6026e26ff6ed1a
SHA1: 11efed84142f62682ad1cc2607e6509f5251d123

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 941d965b946936c4653b2a3ba9c45c01 sha1: 086797b622b4b16ffdd68c5cbd26a70c06e0d520 size: 140288
Section .rsrc md5: e49d31f2480a098a473c3509b015c68c sha1: a2b1cc1e7d9f2072c2ac6c45252ee3e6b3eb7603 size: 6656
Timestamp: 2005-12-22 05:11:59
Version: InternalName: ferrera10
FileVersion: 8.00
CompanyName: MSpaint
Comments: TaskList.exe
ProductName: Sistema operacional Microsoft® Windows®
ProductVersion: 8.00
OriginalFilename: ferrera10.exe
Packer: PeCompact 2.xx (Slim Loader) -> BitSum Technologies
PEhash: a86caa198cc12f4bd1972ab355d6db1c0211d9e1
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV avg: PSW.Banker.RFK
AV avira: TR/Spy.Bancos.NV.1
AV mcafee: PWS-Banker.gen.h
AV msse: TrojanSpy:Win32/Bancos.MZ
AV clamav: Trojan.Spy.Banker-3954

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\windows\system32\tasklist32.exe
Creates Process: c:\windows\system32\tasklist32.exe

Process
↳ c:\windows\system32\tasklist32.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TaskList ➝
"c:\windows\system32\tasklist32.exe"\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\InternetMail\RealTimeScan\OnOff ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC668.tmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\winhlp32.dat
Creates File: \Device\Afd\AsyncConnectHlp

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: smtp.mail.yahoo.fr
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 188.125.69.59:25
SMTP: minotauro333@gmail.com

Raw Pcap
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a6247 467a5932 46775958 566b5a57   ..bGFzY2FwYXVkZW
0x00000030 (00048)   3530636d 383d0d0a 4d54497a 4e445532   50cm8=..MTIzNDU2
0x00000040 (00064)   59513d3d 0d0a4d41 494c2046 524f4d3a   YQ==..MAIL FROM:
0x00000050 (00080)   3c6c6173 63617061 7564656e 74726f40   <lascapaudentro@
0x00000060 (00096)   7961686f 6f2e6465 3e0d0a52 43505420   yahoo.de>..RCPT 
0x00000070 (00112)   544f3a3c 6d696e6f 74617572 6f333333   TO:<minotauro333
0x00000080 (00128)   40676d61 696c2e63 6f6d3e0d 0a524350   @gmail.com>..RCP
0x00000090 (00144)   54204243 433a3c66 65727265 72613130   T BCC:<ferrera10
0x000000a0 (00160)   40676d61 696c2e63 6f6d3e0d 0a         @gmail.com>..


Strings