Analysis Date: 2015-02-03 16:51:32
MD5: b34c55a73948ef1d328a89fb2487ee03
SHA1: 1543874f46b9d930b7337fd0f3de67d3262e644c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 15acbb8fe871d5deec00d41bcf8c0b5f sha1: fe29a2a0a8982d3c6e3a0516b6575e7a841c923d size: 7168
Section .rdata md5: c20890377d15ce2dc509d6e291f52c65 sha1: 5b048ae453335151d8e479fc1535e51193d799a7 size: 3584
Section .data md5: 5b579014e31b7c75372671f0bd606028 sha1: d185e1e1818c5b839a71baa527f5687ad1defde8 size: 2560
Section .rsrc md5: 25abb94d48dd2c09f49e8c2b1b3be335 sha1: 85255c91f96c0084b45c515aaa8c514808a32450 size: 20480
Section .reloc md5: d4b1fb40e321fc9a2f5e2e1229833304 sha1: 39f60bd10c0f2677418ec632a34ea072ea87bbc4 size: 5632
Timestamp: 2006-02-07 12:59:56
PEhash: 1f4c6e8af498e21d381b2ec3986806ea8a968649
IMPhash: a15124486db62937438227bf2a31287a
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Ransom.Dalexis.A
AV Alwil (avast): Downloader-VQV [Trj]
AV Arcabit (arcavir): Trojan.Ransom.Dalexis.A
AV Authentium: W32/Trojan.PJPG-2490
AV Avira (antivir): TR/Dldr.Agent.40448.44
AV BullGuard: Trojan.Ransom.Dalexis.A
AV CA (E-Trust Ino): Win32/Tnega.EUYaEC
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Ransom.Dalexis.A
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): W32/Trojan3.NFR
AV F-Secure: Trojan.Ransom.Dalexis.A
AV Grisoft (avg): Crypt3.BTOC
AV Ikarus: Evilware.Outbreak
AV K7: Trojan-Downloader ( 00499db21 )
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cccy
AV MalwareBytes: Trojan.Email.FakeDoc
AV Mcafee: Downloader-FAMV!B34C55A73948
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.C
AV MicroWorld (escan): Trojan.Ransom.Dalexis.A
AV Rising: no_virus
AV Sophos: Troj/Agent-AIRO
AV Symantec: no_virus
AV Trend Micro: TROJ_CRYPCTB.SMD
AV VirusBlokAda (vba32): Trojan.FakeAV.01657

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_74921.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1543874f46b9d930b7337fd0f3de67d3262e644c.rtf
Creates Mutex: 93031785
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.192.91
DNS: www.update.microsoft.com.nsatc.net
Type: A
157.56.77.148
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.192.91:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....

Strings
.
`+..6tU....*r
n..4..](.R....1v...c..E...lz1I.....3^B.N...^.o.
..
....S>.q...'V.......E..3&.z....F.$....R..
.g.clG.=....._J.
....zx...z.u3
eT
.D6....y..,..
..b5.H.\}.
..
.
H
0!0&0+010;0J0N0V0\0c0m0v0
0$0*0/040:0I0P0U0Z0`0j0o0u0}0
1"1(111B1K1X1a1h1t1z1
1!1(1-12181J1P1W1^1d1i1o1z1
:%:*:1:6:<:K:O:U:[:a:g:u:{:
:#:*:1:7:=:G:Z:`:f:m:r:y:~:
;!;&;+;1;;;A;F;K;Q;^;e;k;q;x;|;
2 222:2C2I2O2V2]2p2|2
2#2(2.262<2F2U2
3!3(30393@3H3Z3m3s3{3
3!3'32373=3A3M3T3[3a3i3o3t3~3
4"4(474=4C4G4M4T4Z4`4f4
<$<*<4<G<W<]<b<g<m<w<}<
=$=)=.=4=?=N=R=g=o=v=|=
?!?'?.?4?:?Q?V?\?m?t?x?~?
5#5/565;5@5F5Q5W5]5c5g5m5s5y5
5%5.575P5W5]5h5o5t5y5
6&6,61686=6C6O6b6f6l6r6y6
6#6'6-636<6B6I6W6m6t6y6
7,73787?7D7J7U7\7e7i7t7z7
7$757<7C7G7M7S7Y7_7e7u7{7
8&878=8C8J8O8T8Z8x8~8
8(8.848:8Q8\8b8i8n8s8y8
8wkI-)b@
9$959C9\9b9h9m9t9y9
9"9'9,929H9N9T9X9k9r9{9
ADVAPI32.dll
AlphaBlend
aO64P;
B W/G%
CACloseCA
CACloseCertType
CADeleteCA
CAEnumNextCA
certcli.dll
;';.;<;C;H;M;S;^;g;k;q;{;
C!iTdB
ClearEventLogA
ControlService
CountryRunOnce
cpsj&%
CreateProcessAsUserA
@.data
dByrP/D
DllInitialize
@DR	4ql
drvCommConfigDialogA
drvGetDefaultCommConfigA
drvSetDefaultCommConfigA
><>E>J>Q>V>[>a>t>x>~>
eMWGgPdEZvqCtzK
GetComputerNameA
GetConsoleAliasW
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetFullPathNameA
GetGeoInfoA
GetModuleHandleA
GetNumberFormatW
GetPrivateProfileIntA
GetPrivateProfileSectionA
GetPrivateProfileStructW
GetProcAddress
GetProcessHeap
GetProcessId
GetTimeFormatA
GradientFill
HeapValidate
InitializeSid
IsTextUnicode
IsValidSid
jHrfxV
kernel32.DLL
KERNEL32.dll
kgzUuYjnNDaOvXT
lokitar.pdb
lstrcmpiA
lywUsnIMaXJio
m-C-_'$`
M+{I'G
mKqRtR
modemui.dll
msimg32.dll
nddeapi.dll
NDdeShareAddA
NDdeShareDelA
NDdeShareEnumA
NDdeShareSetInfoA
n:lEaD_s{I
PathCombineA
PathCompactPathA
`.rdata
RegCloseKey
RegDeleteKeyA
RegEnumValueA
RegFlushKey
RegOpenKeyExA
RegSaveKeyA
@.reloc
RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
rP]5wU
S1B.tR
S(%b@@
SetEnvironmentVariableW
SetFilePointer
SHLWAPI.dll
!This program cannot be run in DOS mode.
TMxWUDswpJCWjmk
]:UdsO
UpdateResourceA
UrlCanonicalizeA
UrlCombineA
UrlCreateFromPathA
UrlEscapeA
UrlHashA
UrlIsA
UrlIsNoHistoryW
UrlIsOpaqueA
VirtualAllocEx
WaitForSingleObject
WriteConsoleA
WTSAPI32.dll
WTSEnumerateServersA
WTSFreeMemory
WTSLogoffSession
WTSOpenServerW
WTSQuerySessionInformationA
WTSRegisterSessionNotification
WTSSetUserConfigW
WTSVirtualChannelClose
WTSVirtualChannelOpen
WTSVirtualChannelPurgeInput
WTSWaitSystemEvent
XCs[X/
Y7RNG%
YUJdzYsVPB
yWo{G%1q