Analysis Date: 2015-12-18 23:36:45
MD5: 2790c477a46f113746ece3c41091f204
SHA1: 162c3c76d587d75f30b44c712662ed4850305a68

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1f1f7f730dbde008b76c8f4722a7e724 sha1: 45bfece0cb835c125f1053965fefc587078a8d05 size: 5632
Section .rdata md5: 11df99c186851140513216ec424b6ef2 sha1: 0996b7a1a76d5b26776450802a36f692c1128705 size: 5120
Section .data md5: 50e220e184b2afda3ca5d02c0c24a385 sha1: c23de603095ab54cf28842879b86ed9cbbbbe886 size: 1024
Section .rsrc md5: 8943f17561446e9565bda606b43bee8c sha1: abe0979f9f7138d5b1891cd951d6bb08dfe50af1 size: 18944
Section .reloc md5: 1349da72f29f3a985c36ac7a8f241e19 sha1: b752b291124a5498b1b931eee5b8bef80837bda4 size: 2560
Timestamp: 2007-09-14 07:38:58
PEhash: 21f0a707c0c6288582ee9a6301e492d58b68212f
IMPhash: 7585564eb7908f9e16ed747ff84cf9de
AV Ad-Aware: Trojan.Agent.BHHK
AV Dr. Web: Trojan.DownLoad3.35539
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cbti
AV Authentium: W32/Downloader.ANXR-3630
AV Emsisoft: Trojan.Agent.BHHK
AV K7: Trojan-Downloader ( 00499db21 )
AV Trend Micro: TROJ_CRYPCTB.SMD
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Alwil (avast): Downloader-VQV [Trj]
AV Fortinet: W32/Kryptik.CVBD!tr
AV Grisoft (avg): Inject2.BLSX
AV Avira (antivir): TR/Chabot.oslrr
AV Frisk (f-prot): W32/Downldr2.IZQD
AV F-Secure: Trojan.Agent.BHHK
AV Symantec: Downloader.Ponik
AV VirusBlokAda (vba32): TrojanDownloader.Cabby
AV BitDefender: Trojan.Agent.BHHK
AV Zillya!: Downloader.Cabby.Win32.793
AV BullGuard: Trojan.Agent.BHHK
AV Rising: no_virus
AV MicroWorld (escan): Trojan.Agent.BHHK
AV CA (E-Trust Ino): Win32/Tnega.PJQVNLC
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis
AV Arcabit (arcavir): Trojan.Agent.BHHK
AV CAT (quickheal): TrojanDownloader.Dalexis.A3
AV Mcafee: Ransom-CTB!2790C477A46F
AV Twister: TrojanDldr.Cabby.cbti.bdko
AV ClamAV: Win.Trojan.Agent-837432
AV MalwareBytes: Backdoor.Bot

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_76671.cab
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\162c3c76d587d75f30b44c712662ed4850305a68.rtf
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 56730099
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.190
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.190:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....


Strings
...
$.
.c-.....Z..\=lg#.2.
 .
U.
.r......;..'C?....ZM\.GT.. ...
.m2..g%[.
.Y..CK....&3.M*?.:.{
.
.E...L.-.iK......^.....o.
..

ATERNUS
0 0&03090@0D0J0P0Y0_0e0l0{0
0+03080>0U0b0g0m0r0x0~0
1+10161C1J1O1U1[1a1h1u1y1
1"1)1.141I1M1X1^1k1q1z1
=%=,=1=7=>=C=I=S=]=b=h=p=v=|=
&1=EP@
2%2+2/2<2C2I2\2d2j2o2u2~2
2 2&2,232D2I2O2c2l2p2x2
<!<+<2<6<<<C<I<O<U<[<a<h<m<s<x<
2j	hCR@
3)3-32383?3H3}3
3%3+3/353<3B3I3O3U3\3a3g3v3z3
?$?*?3?<?@?I?P?V?m?u?z?
4%4,424;4S4`4m4s4
4(4:4J4S4X4^4l4s4y4
46u@E#
;4|<#*QQb/?\	
5$5*535E5M5S5Z5`5f5m5y5
5"5(575=5A5L5R5
>!>'>5>=>B>H>S>\>c>i>p>t>z>
5ksQ!7rP
6~+	48
; ;*;6;;;A;G;M;S;W;];d;r;x;
6hq*v[@
7'7+767<7B7H7N7T7[7`7f7t7
:%:/:7:?:D:J:_:f:n:u:y:
8#8)8/858;8B8F8Q8X8^8d8m8u8z8
9%959:9@9K9R9Y9]9c9o9u9{9
}[9ca?
ADVAPI32.dll
ajn{dbe
AlphaBlend
A)=rQ@
Bp]8=.
CloseHandle
CompareStringA
ControlService
CountryRunOnce
CreateDirectoryA
CreateNamedPipeA
CreateServiceA
@.data
DeviceIoControl
DllInitialize
drvCommConfigDialogA
drvSetDefaultCommConfigA
FMYdVsYj
FormatMessageA
FpRWKbkoRz
GetAtomNameA
GetBinaryTypeA
GetComputerNameA
GetConsoleAliasW
GetConsoleTitleA
GetCurrentDirectoryA
GetCurrentProcess
GetFullPathNameA
GetLongPathNameA
GetNumberFormatW
GetProcAddress
GetProcessHeap
GetProcessId
GetTickCount
GetTimeFormatA
GetVersionExA
){G;fa
Gj	hCR@
HeapValidate
InvokeControlPanel
IsTextUnicode
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
?j	hCR@
{j	hCR@
j	hCR@
kernel32.DLL
KERNEL32.dll
Kj	hCR@
k:UZ{x
lmmxa[S
LoadLibraryA
lstrcpynA
m'K@Sv)
MO9J:`
modemui.dll
msimg32.dll
nddeapi.dll
NDdeShareDelA
NDdeShareGetInfoA
NDdeShareSetInfoA
nL[EB 
nLvanL
OpenServiceA
p^b u{MY
[$P!C{7'
pnevnut.pdb
QueryDosDeviceW
`.rdata
ReadConsoleA
ReadFile
RegCreateKeyA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegFlushKey
RegOpenKeyExA
RegQueryValueA
RegSaveKeyA
@.reloc
)rgE(+c
RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
R\\P$c,
@SEs}[
SetEnvironmentVariableW
SetFilePointer
sQVOnL
!This program cannot be run in DOS mode.
TransparentBlt
VirtualAllocEx
WaitForSingleObject
w+B !ee
WriteConsoleA
WTSAPI32.dll
WTSEnumerateProcessesA
WTSFreeMemory
WTSLogoffSession
WTSQuerySessionInformationA
WTSRegisterSessionNotification
WTSSetUserConfigW
WTSVirtualChannelClose
WTSVirtualChannelQuery
WTSVirtualChannelRead
WTSVirtualChannelWrite
X$W&m-!Z^z m8m}q
y4A#pdB&
ZWv=(_p