Analysis Date: 2015-02-13 20:58:12
MD5: f0bd155a904a5e3347f201291a0a538c
SHA1: 16a61e387306d2bccce650edd08eecb6cc08b192

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: c3d101dd4b974c8feb1148c51785ff03 sha1: e60a36b7d5b97843709252b108ba3a434af8583e size: 70656
Section .rsrc: md5: e5c26533de69b9279c208b8c670a5349 sha1: 5afcfc06676f5c5a7cd54c55e25a7c24c0bba55d size: 2560
Timestamp: 2004-02-08 14:31:36
Version:
  InternalName: Oct Baggy Lied Agony
  FileVersion: 8, 2, 7
  ProductVersion: 8 2 3346
  SJ1ofVrV4QjHdHCEv: osynmGPlpiHw
  NfL1iHVQMf: RrSeOyFwL4
  etMAms3FGChy: 5MofnCHV1hTFQmon
Packer: UPX -> www.upx.sourceforge.net
PEhash: 127fa28fe0b12ba1be847375349713b05924b95e
IMPhash: ceff844a79cb3246090fbadc3edea78d

AV results:
  360 Safe: no_virus
  Ad-Aware: Gen:Variant.Kazy.157231
  Alwil (avast): Dropper-gen [Drp]
  Arcabit (arcavir): Gen:Variant.Kazy.157231
  Authentium: W32/Trojan.PFQW-3284
  Avira (antivir): TR/Crypt.ULPM.Gen
  BullGuard: Gen:Variant.Kazy.157231
  CA (E-Trust Ino): no_virus
  CAT (quickheal): Trojan.Generic.r3
  ClamAV: WIN.Trojan.Pushdo-29
  Dr. Web: BackDoor.Bulknet.847
  Emsisoft: Gen:Variant.Kazy.157231
  Eset (nod32): Win32/Kryptik.AXQD
  Fortinet: W32/Yakes.B!tr
  Frisk (f-prot): no_virus
  F-Secure: Gen:Variant.Kazy.157231
  Grisoft (avg): PSW.Generic11.MFX
  Ikarus: Trojan.Win32.Crypt
  K7: Spyware ( 0040f2f71 )
  Kaspersky: Trojan.Win32.Generic
  MalwareBytes: no_virus
  Mcafee: PWS-Zbot-FAQO!69ADDD2E668C
  Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
  MicroWorld (escan): Gen:Variant.Kazy.157231
  Rising: no_virus
  Sophos: Mal/Zbot-LF
  Symantec: no_virus
  Trend Micro: no_virus
  VirusBlokAda (vba32): Trojan.SB.01742

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\wynofdonsebv ➝ C:\Documents and Settings\Administrator\wynofdonsebv.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\wynofdonsebv.exe
Creates File: \Device\Afd\Endpoint
Creates Mutex: wynofdonsebv

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.live.com (Type: A)
Flows: TCP 192.168.1.1:1031 ➝ 65.55.163.152:25

Strings