Analysis Date: 2014-11-21 15:24:08
MD5: b8454239c061b0914a6bff614f4659e3
SHA1: 1822b40898ace50d77e6100dc383ef7cbae8339e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 12cbba1e678536588fa8290a3b4fe541 sha1: 68d590c1658aa8e4d3f81b3779af0636ee4d394b size: 1024
Section .rdata: md5: 3b7e67fb1ccbaf9bb4216814816e91ba sha1: a504a5735b53f6fc5724d26ba09482a9b5a539e1 size: 1024
Section .data: md5: 8589a20c5b7c3de3ece563f3962530f5 sha1: a560db31a64b2cb913c2f420f09dd8019f05ca82 size: 1024
Section .rsrc: md5: c60d7d40d0a8853bab911d04146d27a9 sha1: c1fd7899d4d7f2abd8484beb10ce6a5784bac396 size: 42496
Timestamp: 2014-06-30 05:06:07
Version:
LegalCopyright: Copyright (C) 2009
InternalName: genius
FileVersion: 8,2,3,23
ProductName: genius Application
ProductVersion: 2,3,3,22
FileDescription: genius Application
OriginalFilename: genius.exe
PEhash: c7d051cb67aa79021e1fdf22e08021326cd976b7
IMPhash: f0855f86d5b3050322afa714b88b2ec1
AV 360 Safe: Gen:Variant.Graftor.144167
AV Ad-Aware: Gen:Variant.Graftor.144167
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.KQUE-2734
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Graftor.144167
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Cutwail.r4
AV ClamAV: no_virus
AV Dr. Web: Trojan.MulDrop3.14959
AV Emsisoft: Gen:Variant.Graftor.144167
AV Eset (nod32): Win32/Kryptik.CFVL
AV Fortinet: W32/CUTWAIL.BG!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Graftor.144167
AV Grisoft (avg): Agent
AV Ikarus: Trojan.Win32.Cutwail
AV K7: Trojan ( 0049cbf01 )
AV Kaspersky: Trojan.Win32.Cutwail.dpb
AV MalwareBytes: Trojan.Agent.US
AV Mcafee: RDN/Generic Downloader.x!lg
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Graftor.144167
AV Rising: no_virus
AV Sophos: Troj/Cutwail-BG
AV Symantec: Trojan.Zbot
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\huqalsymafur ➝ C:\Documents and Settings\Administrator\huqalsymafur.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\huqalsymafur.exe
Creates Mutex: huqalsymafur

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25

Strings