Analysis Date: 2015-10-09 13:14:34
MD5: beaec8e4b05951e3c23c8aabe120ad66
SHA1: 1927bf0b249ccfe7f2a46bde0cc1992c6994cadf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b56dab19d17bc1ff269d12b142fe122b sha1: cde13bec55f7efbcc6bad1abbe79a4181d72a2c7 size: 17920
Section .rdata: md5: 639f11c9be9a3e2a234f9fa0b2e8a75f sha1: 87af921f54beef320fccf8eabfa011cde0dc2519 size: 4608
Section .data: md5: 3e72b69a011f0bcaa10dcdc1f52a6b62 sha1: c5f724f55db40e299f3cabc83c840a079a1c4ec8 size: 20480
Section .reloc: md5: d0bc9b078e8366125437dc5bc2c39212 sha1: 6c30a4b30d842370d88da9bc19e289b7463dc734 size: 2048
Timestamp: 2005-09-09 10:03:38
PEhash: a40397b07fb299c63db0d5b870e1624072a51cb2
IMPhash: 330b21bd5dd4b7f81f4c324418bc688f
AV CA (E-Trust Ino): no_virus
AV F-Secure: Generic.Malware.SFBdld.54415E1F
AV Dr. Web: BackDoor.Bulknet.1105
AV ClamAV: Trojan.Downloader.Small-3221
AV Arcabit (arcavir): Generic.Malware.SFBdld.54415E1F
AV BullGuard: Generic.Malware.SFBdld.54415E1F
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Generic.r4
AV Trend Micro: Mal_DLDER
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Wigon.Win32.4047
AV Emsisoft: Generic.Malware.SFBdld.54415E1F
AV Ikarus: Gen.Trojan
AV Frisk (f-prot): New or modified Patched
AV Authentium: Patched
AV MalwareBytes: Trojan.Agent.US
AV MicroWorld (escan): Generic.Malware.SFBdld.54415E1F
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV K7: Trojan ( 0040c0821 )
AV BitDefender: Generic.Malware.SFBdld.54415E1F
AV Fortinet: W32/Pushdo.RFX!tr
AV Symantec: Backdoor.Trojan
AV Grisoft (avg): Win32/DH{AyAkIg8TF4EOgQ8}
AV Eset (nod32): Win32/Wigon.PH
AV Alwil (avast): ShellCode-AU [Trj]
AV Ad-Aware: Generic.Malware.SFBdld.54415E1F
AV Twister: Trojan.B91D89C1257B2F2A
AV Avira (antivir): TR/Spy.Gen
AV Mcafee: Cutwail-FDDA!BEAEC8E4B059
AV Rising: 0x55a4ae1a

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\gearupicjudu ➝ C:\Documents and Settings\Administrator\gearupicjudu.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\gearupicjudu.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: gearupicjudu
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: smtp.glbdns2.microsoft.com, Type: A ➝ 65.55.176.126
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A ➝ 63.250.193.228
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A ➝ 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net, Type: A ➝ 98.139.211.125
DNS: minatech.net, Type: A ➝ 157.112.152.43
DNS: wsipowerontheweb.com, Type: A ➝ 176.58.125.225
DNS: authentica-travel.com, Type: A ➝ 98.124.199.1
DNS: bredainternet.nl, Type: A ➝ 127.0.0.1
DNS: tss.org, Type: A ➝ 107.22.254.167
DNS: solutioncorp.com, Type: A ➝ 209.208.32.251
DNS: childscope.com, Type: A ➝ 173.203.121.238
DNS: spiti.org, Type: A ➝ 217.199.187.58
DNS: e-kagami.com, Type: A ➝ 54.249.238.243
DNS: mastergrp-spb.ru, Type: A ➝ 186.2.166.26
DNS: leadershipforum.us, Type: A ➝ 66.39.30.185
DNS: graceweb.net, Type: A ➝ 208.97.174.44
DNS: altonhousehotel.com, Type: A ➝ 5.159.228.225
DNS: wlf.louisiana.gov, Type: A ➝ 184.106.119.164
DNS: iaiglobal.or.id, Type: A ➝ 49.50.8.93
DNS: smtp.live.com, Type: A
DNS: smtp.mail.yahoo.com, Type: A
DNS: coopsupermarkt.nl, Type: A
DNS: enzoyrodrigo.com.br, Type: A
DNS: momonophoto.com, Type: A
HTTP POST: http://childscope.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://solutioncorp.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://mastergrp-spb.ru/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://authentica-travel.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://wsipowerontheweb.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://spiti.org/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://minatech.net/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://e-kagami.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://tss.org/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://authentica-travel.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://wsipowerontheweb.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://leadershipforum.us/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://graceweb.net/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://altonhousehotel.com/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://wlf.louisiana.gov/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
HTTP POST: http://iaiglobal.or.id/ (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
Flows TCP: 192.168.1.1:1038 ➝ 173.203.121.238:80
Flows TCP: 192.168.1.1:1041 ➝ 209.208.32.251:80
Flows TCP: 192.168.1.1:1042 ➝ 54.249.238.243:80
Flows TCP: 192.168.1.1:1043 ➝ 186.2.166.26:80
Flows TCP: 192.168.1.1:1044 ➝ 98.124.199.1:80
Flows TCP: 192.168.1.1:1046 ➝ 176.58.125.225:80
Flows TCP: 192.168.1.1:1048 ➝ 217.199.187.58:80
Flows TCP: 192.168.1.1:1049 ➝ 157.112.152.43:80
Flows TCP: 192.168.1.1:1050 ➝ 107.22.254.167:80
Flows TCP: 192.168.1.1:1045 ➝ 98.124.199.1:80
Flows TCP: 192.168.1.1:1051 ➝ 176.58.125.225:80
Flows TCP: 192.168.1.1:1052 ➝ 66.39.30.185:80
Flows TCP: 192.168.1.1:1053 ➝ 208.97.174.44:80
Flows TCP: 192.168.1.1:1054 ➝ 5.159.228.225:80
Flows TCP: 192.168.1.1:1055 ➝ 184.106.119.164:80
Flows TCP: 192.168.1.1:1056 ➝ 49.50.8.93:80
