Analysis Date: 2014-03-15 05:43:15
MD5: ca99955b9356ed3bcb20175f1245d801
SHA1: 19957f4cc33d8676736756f81899a2fbd0586c1e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 007f3c1d24b13e154d82f54a3c929a8f  sha1: 4ba183a95edd5c9fc3f999af5073a7d563a9aba3  size: 25600
Section .rdata md5: 155734851e150e085db58bf18b01f8ea  sha1: dbfaacfba4a6d9eb4545632dd9f5000223dacf2b  size: 74240
Section .data  md5: 7b0b1e94c5ba63302447d5b959767ead  sha1: 2975189bc1b9add7e1e49dd0e3a54efa5c3ce3fa  size: 3584
Timestamp: 2014-02-20 03:44:18
Packer: Microsoft Visual C++ ?.?
PEhash: bde7dd5c691d2181868aeadfcba7a60163cf75dd
IMPhash: 44b8b693759315b204dbd6aba6e75c6b

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates Process: C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe
Creates Mutex: Global\ommkhgoct

Process
↳ C:\Documents and Settings\All Users\DRM\RasTls\RasTls.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process: (no path recorded)
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\elthiffdi
Creates Mutex: Global\ufkhhimbcxyzj
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\ommkhgoct
Creates Mutex: Global\mschu
Creates Mutex: Global\aabhnqurdbfoh
Creates Mutex: Global\kglwtnsgqecwvvtgv
Creates Mutex: Global\onswfymydmowhbfwb
Creates Mutex: Global\ganijochb
Creates Mutex: Global\sobse
Creates Mutex: Global\inkxsdwqbtist
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\wymmprdiqzsfmygaj
Creates Mutex: Global\omlohwqne
Creates Mutex: Global\aelyqgtun
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\egbhmpyceumde

Process
↳ Pid 0

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\DRM\RasTls\nprqyjadoqkp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: My_Name
Winsock DNS: scqf.zuesinfo.com
Winsock DNS: scqf.bacguarp.com

Network Details:

DNS: scqf.bacguarp.com (Type: A) ➝ 210.56.63.61
DNS: scqf.zuesinfo.com (Type: A) ➝ 210.56.63.61
HTTP POST: http://scqf.bacguarp.com:443/61CACA77FE868E0896CDBF8E
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP POST: http://scqf.zuesinfo.com:443/75A93F96D853DE5E0155496B
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 210.56.63.61:443
Flows TCP: 192.168.1.1:1032 ➝ 210.56.63.61:443
Flows TCP: 192.168.1.1:1033 ➝ 210.56.63.61:443
Flows TCP: 192.168.1.1:1034 ➝ 210.56.63.61:443

Raw Pcap

Strings