Analysis Date: 2015-06-30 14:58:52
MD5: 372406e72a6e9f03b074f35899d5d0cb
SHA1: 1a26d7d2d1e942563dae676fe1583c20ec3a94d4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d4ab5f3f01d3f542a8875d4b05c81072 sha1: bf806d04689495abba724c79015df896940cc513 size: 177152
Section .rdata: md5: e8269eee1b118f983954cf51b23c722a sha1: 03ea4850c35a93c60b6db71a87752744c42e9d7e size: 1536
Section .data: md5: 226f5cd9c465a06db91c2b80332ee698 sha1: 8d1a24a200441726b96e0eab85719f12cb81d035 size: 68608
Section .rsrc: md5: 092cef8904a0c36529311bfec56a0d37 sha1: 05bf5d1d781ad5dfebc2f48e2fc2272fd547cc32 size: 66048
Timestamp: 2005-07-25 17:51:16
PEhash: f75bac48615a5c8e7e56586b70636898942806bb
IMPhash: f328ae44f70c512df1b96fe6e910baa2
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV Rising: no_virus
AV Mcafee: FakeAlert-SecurityTool.al
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV Twister: Trojan.558BEC81EC3C01000.mg
AV Ad-Aware: Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-EY [Cryp]
AV Eset (nod32): Win32/Kryptik.JDB
AV Grisoft (avg): Cryptic.BSC
AV Symantec: Trojan.FakeAV!gen39
AV Fortinet: W32/FakeAV.PACK!tr
AV BitDefender: Gen:Heur.Cridex.2
AV K7: Trojan ( 001cdda01 )
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV MalwareBytes: Rogue.SecurityShield
AV Authentium: W32/FakeAlert.JH.gen!Eldorado
AV Frisk (f-prot): W32/FakeAlert.JH.gen!Eldorado
AV Ikarus: Packed.Win32.Krap
AV Emsisoft: Gen:Heur.Cridex.2
AV Zillya!: no_virus
AV Kaspersky: Packed.Win32.Krap.ic
AV Trend Micro: TROJ_FAKEAV.SMID
AV CAT (quickheal): FraudTool.Security
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV Padvish: no_virus
AV BullGuard: Gen:Heur.Cridex.2
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV ClamAV: no_virus
AV Dr. Web: Trojan.Fakealert.19447
AV F-Secure: Gen:Heur.Cridex.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\216715643.exe
Creates Process: "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1252 & ping -n 3 127.1 & del /f /q "C:\malware.exe" & start C:\Documents and Settings\Administrator\Local Settings\Application Data\216715~1.EXE -f
Creates Mutex: i'm here
Creates Mutex: DBWinMutex

Process
↳ "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1252 & ping -n 3 127.1 & del /f /q "C:\malware.exe" & start C:\Documents and Settings\Administrator\Local Settings\Application Data\216715~1.EXE -f

Creates Process: taskkill /f /pid 1252
Creates Process: ping -n 3 127.1
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\216715~1.EXE -f

Process
↳ taskkill /f /pid 1252

Creates File: PIPE\lsarpc

Process
↳ ping -n 3 127.1

Winsock DNS: 127.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\216715~1.EXE -f

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: i'm here
Winsock DNS: 209.59.237.91

Network Details:

HTTP GET: http://209.59.237.91/cb_soft.php?q=e65442bd2e2f76dfa6a18f9b9fd9f47d
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
HTTP GET: http://209.59.237.91/cb_soft.php?q=e65442bd2e2f76dfa6a18f9b9fd9f47d
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 209.59.237.91:80
Flows TCP: 192.168.1.1:1031 ➝ 209.59.237.91:80
Flows TCP: 192.168.1.1:1032 ➝ 209.59.237.91:80

Raw Pcap
0x00000000 (00000)   47455420 2f63625f 736f6674 2e706870   GET /cb_soft.php
0x00000010 (00016)   3f713d65 36353434 32626432 65326637   ?q=e65442bd2e2f7
0x00000020 (00032)   36646661 36613138 66396239 66643966   6dfa6a18f9b9fd9f
0x00000030 (00048)   34376420 48545450 2f312e31 0d0a5573   47d HTTP/1.1..Us
0x00000040 (00064)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000050 (00080)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000060 (00096)   653b204d 53494520 352e353b 2057696e   e; MSIE 5.5; Win
0x00000070 (00112)   646f7773 204e5420 352e3029 0d0a486f   dows NT 5.0)..Ho
0x00000080 (00128)   73743a20 3230392e 35392e32 33372e39   st: 209.59.237.9
0x00000090 (00144)   310d0a43 61636865 2d436f6e 74726f6c   1..Cache-Control
0x000000a0 (00160)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....
