Analysis Date: 2014-08-23 07:23:27
MD5: 6d9d22004ee89819ffee7f1483ce1f21
SHA1: 1bf7264942540317df4e9327a3565146ba709a3e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5cd187285c8ddfa7bb11f7a83ab6e970 sha1: 7f48b0ab11c7e14c6f722a890a9dc489cc5bd1f3 size: 21504
Section .rdata md5: abdb7ef71bd6cfba0a529a000f0261dc sha1: d912f7415fca8ca7eec1f0e1f915cac127794a2c size: 1536
Section .data md5: d885255991cee041399b1c6c2c8531cc sha1: 0bc2cf5869094cfe9826faf691e86715e27298fb size: 1024
Timestamp: 2012-02-20 14:51:37
Packer: Borland Delphi 3.0 (???)
PEhash: c918ed2865a26b38e9bf6a93e87ff7a4dd565c61
IMPhash: 4e57d91eeeb4c1385101a5aaf1537909

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\psmdylshwe ➝ C:\Documents and Settings\Administrator\psmdylshwe.exe
Registry HKEY_CURRENT_USER\software\microsoft\windows\currentversion\psmdylshwe ➝ NULL
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\psmdylshwe.exe
Creates Mutex psmdylshwe

Network Details:


Raw Pcap

Strings