Analysis Date: 2014-02-20 15:34:20
MD5: 4b9682fe146bd3a175249b35931015b3
SHA1: 21c551decb3086b31190ba2f839700a046ffe529

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 164a2eafb761e46ad6ea869ae63260b5  sha1: 5b446cdb74e0a94e3febececa610644c18266ce5  size: 16384
Section .rdata  md5: f05abe27b8d714584207b78c2d7123d7  sha1: 9dc42518151ed90cfd08641eeecea7eee9d7d2bc  size: 8192
Section .data   md5: 731c6a7ca10b6f64428ff64d782b108e  sha1: 43e956911212772c0e6a802cae22ec6e30b169ad  size: 163840
Section .rsrc   md5: 2c0048ff837058eec59a14a737843838  sha1: b6210d9f34d965ff6888ebbe639f3ec5ab999325  size: 49152
Timestamp: 2012-05-09 03:24:26 (PE header TimeDateStamp, set by the builder and not independently verified)
Pdb path: d:\work\Plug3.0(Gf)\Shell6\Release\Shell6.pdb
Packer: Microsoft Visual C++ 7.0 (a compiler signature match, not a packer)
PEhash: ff394313a0fb642f6bb13b631a5b6b63db8fa8f0
IMPhash: 8bd0afcba5d7878312f3898cb860f4f8
AV avg: Generic28.BCNO.dropper
AV avira: TR/Crypt.ZPACK.Gen2
AV msse: Backdoor:Win32/Plugx.A
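The Section rows above are md5/sha1 digests over each section's raw file bytes (SizeOfRawData), and Timestamp is the COFF TimeDateStamp, which the build tool writes and an attacker can set freely. The following is an added example written for this page, not output of the sandbox that produced the report: it parses those headers with the standard library only and reproduces the Section and Timestamp rows. Because the sample itself is not reproduced here, it assembles a small synthetic PE32 in memory as its input; build_minimal_pe and static_details are names chosen for this example. It also records how many bytes were actually hashed, so a section header that claims more data than the file holds (truncated or crafted sample) is visible instead of silently producing a hash over a short buffer.

```python
import datetime
import hashlib
import struct

FILE_ALIGN = 0x200  # FileAlignment of the constructed image below


def build_minimal_pe(sections, timestamp):
    """Assemble a minimal PE32 image in memory.

    Constructed test input for this example only; it is not the analysed sample.
    `sections` is a list of (name, raw_bytes); each raw block is padded to
    FILE_ALIGN the way a linker pads SizeOfRawData.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    size_opt = 224  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)  # FileAlignment

    headers_len = e_lfanew + 4 + len(coff) + size_opt + 40 * len(sections)
    raw_ptr = -(-headers_len // FILE_ALIGN) * FILE_ALIGN  # first section on an alignment boundary
    table, body, va = b"", b"", 0x1000
    for name, raw in sections:
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), va,
                             len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        va += -(-max(len(raw), 1) // 0x1000) * 0x1000
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (-len(headers) % FILE_ALIGN) + body


def static_details(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    hash each section's raw bytes the way the report's Section rows do."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsec, ts, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    sec_off = e_lfanew + 24 + size_opt
    if sec_off + 40 * nsec > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]  # may be shorter than raw_size
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,            # SizeOfRawData as the header claims it
            "hashed_bytes": len(raw),    # what was really there to hash
        })
    return {
        "machine": machine,
        "pe32": magic == 0x10B,
        "timestamp": datetime.datetime.fromtimestamp(
            ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


if __name__ == "__main__":
    # 1336533866 is the report's Timestamp (2012-05-09 03:24:26 UTC) as a Unix epoch.
    image = build_minimal_pe([(".text", b"\x90" * 100), (".data", b"A" * 700)], 1336533866)
    details = static_details(image)
    print("Timestamp:", details["timestamp"])
    for s in details["sections"]:
        flag = "" if s["hashed_bytes"] == s["size"] else "  (TRUNCATED)"
        print(f"Section {s['name']:<7} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}{flag}")
```

Run against a real file by replacing `image` with `open(path, "rb").read()`. The digests a different tool reports can legitimately differ if it hashes VirtualSize bytes or the mapped image instead of SizeOfRawData bytes, so when comparing section hashes across tools check which of the two they use.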

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\Gf\boot.ldr
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Gf\NvSmartMax.dll
Creates File: C:\Documents and Settings\All Users\Gf\NvSmart.exe
Creates Mutex: DoInstPrepare
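The three files written to C:\Documents and Settings\All Users\Gf are the DLL side-loading layout documented for PlugX: a legitimately signed host executable (NvSmart.exe) that loads a DLL of a name it trusts (NvSmartMax.dll) from its own directory, with the encoded payload beside them (boot.ldr). PIPE\lsarpc is the LSA RPC named pipe the process opened, not a dropped file. The rule below is an added example written for this page, not part of the report or of any sandbox product: it groups the file-creation events above by directory and flags a directory that receives an .exe, a .dll sharing the executable's name stem, and a further payload file. The shared-stem heuristic, the confidence labels and the one constructed negative-control event are choices made for the example.

```python
import ntpath
from collections import defaultdict

# Events copied from the Runtime Details above, plus one constructed
# negative-control drop in a directory that should not trigger the rule.
EVENTS = [
    ("Creates File", r"C:\Documents and Settings\All Users\Gf\boot.ldr"),
    ("Creates File", r"PIPE\lsarpc"),
    ("Creates File", r"C:\Documents and Settings\All Users\Gf\NvSmartMax.dll"),
    ("Creates File", r"C:\Documents and Settings\All Users\Gf\NvSmart.exe"),
    ("Creates Mutex", "DoInstPrepare"),
    ("Creates File", r"C:\WINDOWS\Temp\notes.txt"),  # constructed, not from the report
]

LOADER_EXT = (".exe",)
DLL_EXT = (".dll",)


def dropped_files(events):
    """Group file-creation paths by (lower-cased) directory.

    Paths without a drive letter, such as PIPE\\lsarpc, are named pipes or
    device objects rather than files on disk and are skipped.
    """
    by_dir = defaultdict(list)
    for kind, value in events:
        if kind != "Creates File":
            continue
        drive, _ = ntpath.splitdrive(value)
        if not drive:
            continue
        by_dir[ntpath.dirname(value).lower()].append(ntpath.basename(value))
    return by_dir


def sideload_triads(events):
    """Flag directories that receive a loader .exe plus a .dll (and payload).

    high:   the DLL's name starts with the executable's stem
            (NvSmart.exe -> NvSmartMax.dll), and a non-PE payload was dropped too
    medium: exe + unrelated dll + payload in the same directory
    An exe and dll alone with no shared stem is not reported.
    """
    findings = []
    for directory, names in dropped_files(events).items():
        exes = [n for n in names if n.lower().endswith(LOADER_EXT)]
        dlls = [n for n in names if n.lower().endswith(DLL_EXT)]
        others = [n for n in names if not n.lower().endswith(LOADER_EXT + DLL_EXT)]
        for exe in exes:
            stem = ntpath.splitext(exe)[0].lower()
            for dll in dlls:
                shared_stem = ntpath.splitext(dll)[0].lower().startswith(stem)
                if not shared_stem and not others:
                    continue
                findings.append({
                    "dir": directory,
                    "exe": exe,
                    "dll": dll,
                    "payloads": others,
                    "confidence": "high" if shared_stem and others else "medium",
                })
    return findings


def mutexes(events):
    """Mutex names the process created; useful as a secondary indicator."""
    return [value for kind, value in events if kind == "Creates Mutex"]


if __name__ == "__main__":
    for f in sideload_triads(EVENTS):
        print(f"[{f['confidence']}] {f['dir']}: {f['exe']} loads {f['dll']}, payload {f['payloads']}")
    print("mutexes:", mutexes(EVENTS))
```

The rule only sees what the sandbox logged; it does not confirm that NvSmart.exe actually imports a DLL by that name, that it is signed, or that boot.ldr is consumed by the DLL. Those are the next checks on the dropped files themselves (import table of the .exe, Authenticode verification, and entropy of the .ldr), and a host rule should additionally treat the Gf directory under All Users as a writable, non-standard location.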

Network Details:


Raw Pcap

Strings
\
.
 
I
.
.
[B
.
.
.
.*
...
.
&
.E
.
9
O

(&A)...
Copyright (C) 2012
(&F)
                                 H
         (((((                  H
(&H)
         h((((                  H
jjjj
Shell6
SHELL6
Shell6 Version 1.0
	System
(&X)
`/<~]^
01M;xW-
030806000000Z
0])=?5
.*@09 
090619000000Z
0"E-'n
+0F_/M
0N~jz@
0VqPgY
<;#$	1
110619235959Z0w1
?\11za
12T-"o
130805235959Z0U1
1_93,z
1}EnQqm
201231235959Z0
20Z^%}=
!26VYLS
;3b8`fk
"3S8Jj
3;:.>w:
4&41gqC~-
)4b7rF
^`4k9I	
4<SBa-*jjm
4?{:S%@X
50K>n\
52tLc*
5qdhG9
63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:
'6:LGr
6oA2(n|e
7D8~`L&=
7k[St_)
8'AES	;Aa
	"8F9Ln
>@8^.O
8R	j!E
960801000000Z
9GY)by
9JfM~>
(9kaVrp
!9lc!f
9q*9_D
-9S0VU
9tdl-T$
a0M[x2
'>;_\a2
A{85/&
aAZS]=:k
A buffer overrun has been detected which has corrupted the program's
-]##ad
a'JFTp
a@<";o
;A	,O!
a](Pun
a@Qp3R
A security error of unknown cause has been detected which has
A-.[V0
A@v+X!
Ay1<>|
~b		0{}i9[
_b3M{qv
B7#u\ t
BeginPaint
%Bm:v6B
b_Rp{uV
Buffer overrun detected!
bU!KW+
c0v')2
C3fWq-c
Ca(al{
}Ca	Fr
	Cape Town1
Certification Services Division1!0
cGg%#3
cGm(i>
CM'j,i
cMPGM66
continue execution and must now be terminated.
CorExitProcess
corrupted the program's internal state.  The program cannot safely
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CreateWindowExA
CWN%+>
^,)cYN
cyYM$WU
@(D1_p/
D	2[$_p
D.~=5c_
@.data
DefWindowProcA
De[+pD
DestroyWindow
d[[hjf
D$HRQh
DialogBoxParamA
DispatchMessageA
d _leD/
D$LRQP
DOMAIN error
dR-D<3
drGh||
D>_`}u
DuER*X
DU VTk
d:\work\Plug3.0(Gf)\Shell6\Release\Shell6.pdb
'eLhC)
EndDialog
EndPaint
En{>\Tl
eQCfHgd5
@E,?sB$
e&_\sS
E{}.Ti
ExitProcess
^;<_?F
&!F]d<
f@hC=[_
- floating point not loaded
F'*#Oz
FreeEnvironmentStringsA
FreeEnvironmentStringsW
(f$rV	 k.j
Fu$jNY
=#f&%W
fxPfad
(g0ArL
G25'(iP
g@6 Ir
GaY}h<P
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
Geumcheon-gu1
?\GHin
;G;jf:
*@g-KflD-
g^p(rR
GY5MM}
h01KS+
H4sXy<
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
hH~}+&. 
hh)C\9d
 #HPP\
htDHt%
;H+tg$v
-http://crl.thawte.com/ThawteCodeSigningCA.crl0
/http://crl.thawte.com/ThawtePremiumServerCA.crl0
http://ocsp.thawte.com0
hU/>Ik
I3')+*+)))*))()*+++,6J!54 CBA
i46Rmq
:I/d>z
'ieA=oH
I(EcQ4
\iHvh4
ikiXUm
InterlockedExchange
internal state.  The program cannot safely continue execution and must
" 	iQ*
IqL P;*
iRn[X%$
I.UOu31
i`UQ{X
IX`0|h
iZFL1e
J0YIw	
J3":!&
J.9`9%
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
jfTu5O)	
?:&+JHH|
JHHGGGGGGGGHI
j`hXQ@
)jiEUr
J.ify=
JJIIIIJIIIIJJ
 ?%j{ %L
jMfYt#
j,Q#PZ
Jr,pHY/
j%#Wk{jV
jYPQTVTSkllZTTXRTUiHceWda/
K+5H.kO
 _k5|y
K*amP-]
kC?P)4\
KERNEL32.dll
.=kff$A5
Kjp	uY
K@NxT.
k?O]Y@
kpFQ}>
k+^((:Z
LCMapStringA
LCMapStringW
'l=e75
L|eZmK
`Lgw<CCD;
/l%i~3&
:l`Ie2
Li@,u1s
l';L8	>
LoadAcceleratorsA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
"Lp>Umh
)#lsD_
lSSlR\
?lW=FEA
lZAv|S
.l<z}b
!M7:JJ
m8'vE~
ma&BFI
MessageBoxA
MGAME Corp.0
MGAME Corp.1
Microsoft Visual C++ Runtime Library
|mj,%q
mKPxg02lj
MnD&nt
<mqO}9
mscoree.dll
MT;-~l
MultiByteToWideChar
M-X,B(
MyoCfS
m#[yxo|
!"M|'ZJ
*N3atz+
Nas{*M
`nBpOC
)Nedc	
nH&t4E)
(>nIk3
N/_ju.4H
nk*P'n
nlVIa3
no5m,j
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
now be terminated.
NS$^&lE
-NS::p
Nw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
o`0h:Z;;
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
O(@>=77A779?<8;$O' 
<OHcpv\
O%JEEEEEEEEEFFB
~'!OKm0
om)C[[V
omcw8+
"oNT`K
=oqu//R
O%s~tt
ouj_E$C@
	|o{~v
oZM\5]N(
=(p5_O
p8R3{5~@"
P`B`(Y
P )J^n
Please contact the application's support team for more information.
PM.$O>
PostQuitMessage
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
$p{Q2Y
premium-server@thawte.com0
PrivateLabel2-1440
Program: 
<program name unknown>
- pure virtual function call
pwwwwwwww
pwwwwwwwwwwwwwwwp
pxDDDDDDDDD@
pxDDDDDDDDDDDDDDpx
pxDDDDDDDDDH
pxDDDDDDpx
pxwwwwwwpxDDD
pxwwwwwwwwwwwwwxpx
	Q))C=@
;qN-[Z
}>qooggggggg1`_fhsnHK
QP:nt@vk
+|Q>qJ~
QQSVW3
q@rltz
QSVWj@h
qT]jX0
QueryPerformanceCounter
%,r`0+h
R9D*+#
<.RAeW
r{cgEA\8
r?&>|D
`.rdata
RegisterClassExA
$<RH{>K
roz?3"
"Rr|> 
RtlUnwind
runtime error 
Runtime Error!
.Rys"I
s1oi$`F
S7OV95
SAS(fS
Seoul1
SetHandleCount
ShowWindow
SING error
S(>l_)~>
_SQr=gT
s'U]4D!
}%SW"X
sX.$]%
@]<!T~
"t1BW1
t2WWVPVSW
T\9.X.
ta~7R^
TEng.k<:K
TerminateProcess
T@Gx,0
Thawte Code Signing CA
Thawte Code Signing CA0
Thawte Consulting cc1(0&
Thawte Consulting (Pty) Ltd.1
Thawte Premium Server CA1(0&
- This application cannot run using the active version of the Microsoft .NET Runtime
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
tjNV2C
TLOSS error
]}t|Qc
tR1)klZht-
TranslateAcceleratorA
TranslateMessage
~&-t-rY
t!SS9]
t#SSUP
t.;t$$t(
t$<"u	3
t$$VSS
-U1l	$
u^gaQrN
U]H$@9
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
Unknown security failure detected!
UpdateWindow
U.PE[Jr
user32.dll
USER32.dll
uS`<}z
uuJJs 
uxz"#z
=u)^>y
UYG7[|
VA(L:m
VC20XC00U
vDHy@,
/^*vHmJ
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
`/Vo2V
vPVP	|c&,
Vu&w"uQ
v~z`g>
VzGXNsh
w+1Wp/2
Web Dev Team1
Western Cape1
wf.('4
]wF=e5
w+gXo@
WideCharToMultiByte
WkV21TSav^8{
w}";qzbT
WriteFile
ww 2Gpm
wW`Q1J#
WWWWVSW
wwwwwwwpx
wwwwwwwwwwwwwwwpx
W!:X*KtS
:!x1JX
x`^^n7c"w6~
[$^x?qQP
`xR($]
+y1^-Y
YC%`M@
{YEMQ1
y.gt%A
yJg?>l
Y Ksj&
yL/`cd
YMU{}2[
yQrxE`
{|yvrrwsqpon
_^][YY
=YYTX_
yZt.Jo
^|Yz>z~=$
Z2w^-.
z8Qp'4y
ZA1%0#
`z	AIk
zCC{:S
>]ze1p
z_|_EA
z ,fs;
Zf '#w
zG}?%k
>?zK64/
zuRfBG
}zy|yx~
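Among the noise above, several strings are worth more than a glance: the Thawte CRL and OCSP URLs, "Thawte Code Signing CA", "Thawte Premium Server CA", "MGAME Corp." with a Seoul / Geumcheon-gu address, and six strings of the form 030806000000Z, 090619000000Z, 110619235959Z0w1, 130805235959Z0U1, 201231235959Z0 and 960801000000Z. Together these are the embedded Authenticode certificate chain, and the digit strings are ASN.1 UTCTime validity dates (YYMMDDHHMMSSZ, with the trailing 0w1 / 0U1 being the next DER bytes that `strings` ran together). Because the dump is sorted alphabetically, which notBefore belongs with which notAfter is not recoverable from it; the pairing used below (2009-06-19 to 2011-06-19 as a two-year leaf lifetime, 2003-08-06 to 2013-08-05 as the Thawte Code Signing CA) is an inference and should be confirmed by parsing the WIN_CERTIFICATE blob. The added example that follows is editor's code, not part of the report: it decodes the UTCTime strings and checks where the PE Timestamp (2012-05-09 03:24:26) falls relative to the supplied windows. If the pairing is right, the leaf certificate had already expired when the binary was built, so the signature could only still verify if it carries a trusted countersignature timestamp, and that is the thing to check next with signtool or osslsigncode rather than trusting either the PE timestamp or the signer name.

```python
import datetime
import re

# Lines copied from the Strings section above; the non-date lines are kept
# to show that only well-formed UTCTime values are picked up.
STRINGS = [
    "030806000000Z", "0])=?5", "090619000000Z", "110619235959Z0w1",
    "130805235959Z0U1", "201231235959Z0", "960801000000Z", '12T-"o',
    "Thawte Code Signing CA", "MGAME Corp.0", "http://ocsp.thawte.com0",
]

# The report's Timestamp row, as a timezone-aware datetime.
COMPILE_TS = datetime.datetime(2012, 5, 9, 3, 24, 26, tzinfo=datetime.timezone.utc)

UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def decode_utctime(s):
    """Decode an ASN.1 UTCTime prefix (YYMMDDHHMMSSZ) from a strings line.

    Trailing DER bytes that `strings` appended (e.g. '0w1') are ignored.
    Per RFC 5280, YY >= 50 means 19YY and YY < 50 means 20YY. Digit runs
    that do not form a real date return None rather than raising.
    """
    m = UTCTIME.match(s)
    if not m:
        return None
    yy, mo, d, h, mi, sec = (int(x) for x in m.groups())
    year = 1900 + yy if yy >= 50 else 2000 + yy
    try:
        return datetime.datetime(year, mo, d, h, mi, sec, tzinfo=datetime.timezone.utc)
    except ValueError:
        return None


def utctimes_in(lines):
    """All decodable UTCTime values in a strings dump, oldest first."""
    return sorted(t for t in map(decode_utctime, lines) if t is not None)


def in_window(ts, not_before, not_after):
    return not_before <= ts <= not_after


def validity_report(lines, compile_ts, windows):
    """For each analyst-supplied (notBefore, notAfter) pair, report whether
    both ends appear in the dump and whether the compile timestamp lies inside.

    The pairing itself is an input: a sorted strings dump cannot tell which
    notAfter goes with which notBefore, so take it from the parsed
    certificate chain, or treat it as an assumption as this example does.
    """
    seen = set(utctimes_in(lines))
    return [{
        "window": (nb.date().isoformat(), na.date().isoformat()),
        "both_seen": nb in seen and na in seen,
        "contains_compile_ts": in_window(compile_ts, nb, na),
    } for nb, na in windows]


if __name__ == "__main__":
    for t in utctimes_in(STRINGS):
        print("UTCTime:", t.isoformat())
    # Assumed pairing (see lead-in): two-year leaf, ten-year intermediate CA.
    leaf = (decode_utctime("090619000000Z"), decode_utctime("110619235959Z0w1"))
    ca = (decode_utctime("030806000000Z"), decode_utctime("130805235959Z0U1"))
    for row in validity_report(STRINGS, COMPILE_TS, [leaf, ca]):
        print(row)
```

GeneralizedTime (YYYYMMDDHHMMSSZ) is used for dates from 2050 on and would not match this regex; add a second pattern if a chain with such a notAfter turns up.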