Analysis Date: 2015-05-12 01:26:22
MD5: 00ae318d12d52b832ed0ca6de13316a3
SHA1: 2298ee8a7b211b2028236c1ead2ca15aa556f409

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: cac10d56c98368e8efaee0effce21119  sha1: 7940b2a415798271f65438d21c43e70fd3688ced  size: 5632
Section .rdata  md5: 9636aa3534158031e7acb79813de44ed  sha1: 92f15e3c03e23d3f36a0fa8576ddca13a2ba65d9  size: 4608
Section .data   md5: 8e995aecc1b37e1cff83598be17edd7b  sha1: f0f53638eb1f10e9635ebb411b0185e9a315f636  size: 1024
Section .rsrc   md5: 25bc697401fcd96b01305e4f51315fdb  sha1: f8b8bd7bcb9028182922220526d8e5a83416f45d  size: 13824
Section .reloc  md5: 8871a5ad053ae7d572fe3185b15ab0d7  sha1: 200b51333ede63de00e0b9f6880bd0e6c57acacb  size: 2560
Timestamp: 2011-05-10 23:13:32
PEhash: 75dda1e310fe2346600a27a50a8d7f79fa6bfdc4
IMPhash: abe419df550107c081fafd8ffe205844
AV Ad-Aware: Trojan.Agent.BHHS
AV Alwil (avast): Downloader-VQV [Trj]
AV Arcabit (arcavir): Trojan.Agent.BHHS
AV Authentium: W32/Trojan.NESF-4279
AV Avira (antivir): TR/Cabhot.A.95
AV BitDefender: Trojan.Agent.BHHS
AV BullGuard: Trojan.Agent.BHHS
AV CA (E-Trust Ino): Win32/Tnega.ZAMDQLD
AV CAT (quickheal): TrojanDownloader.Dalexis.A3
AV ClamAV: Win.Trojan.Agent-837624
AV Dr. Web: Trojan.DownLoad3.35539
AV Emsisoft: Trojan.Agent.BHHS
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): W32/Trojan3.NER
AV F-Secure: Trojan.Agent.BHHS
AV Grisoft (avg): Downloader.Agent.16.AA
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV K7: Trojan-Downloader ( 00499db21 )
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cbtj
AV MalwareBytes: Trojan.Email.FakeDoc
AV Mcafee: Ransom-CTB!00AE318D12D5
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis
AV MicroWorld (escan): Trojan.Agent.BHHS
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/Agent-ALFM
AV Symantec: Downloader.Ponik
AV Trend Micro: TROJ_DALEXIS.E
AV Twister: TrojanDldr.Elenoocka.A.joad
AV VirusBlokAda (vba32): TrojanDownloader.Cabby
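To confirm that a file on disk is the sample this report describes, re-derive the per-section MD5/SHA1, the section sizes and the COFF compile timestamp from the PE headers and compare them with the Static Details above. The following is an added example in Python, not code from the report or the sandbox; it assumes the report's per-section "size" is SizeOfRawData and that the hashes cover exactly those raw bytes. `build_minimal_pe` is a constructed PE32 skeleton for exercising the parser offline; it is not the sample and is not loadable.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Tuple

# Values copied from the Static Details of this report: (md5, sha1, SizeOfRawData).
EXPECTED_SECTIONS: Dict[str, Tuple[str, str, int]] = {
    ".text":  ("cac10d56c98368e8efaee0effce21119", "7940b2a415798271f65438d21c43e70fd3688ced", 5632),
    ".rdata": ("9636aa3534158031e7acb79813de44ed", "92f15e3c03e23d3f36a0fa8576ddca13a2ba65d9", 4608),
    ".data":  ("8e995aecc1b37e1cff83598be17edd7b", "f0f53638eb1f10e9635ebb411b0185e9a315f636", 1024),
    ".rsrc":  ("25bc697401fcd96b01305e4f51315fdb", "f8b8bd7bcb9028182922220526d8e5a83416f45d", 13824),
    ".reloc": ("8871a5ad053ae7d572fe3185b15ab0d7", "200b51333ede63de00e0b9f6880bd0e6c57acacb", 2560),
}
EXPECTED_TIMESTAMP = "2011-05-10 23:13:32"


class Section(NamedTuple):
    name: str
    raw_offset: int
    raw_size: int
    md5: str
    sha1: str


def format_timestamp(ts: int) -> str:
    """COFF TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Walk DOS header -> PE signature -> COFF header -> section table and hash
    each section's raw bytes (SizeOfRawData bytes at PointerToRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections: List[Section] = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {name!r} points outside the file")
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size,
                                hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()))
    return timestamp, sections


def verify_against_report(data: bytes) -> Dict[str, bool]:
    """One boolean per check: the compile timestamp and each listed section."""
    timestamp, sections = parse_pe(data)
    found = {s.name: s for s in sections}
    result = {"timestamp": format_timestamp(timestamp) == EXPECTED_TIMESTAMP}
    for name, (md5, sha1, size) in EXPECTED_SECTIONS.items():
        s = found.get(name)
        result[name] = s is not None and (s.md5, s.sha1, s.raw_size) == (md5, sha1, size)
    return result


def build_minimal_pe(sections: Dict[str, bytes], timestamp: int) -> bytes:
    """Constructed fixture (not the sample): just enough PE32 header for parse_pe.
    Raw data is laid out back to back; a real linker pads to FileAlignment."""
    opt_size = 224  # size of a PE32 optional header
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # 0x10B = PE32 magic
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(raw), 0x1000,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for check, ok in verify_against_report(fh.read()).items():
            print(f"{check:10s} {'match' if ok else 'MISMATCH'}")
```

Run it as `python verify_sample.py <file>`; every check prints `match` only for the exact file the report analysed. A recompiled or patched variant will keep most section hashes but change `.text` and usually the timestamp, which is why the timestamp is compared alongside the hashes rather than trusted on its own.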

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2298ee8a7b211b2028236c1ead2ca15aa556f409.rtf
Creates File: PIPE\wkssvc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_72093.cab
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Documents and Settings\Administrator\Local Settings\Temp\2298ee8a7b211b2028236c1ead2ca15aa556f409.rtf"
Creates Mutex: 56730099
Winsock DNS: windowsupdate.microsoft.com

Process
↳ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Documents and Settings\Administrator\Local Settings\Temp\2298ee8a7b211b2028236c1ead2ca15aa556f409.rtf"

Creates File: PIPE\lsarpc
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500MUTEX.DefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.58.221
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.221:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....
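The only network traffic in this run is a single bare `GET /` to windowsupdate.microsoft.com, which is what a downloader does to test for internet access before contacting its real host. The following added example (Python, not code from the report or the sandbox) rebuilds that request from the hexdump above, checks the dump's offset column while doing so, and applies the checks an analyst would run on it. The only assumption is the sandbox's OS family: the `C:\Documents and Settings` profile layout seen in the Runtime Details is the Windows 2000/XP/Server 2003 (NT 5.x) layout, so `observed_nt_major=5` is passed in; the User-Agent's "Windows NT 6.0" cannot have come from that host.

```python
import re
from typing import Dict, List, Tuple

# Hexdump copied from the "Raw Pcap" block of this report: the payload of the
# single TCP flow 192.168.1.1:1031 -> 134.170.58.221:80.
RAW_PCAP_DUMP = """\
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....
"""

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from the report's hexdump. The offset column is
    checked against the byte count so a dropped or duplicated line is caught."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("0x"):
            continue
        if int(parts[0], 16) != len(out):
            raise ValueError(f"offset {parts[0]} but {len(out)} bytes decoded so far")
        for tok in parts[2:]:
            if not HEX8.match(tok):
                break  # first token that is not 8 hex digits begins the ASCII column
            out.extend(bytes.fromhex(tok))
    return bytes(out)


def parse_http_request(payload: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split the request line and headers; header names are lower-cased."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def assess_beacon(payload: bytes, observed_nt_major: int) -> List[str]:
    """Heuristics for a connectivity-check beacon. observed_nt_major is the
    NT major version of the host that sent the request (an analyst input)."""
    method, target, _version, headers = parse_http_request(payload)
    findings: List[str] = []
    host = headers.get("host", "")
    if (method == "GET" and target == "/" and host.endswith("microsoft.com")
            and headers.get("connection", "").lower() == "close"):
        findings.append(f"bare GET / to {host} with Connection: close: consistent with an "
                        "internet-connectivity check, not a real update request")
    m = re.search(r"Windows NT (\d+)\.(\d+)", headers.get("user-agent", ""))
    if m and int(m.group(1)) != observed_nt_major:
        findings.append(f"User-Agent claims Windows NT {m.group(1)}.{m.group(2)} but the host "
                        f"runs NT {observed_nt_major}.x: the string is hard-coded, not taken from the OS")
    if not any(h in headers for h in ("accept", "accept-language", "accept-encoding")):
        findings.append("no Accept* headers: a browser request carries them, a minimal socket beacon does not")
    return findings


if __name__ == "__main__":
    for f in assess_beacon(hexdump_to_bytes(RAW_PCAP_DUMP), observed_nt_major=5):
        print("-", f)
```

The User-Agent mismatch is the durable indicator here: the host name is legitimate Microsoft infrastructure and will not appear on any blocklist, but a process that is not a browser sending a browser User-Agent for an OS version other than the one it runs on is worth a detection rule on the proxy regardless of destination.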


Strings
.5.. ...w{...]?..
 .._.0Gc4.H...b..pE..}&.2..a\.....viW...]....#........>l.$N
n.u"#_......"c.A-...b.'{.
..
0#0)0/050L0S0Z0_0d0j0
0 0*030:0>0K0Q0W0]0i0q0x0}0
:!:*:0:9:B:I:O:]:c:u:{:
1 1&111D1T1Y1_1m1v1}1
1%1.12181@1M1T1[1`1e1k1u1{1
2 2'2-21272B2U2^2e2j2o2u2
2!2'2-2A2H2N2U2Z2`2o2s2}2
3%3*30363<3C3H3N3X3_3e3i3o3u3
3!3(3-333@3O3V3[3a3g3s3w3}3
;);.;3;9;?;T;Z;a;f;k;q;
4%4+42494>4C4I4Z4`4f4s4w4}4
4%4:4E4L4Q4V4\4k4q4x4~4
<%<+</<4<=<V<]<d<i<n<t<
5(5.555:5?5E5S5Y5_5c5o5u5{5
555<5A5G5U5Y5a5g5m5
=(=/=5=9=?=M=S=`=f=m=t={=
6#61686>6I6O6U6^6c6m6v6}6
7#7*717L7R7Y7^7d7n7t7~7
>!>*>.>7>D>Y>a>f>l>{>
9)9.949:9@9F9J9Y9a9f9m9r9x9}9
AHfvsJbRcHyZE
AlphaBlend
b7}	*q
CloseHandle
Cuq|M1l2i
Cuq|M1l2i]-j
@.data
DllInitialize
?%?.?=?D?M?R?X?a?i?q?v?}?
d`.pZ|,F#z\q5Sk6K
Fr}mc3t
GetBinaryTypeA
GetComputerNameA
GetConsoleAliasW
GetCurrentProcess
GetEnvironmentVariableA
GetGeoInfoA
GetLongPathNameA
GetPrivateProfileStructW
GetProcAddress
GetProcessId
GetStringTypeA
GetTimeFormatA
GradientFill
HeapValidate
HVNo#3+7fP`<2
IScOlQYELb
jR\*q;nR#do
kernel32.DLL
KERNEL32.dll
klospad.pdb
LoadLibraryA
lstrcpynA
mKl|H&2n
msimg32.dll
"-n*7!O
nddeapi.dll
NDdeShareAddA
NDdeShareEnumA
NDdeShareSetInfoA
owSggfaMvWvpxTgu
PathCompactPathA
pJ}`>3L
QSrP	Uf
R0HZ7B
RAbs0`
`.rdata
ReadConsoleA
@.reloc
RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
rZ}p6y
SetEnvironmentVariableW
SHLWAPI.dll
sVEKNJTTU
!This program cannot be run in DOS mode.
TransparentBlt
UpdateResourceA
UrlCanonicalizeA
UrlCombineA
UrlCompareA
UrlCreateFromPathA
UrlEscapeA
UrlGetLocationA
UrlHashA
UrlIsA
UrlIsNoHistoryW
UrlIsOpaqueA
UrlUnescapeA
uSJjW5
~\@UvT
veQaNHHu
VirtualAllocEx
WaitForSingleObject
WTSAPI32.dll
WTSEnumerateProcessesA
WTSFreeMemory
WTSLogoffSession
WTSOpenServerW
WTSQuerySessionInformationA
WTSQueryUserToken
WTSRegisterSessionNotification
WTSSendMessageA
WTSSetUserConfigW
WTSUnRegisterSessionNotification
WTSVirtualChannelClose
WTSVirtualChannelPurgeInput
WTSVirtualChannelRead
WTSVirtualChannelWrite
-yH&//.