Analysis Date: 2014-08-20 03:14:19
MD5: 21693eebec8f041bd08cdb46c99b7397
SHA1: 2303c633c64bf00b9cf60923a8c0cbf0353cf686

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 96f19965715a9b4a77290326ac9e545c sha1: 5c40f458dea04920bd36bd718a4eed9e52b9ff43 size: 4608
Section .data  md5: 5e210c11b9fe92358c4fa917043afda7 sha1: 0facd928697b3deed173c2149df0e2bc3e3a78a0 size: 7168
Section .idata md5: bdd6e11a11fffb3445806e7648a94008 sha1: 8d8b343a67cd2d91ec8e124914714cdc3cd4cc70 size: 1024
Section .rsrc  md5: 2d206b8f393c1844fd6fb61d74d40184 sha1: fd6b747a1d974c755bb891bfc7d7eff66104bf98 size: 5632
Timestamp (PE header compile time): 2005-05-22 14:12:56 — note: this is nine years before the analysis date; the PE timestamp field is set by whoever built the binary and is not a reliable indicator of when the sample was actually produced.
PEhash: 01d67f603db2e7d45bf3933c572d35a7e6760ea8
IMPhash: c5effa462f51432aeac8904668baca02
AV results (27 of 31 engines listed flag the sample; "no_virus" means no signature matched, not a clean verdict; family labels cluster on a Upatre/Waski downloader and on Zbot/Bublik):
AV 360 Safe: Trojan.GenericKD.1462753
AV Ad-Aware: Trojan.GenericKD.1462753
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Bublik.boim
AV Authentium: W32/Trojan.SCZK-3312
AV Avira (antivir): TR/Dldr.JQGV
AV CA (E-Trust Ino): Win32/Zbot.HSD
AV CAT (quickheal): TrojanDownloader.Upatre.A6
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: Trojan.GenericKD.1462753
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Agent.AFGR!tr
AV Frisk (f-prot): W32/Trojan3.GVH (exact)
AV F-Secure: Trojan.GenericKD.1462753
AV Grisoft (avg): Crypt2.CDKF
AV Ikarus: Trojan-Spy.Zbot
AV K7: Trojan ( 00491c461 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakePDF
AV Mcafee: PWSZbot-FOH!21693EEBEC8F
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.GenericKD.1462753
AV Norman: winpe/Upatre.TE
AV Rising: no_virus
AV Sophos: Troj/Agent-AFGR
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_BUBLIK.AAA
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Trojan.Bublik.Win32.12641

Runtime Details:

Screenshot

Process
↳ C:\malware.exe
  Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
  Creates File: PIPE\wkssvc
  Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"
  Creates Mutex: VideoRenderer
  Note: the sample writes a second executable (budha.exe) into the user's %TEMP% directory and launches it. No hash for the dropped file is recorded in this report; it should be collected and hashed separately, since it is the process that performs the network activity below.

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"
  Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
  Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
  Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
  Creates File: PIPE\lsarpc
  Creates File: \Device\Afd\Endpoint
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
  Creates Mutex: VideoRenderer
  Creates Mutex: WininetConnectionMutex
  Creates Mutex: c:!documents and settings!administrator!cookies!
  Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
  Winsock DNS: bestdatingsitesreview4u.com
  Note: the index.dat files, the "c:!...!" mutexes and WininetConnectionMutex are consistent with the dropped process using the WinINet/Internet Explorer stack for its outbound connection rather than sample-specific artefacts — treat them with caution as indicators. VideoRenderer appears in both processes and is the only mutex here that looks sample-specific; confirm against other samples before using it for detection.

Network Details:

DNS: bestdatingsitesreview4u.com
Type: A
54.240.252.19
Flows TCP: 192.168.1.1:1031 ➝ 54.240.252.19:443
Flows TCP: 192.168.1.1:1032 ➝ 54.240.252.19:443
Flows TCP: 192.168.1.1:1033 ➝ 54.240.252.19:443
Flows TCP: 192.168.1.1:1034 ➝ 54.240.252.19:443
Note: the domain is the durable indicator here; the resolved address was observed on the analysis date (2014-08-20) and should be re-checked before being used as a network IOC, since it may since have been reassigned. Four successive connections to port 443 from consecutive source ports, with no payload beyond the first bytes captured below, is all this run shows — the report does not establish what, if anything, was downloaded.

Raw Pcap (only the first few bytes of each flow were captured; the 0x80-prefixed length byte followed by 0x01 is consistent with an SSLv2-style CLIENT-HELLO record header, but too little data is present to confirm the protocol or recover any content)
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings (extracted from the binary; most entries below are packer/junk residue. Notable items: a set of embedded file paths including a WinRAR-style temp path "Rar$EX00" with an invoice-themed name "payment-history-n434543-434328745231.exe", which is consistent with delivery as an archived e-mail attachment; imported API names from kernel32/user32/Winmm/Msacm32; an mciSendString command string in mixed case; and an embedded application manifest requesting asInvoker, i.e. no elevation)
;
"011
011)
[.11
"1G"
:222)
!222
%222
2222
;225
2B221
>322
3222
4221
4221b
4222)%
422(O
45w:
6222
7225
7H22
b222
B222
b<2222F22
C:\81b289b53a564712c12979a9e9a4ff3113d1c734f2add10961218c797500d004
C:\_aAe2Ubm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.860\payment-history-n434543-434328745231.exe
C:\joqzqDkD.exe
C:\KTlJdrQu.exe
C:\PcsRxiHN.exe
C:\qPQ7RHAZ.exe
C:\tj2bmaoC.exe
C:\wN_EOgPn.exe
F222
F222%
G'a225
G;f225
H222
j/11
J222
J322
N222
O222
q.11
r>5w:
t>5w>
tB5w:
vV:`
vV>2
vV;2
vV@2
vV5v
vV7`
vV8e
vV9d
vV9s
vVE2
vV?t
W1A5w.3F8
W222
w.2222
w"2222
w*2222
w&2222
w.3222
w*3222
w&4322
Z222
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
%%____
0000000
00000000000000
1"t7.r
26)EEEEEEEEEEEEEEEEEEEEEEEEE
+2I_DEEEJ
2kEEEE
4e *<+
?5?5?5
5?55555
55@WEh
65F62F5?5??5?5h>
6EEEEEEEEEEEEEEEEEEEEEE
8EEEEEEEEEEEEEEEEEEEEEE
)-a6$wA
acmFilterChooseA
acmStreamOpen
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
ckkkk8kkEEEEEEEE
CloseHandle
CreateEventW
CreateWindowExA
DefWindowProcA
DeleteCriticalSection
-E8EEEEEEEEEEEEEE
EEE8/5[g
EEEEEE
EEEEEEE
EEEEEEE86e,<RkEEEEEEEE8S!
EEEEEEEEE
EEEEEEEEEEE
+*<EEEEEEEEEEEEE
=EEEEEEEEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
EEEEEEEEEEi.HEEE<(
EEEEEEi5@?oEEEEEEEEEEEEEEEEEEEEE
EEEkEEEEEEEi
EES	+ Ek<QYsYQY
EkEEEEEEEEcss8EE<
ExitProcess
FFhFFhFhhhhFh
FreeLibrary
fZ5555?5
GetLastError
GetMessageA
GetModuleHandleA
GetModuleHandleW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetProcAddress
GetTickCount
GetVolumeInformationW
GlobalLock
GlobalUnlock
HeapAlloc
HeapCreate
i<1@*5*5
.idata
InitializeCriticalSection
j,?*W$$f
k "\BkkkkkkkEEEEEEEEE
kernel32.dll
 kkEEEEEEEEEEEEEE
kkEEEkEEEkE)
kkk8k8k8kk9E
kkkE-`KBkkkk
kkkkkEEkEEEEHaa
kkkkkkk
kkkkkkkkkEk
kkkkkkkkkEkkk^TBEEEEEEEEEEEEEEEE
kkkkkkkkkkEER(T(REEEEEEEEEEEEEEE
kt"--nEkkkkkk
L		L(L	](]	]	]	]	]	]	]	]	]	(L#2
LoadCursorA
LoadIconA
LoadLibraryExA
lstrcpyW
mciSendStringA
+Mk.j)	8.B
Msacm32.dll
oPeN Bad.mp3 typE mPeGvideo aLIas myF
PostQuitMessage
QanEEEEEEEEEEEEEE
QdLEEk$
RegisterClassA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
Rkkkkk
    </security>
    <security>
SEEEEEEEEEEEEEEEEEEEEEEE
SetEvent
.s,*@ff?<EEEE
T} G# 
!This program cannot be run in DOS mode.
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TryEnterCriticalSection
user32.dll
VI(Z`(
WaitForMultipleObjects
*WE$8!$8.
@WE8<Z
Winmm.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
*y(o;+n
YYYYYY
+YYYYYYs+7I_IEEEEJ
,+Z*P\$