Analysis Date: 2013-08-23 17:51:38
MD5: b48b96bcb51b4b4461fe2a3fd02d02b4
SHA1: 242fa4dbfc2cf2a6a87963d1f461ede0ddd4b15c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9d64b6ac6eb1aa41e38f6cc8798b652e sha1: f4a3d9f95186a438562e94d405bfef3355c6cb1f size: 23552
Section .rdata: md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section .data: md5: af685ae5a632e08acd6c90a62cdfc3bb sha1: efc7ece496385ad53dda894ae310ffa90b2fc571 size: 1024
Section .ndata: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (no raw data on disk; the hashes are those of empty input)
Section .rsrc: md5: 8ac37b560836a72f29c2e8794d5253fd sha1: fab0536980f00bc14fbbe95bb3d5ceb1c33beb08 size: 16384
Timestamp (PE header): 2009-12-05 22:50:35
Packer: Nullsoft PiMP Stub -> SFX (NSIS installer stub)
PEhash: c3a88a2d82481b318e316e704c1841fa7c235f63
AV (avg): Win32/Heri

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝ revenuestreaming browser enhancer\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\AppDataLow\Software\{94C1BCC8-4F4A-D0BE-97F3-B67B231B005E}\aff_id ➝ revenuestreaming_4
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\xqlyeqdxyq\DisplayName ➝ Advanced Performance Platform Revenuestreaming.\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝ C:\WINDOWS\System32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\nsv4.tmp.dll"
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsv4.tmp.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp
Creates File: C:\WINDOWS\system32\xqlyeqdxyq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\System.dll
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp
Creates Process: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: revenuestreaming.net

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{30E7B485-2705-7529-3AA6-C604A4D8153C}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\get-your-job[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Shell.CMruPidlList
Winsock DNS: revenuestreaming.net

Process
↳ "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"

Registry: HKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝ revenuestreaming browser enhancer\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝ C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Global\afxOpenEvent1337

Network Details:

DNS: revenuestreaming.net (Type: A) ➝ 64.74.223.44
HTTP GET: http://revenuestreaming.net/bc/nsi_install.php?inst_result=success&aff_id=revenuestreaming_4&id=7d2c1ab9d1cfe00d7254c93d819c053475c383b2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://get-your-job.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 64.74.223.44:80
Flows TCP: 192.168.1.1:1034 ➝ 64.74.223.44:80
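The runtime and network sections above carry the persistence chain worth pulling out of reports like this one: the Run value fwovtriaczyfxhx first points regsvr32 /s at the NSIS temp DLL (nsv4.tmp.dll) and, inside the child regsvr32 process, is rewritten to the copy in system32 (tslgjhnnbbbqrsru.dll); the same CLSID {30E7B485-2705-7529-3AA6-C604A4D8153C} is registered under HKEY_CLASSES_ROOT\CLSID and as an Explorer Browser Helper Object; and the install callback to revenuestreaming.net carries the same aff_id that is written under HKEY_CURRENT_USER\Software\AppDataLow. The Python below is an added example, not the sandbox's own tooling and not code from the original page. It parses the report's line grammar into events, flags those persistence patterns, and collects blockable IOCs. The grammar it accepts is an assumption stated in its docstring, and SAMPLE is a constructed excerpt of the report above in the raw export form.

```python
"""Extract IOCs and persistence findings from a sandbox report in the line
grammar used above (added example, not the sandbox's own tooling).  Assumed
grammar: a field name followed by its value ("Creates File<path>" or "Creates
File: <path>"), "Registry<key> ➝ <data>" with the data on the same line or the
next one, and "↳ <image>" naming the process that owns the events after it."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an excerpt of the report above in the raw export form.
SAMPLE = r"""MD5b48b96bcb51b4b4461fe2a3fd02d02b4
↳ C:\malware.exe
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝
C:\WINDOWS\System32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\nsv4.tmp.dll"
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝
1
Creates FileC:\WINDOWS\system32\xqlyeqdxyq.exe
Creates Process"C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
↳ "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝
C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
Winsock DNSrevenuestreaming.net
HTTP GEThttp://revenuestreaming.net/bc/nsi_install.php?inst_result=success&aff_id=revenuestreaming_4&id=7d2c1ab9d1cfe00d7254c93d819c053475c383b2
Flows TCP192.168.1.1:1032 ➝ 64.74.223.44:80
"""

PREFIXES = ("Registry", "Creates File", "Deletes File", "Creates Process", "Creates Mutex",
            "Winsock DNS", "HTTP GET", "HTTP POST", "Flows TCP", "MD5", "SHA1")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
BHO_KEY = re.compile(r"Browser Helper Objects\\(\{[0-9A-F-]{36}\})", re.I)
CLSID = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
# "regsvr32 /s <dll>": silent COM registration, the DLL loader this sample persists with
REGSVR_DLL = re.compile(r'regsvr32(?:\.exe)?"?\s+/s\s+"?([^"]+\.dll)"?', re.I)


def parse_report(text):
    """Return (process, kind, value) events; Registry values are (key, data)."""
    events, proc, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if line.startswith("↳ "):
            proc = line[2:]
            continue
        prefix = next((p for p in PREFIXES if line.startswith(p)), None)
        if prefix is None:
            continue
        body = line[len(prefix):].lstrip(": ")
        if prefix == "Registry":                # "key ➝ data", or data on the next line
            key, _, data = body.partition("➝")
            if not data.strip():
                data = lines[i] if i < len(lines) else ""
                i += 1
            body = (key.strip(), data.strip())
        events.append((proc, prefix, body))
    return events


def persistence_findings(events):
    """Flag autorun values that load a DLL through regsvr32 /s, child regsvr32
    runs, BHO registration, and Run values whose target is later rewritten."""
    findings, run_targets = [], {}
    for _, kind, val in events:
        if kind == "Creates Process" and (m := REGSVR_DLL.search(val)):
            findings.append(f"child regsvr32 /s registers: {m.group(1)}")
        if kind != "Registry":
            continue
        key, data = val
        if m := RUN_KEY.search(key):
            name, dll = m.group(1), REGSVR_DLL.search(data)
            if dll:
                findings.append(f"autorun '{name}' loads DLL via regsvr32 /s: {dll.group(1)}")
            run_targets.setdefault(name, []).append(dll.group(1) if dll else data)
        if m := BHO_KEY.search(key):
            findings.append(f"BHO registered: {m.group(1)}")
    for name, targets in run_targets.items():
        if len(set(targets)) > 1:               # same value name, different payload path
            findings.append(f"autorun '{name}' rewritten: {' -> '.join(targets)}")
    return findings


def ioc_summary(events):
    """Collect hashes, domains, addresses, system32 drops, CLSIDs and decoded beacons."""
    iocs = {"hashes": [], "domains": set(), "ips": set(), "dropped": set(),
            "clsids": set(), "beacons": []}
    for _, kind, val in events:
        if kind in ("MD5", "SHA1"):
            iocs["hashes"].append((kind, val))
        elif kind == "Winsock DNS":
            iocs["domains"].add(val)
        elif kind == "Flows TCP":               # "src:port ➝ dst:port"
            iocs["ips"].add(val.split("➝")[1].strip().rsplit(":", 1)[0])
        elif kind == "Creates File" and "\\system32\\" in val.lower():
            iocs["dropped"].add(val)
        elif kind == "Registry":
            iocs["clsids"].update(CLSID.findall(val[0]))
        elif kind in ("HTTP GET", "HTTP POST"):
            u = urlsplit(val)
            iocs["domains"].add(u.hostname)
            iocs["beacons"].append({"method": kind.split()[1], "path": u.path,
                                    "query": {k: v[0] for k, v in parse_qs(u.query).items()}})
    return iocs
```

`persistence_findings(parse_report(SAMPLE))` returns five findings, including the rewritten autorun target, and `ioc_summary` returns the hashes, the domain, the 64.74.223.44 address, the system32 drop and the decoded callback query (inst_result, aff_id, id). The regsvr32 check keys only on the /s switch plus a .dll argument, so it also fires on legitimate silent registrations; treat it as a triage signal to be read together with the DLL path (a Temp or system32 path with a random name, as here) rather than as a verdict.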