Analysis Date: 2013-12-26 15:54:04
MD5: 17d2f8a4402e629ec161ba4783016a28
SHA1: 289e56c7a55dcf39a64757dac9012ffb68f55bf4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9ecdf803865f3e1fbe6b9f6b7b7e751a sha1: e238cec8321514d00bfa5c02a96a430e774b8cc0 size: 1536
Timestamp: 2004-07-31 09:14:47
PEhash: c13a7d02f19c778670004fcf3222fb6a215d8616
AV avira: TR/Downloader.Gen
AV avg: Proxy.10.AQ
AV mcafee: Proxy-Mitglieder
AV msse: TrojanDownloader:Win32/Small.N

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: www.die-cliquee.de
Winsock URL: http://www.die-cliquee.de/get.php

Network Details:

DNS: www.die-cliquee.de
Type: A
Answer: 80.67.17.151
HTTP GET: http://www.die-cliquee.de/get.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 80.67.17.151:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 2e706870 20485454   GET /get.php HTT
0x00000010 (00016)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000020 (00032)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000030 (00048)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000040 (00064)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000050 (00080)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000060 (00096)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000070 (00112)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000080 (00128)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x00000090 (00144)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000a0 (00160)   743a2077 77772e64 69652d63 6c697175   t: www.die-cliqu
0x000000b0 (00176)   65652e64 650d0a43 6f6e6e65 6374696f   ee.de..Connectio
0x000000c0 (00192)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x000000d0 (00208)   0a                                    .
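
The raw pcap above is the only request the sample sends, and its layout (hex offset, decimal offset, four 4-byte hex columns, ASCII gutter) is what you get from most sandbox reports. As an added example that is not part of the report, the Python below rebuilds the payload from that dump, checks the offset column so a dropped line is noticed, parses the HTTP request and matches it against indicators taken from the page (host, path, User-Agent). The dump text is copied from the report; the `IOCS` dict, function names and offset check are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed input for this example: the "Raw Pcap" hex dump copied from the
# report (offset, decimal offset, four 4-byte hex columns, ASCII gutter).
RAW_PCAP_DUMP = """\
0x00000000 (00000)   47455420 2f676574 2e706870 20485454   GET /get.php HTT
0x00000010 (00016)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000020 (00032)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000030 (00048)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000040 (00064)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000050 (00080)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000060 (00096)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000070 (00112)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000080 (00128)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x00000090 (00144)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000a0 (00160)   743a2077 77772e64 69652d63 6c697175   t: www.die-cliqu
0x000000b0 (00176)   65652e64 650d0a43 6f6e6e65 6374696f   ee.de..Connectio
0x000000c0 (00192)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x000000d0 (00208)   0a                                    .
"""

# Indicators taken from the report: the C2 host, the URL path and the exact
# User-Agent string the sample sends. The dict itself is this example's own.
IOCS = {
    "host": "www.die-cliquee.de",
    "path": "/get.php",
    "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
}

# Hex groups are separated by single spaces; the ASCII gutter is separated
# from them by at least two, which is what stops the group capture.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s{2,}((?:[0-9a-fA-F]{2,8}(?: |$))+)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from the hex columns only; the ASCII gutter renders
    non-printables as '.' and must not be trusted. The offset column is checked
    against the running length so a dropped or duplicated line is caught."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = DUMP_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable hex dump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:x} does not follow 0x{len(out):x}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_http_request(payload: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, version, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by CRLFCRLF")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def match_iocs(payload: bytes, iocs: Dict[str, str] = IOCS) -> List[str]:
    """Return the names of the report's indicators that this request matches."""
    _method, target, _version, headers = parse_http_request(payload)
    hits: List[str] = []
    if headers.get("host", "").lower() == iocs["host"]:
        hits.append("host")
    if target.split("?", 1)[0] == iocs["path"]:
        hits.append("path")
    if headers.get("user-agent") == iocs["user-agent"]:
        hits.append("user-agent")
    return hits


if __name__ == "__main__":
    request = hexdump_to_bytes(RAW_PCAP_DUMP)
    print(len(request), "bytes;", match_iocs(request))
```

Matching the User-Agent exactly is deliberate: the string is a stock MSIE 6 UA, so on its own it is weak, but combined with the host and the `/get.php` path it distinguishes this beacon from ordinary browser traffic of the period.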


Strings
accept
advapi32.dll
closesocket
CreateThread
DownloaderFirstRu2
ExitProcess
GetTickCount
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
http://www.die-cliquee.de/get.php
kernel32.dll
listen
RegCloseKey
RegCreateKeyA
RegQueryValueExA
RegSetValueExA
SHELL32.dll
ShellExecuteA
shlwapi.dll
%s\%lu.exe
socket
Software\Firwes
!This program cannot be run in DOS mode.
URLDownloadToFileA
urlmon.dll
user32.dll
WSAStartup
wsock32.dll
wsprintfA
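
The import and string list above is the usual signature of a small urlmon downloader: URLDownloadToFileA to fetch, a `%s\%lu.exe` format string plus GetWindowsDirectoryA and GetTickCount to name the dropped file, ShellExecuteA to run it, and RegCreateKeyA/RegSetValueExA against a `Software\Firwes` key. The listen/accept imports line up with the Proxy.* family names the AV engines assign. As an added example that is not part of the report, the Python below does the string-level triage an analyst would script for a batch of such samples: a `strings`-style extractor, a couple of all-of-these-present rules, and indicator pull-out. The `SAMPLE_BLOB` is a constructed stand-in that only carries the report's strings, not the real binary; the rules and the reading of `%s\%lu.exe` as a numeric file name under the Windows directory are this example's own inference, not something the report states.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed stand-in for the sample: a byte blob carrying the strings listed
# in the report, separated by NULs and padded with filler. It is not the real
# binary and has no PE structure; it only exercises the string triage below.
SAMPLE_BLOB = b"\x00" * 16 + b"\x00".join([
    b"!This program cannot be run in DOS mode.",
    b"urlmon.dll", b"URLDownloadToFileA",
    b"SHELL32.dll", b"ShellExecuteA",
    b"kernel32.dll", b"GetWindowsDirectoryA", b"GetTickCount", b"CreateThread",
    b"advapi32.dll", b"RegCreateKeyA", b"RegSetValueExA", b"RegQueryValueExA",
    b"Software\\Firwes", b"DownloaderFirstRu2",
    b"%s\\%lu.exe",
    b"http://www.die-cliquee.de/get.php",
    b"wsock32.dll", b"WSAStartup", b"socket", b"listen", b"accept",
]) + b"\xff" * 8


class Rule(NamedTuple):
    name: str
    required: List[str]  # every string must be present for the rule to fire
    note: str


# Hypothetical triage rules written for this example. The first encodes the
# urlmon-download-then-ShellExecute pattern; its third string is the file-name
# format that, together with GetWindowsDirectoryA and GetTickCount, suggests
# (an inference, not a statement from the report) a numeric name under the
# Windows directory.
RULES = [
    Rule("small_downloader_urlmon_shellexecute",
         ["URLDownloadToFileA", "ShellExecuteA", "%s\\%lu.exe"],
         "downloads a file with urlmon and launches it via ShellExecuteA"),
    Rule("registry_marker_Firwes",
         ["RegCreateKeyA", "RegSetValueExA", "Software\\Firwes"],
         "creates and writes a Software\\Firwes registry key"),
]

# Server-side socket calls; their presence is what the Proxy.* AV names hint at.
LISTENER_APIS = {"bind", "listen", "accept"}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n <min_len>` for printable ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(blob: bytes) -> Dict[str, object]:
    """Run the rules and pull out the indicators an analyst wants first:
    embedded URLs, registry paths and server-side socket APIs."""
    seen = set(extract_strings(blob))
    return {
        "rules": [r.name for r in RULES if all(s in seen for s in r.required)],
        "urls": sorted(s for s in seen if s.startswith(("http://", "https://"))),
        "registry_paths": sorted(s for s in seen if s.startswith("Software\\")),
        "listener_apis": sorted(s for s in seen if s in LISTENER_APIS),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

String triage of this kind only works on an unpacked image, which is why the `.text` section hash and size from the static details are worth recording alongside the result: a packed variant of the same family will carry none of these strings in its file image and has to be dumped from memory first.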