Analysis Date: 2014-04-23 06:57:37
MD5: 8e5bbd08f8e103c3c9e62e8d871b58a7
SHA1: 33189848e6809c72aef2dda17487838a4ff7c0cb

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 8d62651348d17cdd54365de324998b1c sha1: 3b8403c92036f66e620c7139931110da2989b19f size: 203264
Section.data md5: 6fac5092c38a3280ce87c476ec7f8da0 sha1: 085099c78d7322a3c101e05d8a26cf0a39c65cc1 size: 512
Section.rsrc md5: e466ade3bfe01b1a2febee851c6d9a23 sha1: 207d4c31b09aba2d9d69d44b029cc98be3f9b468 size: 8192
Section.aspack md5: d28083f4569059f348e6b5a74ec9cd99 sha1: 98c5799a575ef442303929e449e4121d142b56bc size: 6656  (ASPack packer section — together with the "[AspackDie!]" / "LOADER ERROR" strings and the minimal LoadLibraryA/GetProcAddress import set, this indicates the static section hashes, import hash and strings below describe the packed stub rather than the unpacked payload; unpack before relying on them)
Section.perplex md5: 794f977cf9a5bfb89fb21ffcbe16c0ae sha1: 5f0ce0835d3efc3c8c0186517c9158ffe7e06577 size: 103076
Timestamp: 2029-10-13 15:59:23  (PE compile timestamp post-dates the analysis date by 15 years, so it is forged or otherwise unreliable and should not be used for timelining)
Version LegalCopyright: Microsoft Corporation  (version-resource fields are self-declared by the author and establish no provenance; compare with the AV verdicts below)
InternalName: setdebugnt
FileVersion: 1.00.0005
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Corporation
Comments: SetdebugNt
ProductName: SetdebugNt
ProductVersion: 1.00.0005
FileDescription: SetdebugNt.exe
OriginalFilename: setdebugnt.exe
PEhash: 18a1b54c9221057a12b0db0892b367ecc3119c92
IMPhash: fdbfec85672f73d2a4d49635454936d4
AVaviraTR/Spy.Bancos.u
AVavgLuhe.Fiha.A
AVmcafeePWS-Banker.gen.i
AVmsseTrojanSpy:Win32/Bancos.DV
AVclamavTrojan.Spy.Banker-122

Runtime Details:


Process
↳ C:\malware.exe

Creates File: c:\windows\setdebugnt.exe  (self-copy into the Windows directory; the name matches the OriginalFilename in the version resource)
Creates Process: c:\windows\setdebugnt.exe  (the dropped copy is launched and the original process hands off to it)

Process
↳ c:\windows\setdebugnt.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft\\xae ActiveX Debugger NT ➝
"c:\windows\setdebugnt.exe"\\x00  (machine-wide Run-key persistence for the dropped copy; "\\xae" is the ® sign in the value name and "\\x00" a trailing NUL stored with the data — keep both when building a detection for this value)
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DFF37A.tmp
Creates File\Device\Afd\AsyncSelectHlp
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\ieupdate.dat
Creates File\Device\Afd\Endpoint
Creates File\Device\Afd\AsyncConnectHlp
Winsock DNSwww.supernet.speedserv.com
Winsock URL: http://www.supernet.speedserv.com/downloads/winlockdll.dll  (additional component fetched over plaintext HTTP; the DNS lookup in the Network Details below returned no A record, so the download was not observed completing in this run)

Network Details:

DNSsmtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNSwww.supernet.speedserv.com
Type: A
DNSsmtp.mail.yahoo.com.br
Type: A
Flows TCP: 192.168.1.1:1032 ➝ 188.125.69.59:25  (outbound SMTP to a Yahoo mail server, used here as the exfiltration/notification channel)
SMTP recipients: puscape1@click21.com.br, esportemano12@bol.com.br  (both appear as RCPT TO in the capture below; the sender carltoncine@yahoo.com.br authenticates with AUTH LOGIN using hard-coded base64-encoded credentials, so the mail account and its credentials are recoverable from the sample and the traffic)

Raw Pcap
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a5932 46796248 5276626d 4e70626d   ..Y2FybHRvbmNpbm
0x00000030 (00048)   553d0d0a 4d544179 4d444d77 0d0a4d41   U=..MTAyMDMw..MA
0x00000040 (00064)   494c2046 524f4d3a 3c636172 6c746f6e   IL FROM:<carlton
0x00000050 (00080)   63696e65 40796168 6f6f2e63 6f6d2e62   cine@yahoo.com.b
0x00000060 (00096)   723e0d0a 52435054 20544f3a 3c707573   r>..RCPT TO:<pus
0x00000070 (00112)   63617065 3140636c 69636b32 312e636f   cape1@click21.co
0x00000080 (00128)   6d2e6272 3e0d0a52 43505420 544f3a3c   m.br>..RCPT TO:<
0x00000090 (00144)   6573706f 7274656d 616e6f31 3240626f   esportemano12@bo
0x000000a0 (00160)   6c2e636f 6d2e6272 3e0d0a44 4154410d   l.com.br>..DATA.
0x000000b0 (00176)   0a46726f 6d3a2043 4f4d5055 5445522d   .From: COMPUTER-
0x000000c0 (00192)   58585858 58584070 61757361 2e636f6d   XXXXXX@pausa.com
0x000000d0 (00208)   2e62720d 0a546f3a 2070726f 636c6965   .br..To: proclie
0x000000e0 (00224)   6e746540 70617573 612e636f 6d2e6272   nte@pausa.com.br
0x000000f0 (00240)   0d0a4461 74653a20 5765646e 65736461   ..Date: Wednesda
0x00000100 (00256)   79202c20 32332041 70722032 30313420   y , 23 Apr 2014 
0x00000110 (00272)   30363a30 353a3336 20414d0d 0a537562   06:05:36 AM..Sub
0x00000120 (00288)   6a656374 3a204176 69736f20 21202120   ject: Aviso ! ! 
0x00000130 (00304)   21202032 332f3034 2f313420 30363a30   !  23/04/14 06:0
0x00000140 (00320)   350d0a58 2d4d6169 6c65723a 204d6963   5..X-Mailer: Mic
0x00000150 (00336)   726f736f 66742043 6f72706f 72617469   rosoft Corporati
0x00000160 (00352)   6f6e202d 204d6963 726f736f 66740d0a   on - Microsoft..
0x00000170 (00368)   0d0a2020 0d0a4572 726f3a20 6e6f2061   ..  ..Erro: no a
0x00000180 (00384)   67756172 646f2064 6f207061 672e2064   guardo do pag. d
0x00000190 (00400)   6f20646f 776e6c6f 61642c20 65207661   o download, e va
0x000001a0 (00416)   69207061 6761722e 2e2e0d0a 4d736720   i pagar.....Msg 
0x000001b0 (00432)   64612076 657273e3 6f2e3a20 312e302e   da vers.o.: 1.0.
0x000001c0 (00448)   350d0a0d 0a2e0d0a 0d0a5155 49540d0a   5.........QUIT..
0x000001d0 (00464)                                         


Strings
040904B0
1.00.0005
Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
Microsoft Corporation
OriginalFilename
ProductName
ProductVersion
setdebugnt
SetdebugNt
setdebugnt.exe
SetdebugNt.exe
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
<>}=;`
+')&%)^
																														
*}};0<
 (08@P`p
0B3&#RQ
0K7e;JU
$<0^nE^
	`0nh8
14+n/a
1)f_J%
1'GM;}
1@HY^s
(1idTW,O
1i>	 o
1JMy_v"
1@*&L|[
*,1l.k;X
1>uoYo
1!@zF9!
2J@=dO
2K^@|qfD
]2LDT!
2>Lei2
|>2_Mx
2NuKWa
2nwK4?
2N,}[YE
2QTDQQ;^F
;)2Tx$
#3BDfQ
3ClO]UV
3#@d#`
,3M0Ay
\@[3nmh
,3nXU<<X
,3(XU<PX
3z4Z5IO
3z)E(Wk
44-I\}3
%+498J
4HM	`0
"_(4.:HYIk
4IX$E)
4KU0Vs
4	}KW#
4~of/dM%>8
4r#n"(
4uR2vXOm'!"'
@53aoD
}<5duR
5LH~I2]
5L*_~PT
5*!q}L	
5_T*/pn
:5urP2
5{.[Zu0
658~|qYB
<6cFdXn
<6R]`,"q
	6uR~8eK
6V9Z3[b
]7Fu&2
7Gly=E
7MLd\9
7QV'(~
7 uy2[E4
;7W^sX
}7{]xc
888x4->4!%
8F:>~\y6
@8~>)k
-8-PZi
8-[s\N
8 $t'x 
8v">^>`
|{8~Vb\
}8YF_ 
92%0#	
[	94Z)Y)WN
9E5'Ioj
9@,e  Y-
 9hzE}-
9jinJ!O
9J<R)()!Erp
9/;k:i
9(}@^[M
9n%Glj
 9(p{"
9Sj/@(
$=<9?w
9XLzck4d3
+a0PR)
A?1%V0
*%a=.4
A85ZG'
abnVvv:Ex
(a\{E#S
a"ey p
AG.,18$4
AiAXQ"
!aIf{v
Anx'F<
AqmizC
.aspack
[AspackDie!]
!;.aU	F
_aW8o1g
[AwnU!H
AXM%Em
:A,yc)
AyU,E+
[(*=B!
b5[b]e
b7eh@(NS
b7"h6'/
!BbYBX
bCWEOdj
(,bi2y
b$LA8 
bp6X@F3
B	S#P~q
bTp6iCz[z
bvUD(A
:B@W)?
=B]xUo
">\bY~/
bZ<2"#
c110&/*Py
,C+3)'
C`3'9}=
CA%>Ae
CEH`42
c*e?u|
C[$e{W
 CfGVI
cfo1Aj
c]^^;%g
C=>>;%G
`CGK;4R3R
ciPY2P
C%	nlh
co#N>?
cp2u46
CT;CN2
CU#Qt.aJc
d2[pPr
D3+F9h
D+	9Hy
dAJA(p
|d|Bad
dbcEE'
dciET(
~?DE^7
DeBoW>
dhd;Pb
DiE]5K
#DKOmV
-Dla0_
dop	G>A=
D<R1Rn
Dt*G|i
dt|*oBR
Dv$)7S
dXJDH9BZ
D*/^?x;T
;DyF\<
&E1Pj(
"E/58e
(`	\E6
= E7M,.
e8@F#0
.@/edT
ED't&LU3
EE3?;^
# =Ef1+
efbJ/c;
EK_Q@9
ElMq7j
El	;S)
?e>~O?'
>e%P&2
ExitProcess
Ezs{-]rE
~F#4$u
F5S:(0-
fH9Zhx%
FILDF-
F&[omT
Frfm2h
<$ftw]
GetModuleHandleA
GetProcAddress
G@Fk%*T-
gfmrQ<
g"O?-d
].{G$P
gq^J~L
Gq\L$:Atp
G"q~n'
Gr'5t2
GSSu)S
]:%GWI
}gYT]W
H1bEYq
hdLiai
HE/>c-n
,<hHmO
HJ"IA&
!hKpq<
HKY(3x
-~Hm7A
hMP0w4KN`
H&M~qG
`hN3l	
h&O3	&
h%O+Ca
Hp^7_'!8
HpV})$ 
hqEQ0b
^)h>rF(
h$TGi*
HX4*Kg
\Hxl=M
HYUdSb
=^^;)I
I2<l*nh
i.3[W/
i&5:&L
I;6Q	Az
'idze)
ifMY8a
Igc]]]
I*^i+0
imws__
IN_y@MV
i pU`^F
i:}tzL
J#%0"5
j//-)1
j1h	SUT
JBgRG$
@-$j;cIM
jDSqW&v
JDwb]Y
jjgUE%
jx`2LlY*
jZ@|$_
_}k4k$[
K^76kaI
k<caCj
kernel32.dll
KERNEL32.DLL
?}k+Hi
,*k>j5
K(JLR*V
kkC5y3
k-|KNf
/	KL!t
:ko"=@
k.p=,5
KsN-]mlp
kT:>3/
*kwjKB
kZ/KF1
l2h}DO
l9QL/4
*L|{B.,4
$L_,*ed!
leJl-`V
lE<JZ dE=
lG<rlV&h
l HPe=sA
`@L[ ;i+@
l Jr"TT
LOADER ERROR
LoadLibraryA
l`,O Z
*L*-`#S
LSby;{
lsCEw;
lSwdjA
LV<].a
@@L[X;i+,
LyC4m ac~/Z
&`m7Shn
M8m.mZ'P
!m!9S(B
m?Cm1#
#m#c$X
MessageBoxA
'?MHj,n7~@
MineImport_Endss
mk]F~_
.MKs!U
mnw ,)C
:mq'Z4
MrEl^Q
msvbvm60.dll
m'U[F(~
mU$mJ*T
#MUQ4]
Mu+STo
mX#+3v
!@Mz(n_
N:|" _4
N9M^zz
N%<bQXR*p+=P
NC+tBc
nGIE]T
nh8o+`
nKJ_?{
n?;N2K
n+!%n6
NN}qfu
nNqGAf
){n!U~
%]||	O
:O0a8T+
o3m8.r
O[(431
#o#Dpu#c
ojcRTZ
`#Ok_]Q/S
`Om[2D
/omTS+q
OQag=7
]or)Cb
O`Tk*t
:OvZQp
Ow)Zh*
oyZpWp
p%+4h8J
P59~P%
p6}}XZ
peR0Ck]
.perplex
,PE`vB@d
PfrqW_
]p_hwk6b
P$I#DP
@Pj"z8
^Pkn']Z
PLHD)b
PLup^N'>
poQC;	
PrWsxYj
PsyF6p
]|pvYx
PVZ>.Cm
~},q*`
*[_q]|
!|:Q0F
q|0GGF
qB%j12
qbY'*y
Q,eFkq
QE@fX@\
Q$H	GY9
QHVZUt
/q?:?i?>
qLgJYve
;/q:qlF
>."qQS
^Q<rN|
QSs8f{%
(\qT+.
r0IZ1UB
#R)#1G
)R5fV~
r9~_64h%
Randimize
r/b?5~m;
rb?N\$
R<@	D)X
RegA^&
\Rf0!:
RL3.^	
R<li9`
rm8[hb
!rn~~n
:r:p?S
/\;R>*tsd
rtveQV7
:rtVPPG
R)|y.|c
s4)[^5
S8.1nA
sBOaK6#
sbv3	Hr
(Sc= cf
_*Scxm9P
SebE5zg6
SeNL-<]G1
%Sg\&J
s	(i2r
$s)Jeh
+SoWL:
SPW#-d/
/sqx4I)
@s	`R#
[/STtA
STxJ/C>
Su	: B)
SWF_!1
t53&1m
Tdher*^
TDn~GG*
tD]Zb\
teu]18s
TFlBiG
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
!This program cannot be run in DOS mode.
TkhKhzH
TNE*9E
tNU,u9
TT[V\]
TU]QnS_
TXk aE
u0B/m4aI
u;%1t=
(u2{fg
udD:my
{>Ud;H
~ue}mz
U|G4ib
Uh+b"z
--u<j|
uORXt-{
~uOUL_
user32.dll
USER32.DLL
UXp/+ 3
?u~~;y
\u`ZHj
*u(zKu|
}V1,oC
	V $82
V8*nF$
v8-{+XP
[v_+*AC
__vbaVarSub
vcO`N.:
VirtualAlloc
VirtualFree
vjT~%]
>.]Vm(
_VneR:Vj
=V{P{h
 vqFZk
V:r4]D
V[Ra>Q
*,@VU 
VuK\tuL
W6PpG#(
	WA'BAI3
<(w'#aj
]wEQ7$f
wEZ8ve
WhT6}.
wKmoOX
w+NAP:J
<W NDk
wOuf`6
wsprintfA
w_Y,2W*
	_w~zU
x1p#7}2
x2%o$2LZ,4
+`x9j!
x-<bT(
(X%ca4
[$XcKi
xf~nX:D
<<~x,I
XjwBI1I
XkVe<f
Xo*Gy-
"xpiP0
{~XP;L
<X%Q`a
x<qe2Qc
"_:XST@2
XWH>v$~
XW@k:4LHv
**(XYD
\XyW!N
y!0:E|
*y%2o^
%Y3pm7
Y7:	};
y"e;&C
yhQ_ae
yhs^	Ny%,
:<YjE1%
y?lq=j
Y[.O"f
YO[yk6
%{yPB/
yp)TR1s
yq	j8`
y:rkg.
y`:W`ck2
YX^*Q\
yyN)e3
!Z0L20
 Z2zMMk
z=6YC8
]Z9&a`8
zAydT!
/#z,*C"4;
@zcd)2
!zdN[p
ZHjGPE"
ZJd"3&#da
Z}M<G7e
Zo{MS},
Zo%vEj5
ZPOtA-
Z=Q`+E
)+zR(!
ZrxtE-
Zs\4"$>F+
Z[s,kH
zw @`n
}ZY1kG
z@;@yV
zZL=Q}
zz(xDrR