Analysis Date: 2015-11-01 13:39:02
MD5: bb8e180af72b2f22339288626f6d1a16
SHA1: 349bf8e954d3235ea6c03e5db102ef2cd93fc33a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1f1f7f730dbde008b76c8f4722a7e724 sha1: 45bfece0cb835c125f1053965fefc587078a8d05 size: 5632
Section .rdata: md5: 11df99c186851140513216ec424b6ef2 sha1: 0996b7a1a76d5b26776450802a36f692c1128705 size: 5120
Section .data: md5: 50e220e184b2afda3ca5d02c0c24a385 sha1: c23de603095ab54cf28842879b86ed9cbbbbe886 size: 1024
Section .rsrc: md5: 8943f17561446e9565bda606b43bee8c sha1: abe0979f9f7138d5b1891cd951d6bb08dfe50af1 size: 18944
Section .reloc: md5: 1349da72f29f3a985c36ac7a8f241e19 sha1: b752b291124a5498b1b931eee5b8bef80837bda4 size: 2560
Timestamp: 2005-08-27 22:34:54
PEhash: 21f0a707c0c6288582ee9a6301e492d58b68212f
IMPhash: 7585564eb7908f9e16ed747ff84cf9de
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cbti
AV Grisoft (avg): Inject2.BLSX
AV VirusBlokAda (vba32): TrojanDownloader.Cabby
AV MalwareBytes: Backdoor.Bot
AV Authentium: W32/Downloader.ANXR-3630
AV Ad-Aware: Trojan.Agent.BHHK
AV Twister: TrojanDldr.Cabby.cbti.bdko
AV BitDefender: Trojan.Agent.BHHK
AV Dr. Web: Trojan.DownLoad3.35539
AV ClamAV: Win.Trojan.Agent-837432
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Frisk (f-prot): W32/Downldr2.IZQD
AV CAT (quickheal): TrojanDownloader.Dalexis.A3
AV Padvish: no_virus
AV Rising: no_virus
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Trend Micro: TROJ_CRYPCTB.SMD
AV Fortinet: W32/Kryptik.CVBD!tr
AV Zillya!: Downloader.Cabby.Win32.793
AV Emsisoft: Trojan.Agent.BHHK
AV Avira (antivir): TR/Chabot.oslrr
AV Mcafee: Ransom-CTB!BB8E180AF72B
AV Alwil (avast): Downloader-VQV [Trj]
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis
AV Symantec: Downloader.Ponik
AV BullGuard: Trojan.Agent.BHHK
AV Arcabit (arcavir): Trojan.Agent.BHHK
AV F-Secure: Trojan.Agent.BHHK
AV MicroWorld (escan): Trojan.Agent.BHHK
AV CA (E-Trust Ino): Win32/Tnega.PJQVNLC
AV K7: Trojan-Downloader ( 00499db21 )

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\349bf8e954d3235ea6c03e5db102ef2cd93fc33a.rtf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_75140.cab
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 56730099
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
157.55.240.94
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 157.55.240.94:80
Flows TCP: 192.168.1.1:1032 ➝ 65.55.50.158:80

Raw Pcap

Strings
ATERNUS
ADVAPI32.dll
AlphaBlend
CloseHandle
CompareStringA
ControlService
CountryRunOnce
CreateDirectoryA
CreateNamedPipeA
CreateServiceA
@.data
DeviceIoControl
DllInitialize
drvCommConfigDialogA
drvSetDefaultCommConfigA
FormatMessageA
GetAtomNameA
GetBinaryTypeA
GetComputerNameA
GetConsoleAliasW
GetConsoleTitleA
GetCurrentDirectoryA
GetCurrentProcess
GetFullPathNameA
GetLongPathNameA
GetNumberFormatW
GetProcAddress
GetProcessHeap
GetProcessId
GetTickCount
GetTimeFormatA
GetVersionExA
HeapValidate
InvokeControlPanel
IsTextUnicode
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
kernel32.DLL
KERNEL32.dll
LoadLibraryA
lstrcpynA
modemui.dll
msimg32.dll
nddeapi.dll
NDdeShareDelA
NDdeShareGetInfoA
NDdeShareSetInfoA
OpenServiceA
pnevnut.pdb
QueryDosDeviceW
`.rdata
ReadConsoleA
ReadFile
RegCreateKeyA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegFlushKey
RegOpenKeyExA
RegQueryValueA
RegSaveKeyA
@.reloc
SetEnvironmentVariableW
SetFilePointer
!This program cannot be run in DOS mode.
TransparentBlt
VirtualAllocEx
WaitForSingleObject
WriteConsoleA
WTSAPI32.dll
WTSEnumerateProcessesA
WTSFreeMemory
WTSLogoffSession
WTSQuerySessionInformationA
WTSRegisterSessionNotification
WTSSetUserConfigW
WTSVirtualChannelClose
WTSVirtualChannelQuery
WTSVirtualChannelRead
WTSVirtualChannelWrite