Analysis Date: 2014-08-15 12:16:15
MD5: 4094f3c76be32358d9dd0fa3c35efc98
SHA1: 365c2e250ac131cd7c3663bebe240d7884124dc2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (size 0: the hashes are those of zero-length input, as expected for the UPX0 section that is only populated at unpack time)
Section UPX1 — md5: c1e09d3cefdfbbecbf160e7055d62409 sha1: 27aeb3e9402eef83c979debc13136373032fc195 size: 17920
Section .rsrc — md5: 11818d4428ef9e5573b94e97909618bb sha1: 28f0f1d877000fdb72e76bf9bf6c07e1dab8d96b size: 15872
Timestamp: 2005-07-04 12:14:26
Packer: UPX -> www.upx.sourceforge.net
PEhash: dbf24394396bfd207ac1ea158bf866ab608dbbef
IMPhash: 2134f794bcda54794e74b7208adb2204
AV 360 Safe: Trojan.Downloader.FakeAlert.DV
AV Ad-Aware: Trojan.Downloader.FakeAlert.DV
AV Alwil (avast): Downloader-E [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): DR/Dldr.NSIS.FraudLoad.AH
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Downloader-2541
AV Dr. Web: Trojan.Fakealert.7234
AV Emsisoft: Trojan.Downloader.FakeAlert.DV
AV Eset (nod32): NSIS/TrojanDownloader.FakeAlert.W
AV Fortinet: W32/Dloader.AR!tr.NSIS
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Downloader.FakeAlert.DV
AV Grisoft (avg): Startpage.MRF
AV Ikarus: no_virus
AV K7: Trojan ( 00071a9b1 )
AV Kaspersky: Trojan-Downloader.NSIS.FraudLoad.ah
AV MalwareBytes: Rogue.Installer
AV Mcafee: no_virus
AV Microsoft Security Essentials: Rogue:Win32/FakeSmoke
AV MicroWorld (escan): Trojan.Downloader.FakeAlert.DV
AV Norman: winpe/FakeAV.IXD
AV Rising: Trojan.DL.Win32.Mnless.fyj
AV Sophos: Mal/FakeAV-CC
AV Symantec: WiniGuard
AV Trend Micro: TROJ_PATCH.RJ
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Trojan.FakeAV.Win32.7392

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2gbk87zj
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp\NSISdl.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp\md5dll.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsz2.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\8enyqcv1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp\time.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\2gbk87zj
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp\NSISdl.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp\md5dll.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\8enyqcv1
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsz1.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\2gbk87zj.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\2gbk87zj.exe

Network Details:

DNS query: www.antiaid.com
Type: A

Raw Pcap

Strings
N
.
.
.
.
N
.
.

075kmn
 |0aml
0jS3T9
1aOWB_
 1Hpu?Y
2pZT;V
?3Adj/tTos,
&>|}'3u
!/45km
~}:(467
4`mc[x
~4o?43
7/@#]%$
7-Addr1m
7mandLin
9Mhpk0&B
\9\*s{3p
9tiBy7oWiV
.a>7}G
Ad68K'
ADVAPI32.dll
A^|Fjk
AlYWaF
AM4h`K
BrushI($
B?R#Vh;+]
!|Caps #9
CckDlgB9L
CDE*&&'
COMCTL32.dll
CoTaskMemFree
: %d%%#
d1Common
D#6I7W
D*?|<>/":B
_?	Db6S
DdEBA@@@@=
.DEFAULT\Control Panel\I
 /D=eiQ
Desktop\R
D{/t<h
e2GtIm
e4>)uc
ec$	0\
EnvA0m/
ernati
es)clude
et Explo&r\Qu
Ex%ADVvk
ExitProcess
F1Vj),
&#fay'
f{c\8.
fffffox
FOLDER
ftDu1Z
fTSSzu
-G1P|H
GDI32.dll
GetProcAddress
GetShort
gflBeglR
GWgH4#=
GXf#(gg$hf
h1Sw;0
>h=3:6a
has fai
hpppiffT
${hpUX
#hrF*IK
http://n
;hvLUn
iRichu
+iSize
Kb.t<>
k ,/&c
KERNEL32.DLL
k Laun
kNG;Fl
kV,P3V
:L/K=)(
LoadLibraryA
lobalUn
lS'WObjzv 
MakTsu[
MD *Y 
M*<fy=
MN: o1v
`m*.t:
(*MXob
NEL+\*.*
&+,Nlo
nsab!n
n+UAG4
NullsoftInst
NulluM	EZ
NX\kqphZUQ3,
ole32.dll
O_mcs]0
o+Pbn7
Open*{
O [rKey
ourceLoc&e'
owCtegPty che
owto ob
P;?@@?
P;?@@@@?
P$#3fE
}pm/r#
p'[m[t
punqq974.
puqqqqq<770
py>Exi
%!qxHc
;=;r9(
RbEOGs6
RegEnumKeyA
RichEdit
rifying 
rlbA?4)
RYjgfW2+*
{{{s<.
	s8j#*
S+Bitmap
SetBkMode
SHELL32.dll
ShellExecuteA
sis.sf.t/NSIS_Err
{ssuBBs@@@<4
<S	[\X
t9{-$<
tbGcmK?
td*[woh37
!This program cannot be run in DOS mode.
` tnload andqma
Trazpup
,|TtBiVp
ttributes
Udeo!E
ue :1M
][uepOp(oc$s4
unpack
USER32.dll
UVhsf;#
,v6;Is;5d
VerQueryValueA
VERSION.dll
VirtualAlloc
VirtualFree
VirtualProtect
VSRR@/
_VTTPPI
Vu-0~V^
V_VPTPIG
w8=0B|
ware\MtZ
~W .*FGXxo
wgQu^y
\Windowsq9
w/s>Q6u
WW1BqX[
wwwwww
wwwwwwp
wwwwwwwx
wwwwwx
wxwwwwww
&X3^o ?(
xc\shX^
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
XPTPSW
 )XWKp
YiaQMRb
)-.Yln
Y=PcKq
ZaZaZXKJ
Z_ZT_PI
zzz||||
z}z}z{v